
Comment by blobbers

15 hours ago

Hi! In the case of accessing the private Enterprise SSID, was the network VLAN isolated or some other type of virtualization of the BSSID?

Thanks for your work on the topic! This is quite interesting!

When testing our own Enterprise devices, VLANs were not used. This was done to understand the impact of client isolation on its own.

For the university networks that we tested, I'd have to ask my co-author. But perhaps my other comment can further contextualize this: https://news.ycombinator.com/item?id=47172327 Summarized, I'm sure that it is possible to configure devices securely, and VLANs can play an important role in this. But doing so is more tedious and error-prone than one may initially assume, e.g., there is often no single setting to easily do so.

  • Without 802.1X (EAP), there isn't really a way to achieve client isolation against inside attackers who can mount mc-mitm [0] attacks against base stations and clients. The basic problem is a single shared secret that allows anyone who knows it to act as any of the participants (which also breaks privacy). Unfortunately the infrastructure for EAP is unwieldy for unmanaged devices.

    The real solution is zero-trust network access, which gets closer to reality with passkeys; the last mile will be internal (LAN) devices that need a way to provision trusted identities (Bluetooth proximity, QR codes, physical presence buttons, etc.). Quite a pain for smart bulbs or other numerous IoT. If ZTNA is solved then 802.1X is trivial as well for e.g. preventing bandwidth stealing.

    EDIT: I guess Matter is leading the way here. I need to do some more reading/learning on that.

    [0] https://www.rit.edu/wisplab/sites/rit.edu.wisplab/files/2022...