benlivengood|3 days ago

As far as I can tell, all of these attacks require the attacker to already be associated to a victim's network. Most of these attacks seem similar to ones expected on shared wifi (airports, cafes) that have been known about for a while. The novel attacks seem to exploit weaknesses in particular router implementations that didn't actually segregate traffic between guest and normal networks.

I'm curious if I missed something because that doesn't sound like it allows the worst kind of attacks, e.g. drive-by with no ability to associate to APs without cracking keys.

tialaramex|3 days ago

The attacker doesn't need to be connected to the victim's network, only to the same hardware, the hardware's loss of isolation is the unexpected problem.

Their University example is pertinent. The victim is an Eduroam user, and the attacker never has any Eduroam credentials, but the same WiFi hardware is serving both eduroam and the local guest provision which will be pretty bare bones, so the attacker uses the means described to start getting packets meant for that Eduroam user.

If you only have a single appropriately authenticated WiFi network then the loss of isolation doesn't matter, in the same way that a Sandbox escape in your web browser doesn't matter if you only visit a single trusted web site...

dijit|3 days ago

I should reinforce this point by saying that it's the default position for "guest" networks to be using the same hardware as "secure" office wifi and such.

benlivengood|3 days ago

Yeah, that commercial-grade hardware didn't actually isolate at the PHY-MAC layer is a bit surprising. How would they have working VLANs at the AP?

vanhoefm|3 days ago

I'm a co-author on the paper: I would personally indeed not use the phrase "we can break Wi-Fi encryption", because that might be misinterpreted as meaning we can break any Wi-Fi network.

What we can do is this: when an adversary is connected to a co-located open network, or is a malicious insider, they can attack other clients. More technically, we can bypass client isolation. We encountered one interesting case where the open Wi-Fi network of a university enabled us to intercept all traffic of co-located networks, including the private Enterprise SSID.

In this sense, the work doesn't break encryption. We bypass encryption.

If you don't rely on client/network isolation, you are safe. More importantly, if you have a router broadcasting a single SSID that only you use, we can't break it.

delBarrio|3 days ago

Hi and thanks so much for the valuable research!! I know it has been asked a lot here already, and probably some in-depth reading would help me figure that out by myself. But I've noticed that you used Cisco 9130 APs, and noticed only part of the attacks work on those. So I wanted to ask whether you tested those with just IP-based network separation, or also the VLAN-based one? Also, since you've mentioned the findings have been communicated to the vendors and the WiFi Alliance alike, may I ask you to maybe share a CVE number here? I (as probably a lot of us here) use some of the hardware mentioned for personal goals/hobby in my home setup, and find it fun to keep that setup reasonably protected for the sake (fun) of it. Much appreciated!

pdonis|2 days ago

So if you're running multiple SSIDs on a single router, but all of them use encryption and require a passphrase (i.e., none of them are open), the attacks you are describing don't work?

To clarify, the passphrase for each SSID is different, and the question is whether, first, a client that doesn't know any of the passphrases can somehow attack other clients who do, and second, whether a client that knows the passphrase for one SSID can attack clients connected to the other SSID (which has a different passphrase)?

NetMageSCW|3 days ago

Do separate VLANs behind the different SSIDs provide protection?

blobbers|3 days ago

Hi! In the case of accessing the private Enterprise SSID, was the network VLAN isolated or some other type of virtualization of the BSSID?

Thanks for your work on the topic! This is quite interesting!

MetaWhirledPeas|1 day ago

Is this one possibility?

- Buy cheap IoT device

- Isolate it on guest network

- IoT device is compromised (or shipped that way)

- IoT device now has clear access to traffic on both your guest and primary networks

Is that accurate?

nickburns|3 days ago

Much of (if not the vast majority of the 'worthwhile') traffic you're intercepting still consists of encrypted packets though.

Not to minimize the recon value of the plaintext stuff. But not really fair to say you're 'bypassing' any encryption but for the WPA-specific kind.

hpdigidrifter|2 days ago

>Of course it's you / partially you

Absolutely love your work, go strong. I click these threads and always expect your name to pop up.

upboundspiral|3 days ago

What about Xfinity, which by default shares the wifi you pay for with strangers to create access points around the city?

bronco21016|3 days ago

It sounds like this attack would work in that scenario provided the attacker is able to connect to the guest access point.

I haven’t paid attention to one in a while but I seem to remember the need to authenticate with the guest network using Xfinity credentials. This at least makes it so attribution might be possible.

1bpp|3 days ago

As of a few years ago, you could simply spoof your MAC to that of a Comcast subscriber with these and you'd get unrestricted access on the hotspot.

happyPersonR|3 days ago

This is probably the biggest issue.

I turn my WiFi off and use my own WiFi AP.

ProllyInfamous|3 days ago

See also: Amazon's Sidewalk (which shares your network via Ring camerae, e.g.).

strongpigeon|3 days ago

That's my read as well. It's bad for places that rely on client isolation, but not really for the general case. I feel like this also overstates the "stealing authentication cookies": most people's cookies will be protected by TLS rather than physical layer protection.

Still an interesting attack though.

NetMageSCW|3 days ago

I think that places that rely on client isolation might be the general case - every public space that has a guest network - e.g. retail stores, doctor’s offices, hotels, hospitals - is probably using client isolation on their wireless network.

ectospheno|3 days ago

Access points frequently have multiple BSSIDs even if just for broadcasting on 2.4 and 5 at the same time. Any multiple-AP scenario will have them regardless. Couple that with weak duplicate MAC checking and shared GTK (WPA2-PSK) and the attack becomes trivial. I imagine old hardware will be broken forever. Especially pre-802.11w.
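Several replies above ask whether separate VLANs behind each SSID, client isolation and 802.11w (PMF) help. As an added example (not from the paper, the thread or any vendor), this is a hostapd configuration for one radio serving a staff BSS and a guest BSS with those isolation-related settings made explicit; it assumes hostapd with the nl80211 driver, and the RADIUS address, shared secret and passphrase are placeholders. It only controls what hostapd does in software; it does not address hardware that fails to segregate BSS traffic, which is the failure the thread describes.

```ini
# Added example: one radio, two BSSes, each with its own bridge/VLAN,
# PMF required, and station-to-station bridging disabled.
# Constructed configuration; values marked placeholder must be replaced.
interface=wlan0
driver=nl80211
hw_mode=a
channel=36

# --- BSS 1: staff network (802.1X / Enterprise) ---
ssid=staff-enterprise
# Own bridge, attached upstream to the staff VLAN. The weak setting the
# thread warns about is putting both BSSes on the same bridge.
bridge=br-staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# Placeholder RADIUS server (documentation address) and secret.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME_PLACEHOLDER
# 2 = PMF (802.11w) required; 0 is the pre-802.11w behaviour.
ieee80211w=2
# Do not bridge frames between stations associated to this BSS.
ap_isolate=1

# --- BSS 2: guest network, separate passphrase, separate bridge/VLAN ---
bss=wlan0_1
ssid=guest
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=guest-passphrase-PLACEHOLDER
rsn_pairwise=CCMP
ieee80211w=2
ap_isolate=1
```

Each BSS negotiates its own group key, so the two SSIDs do not share a GTK in this layout; separate bridges are what turn "separate VLANs behind the SSIDs" into an actual L2 boundary on the AP side.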

wat10000|3 days ago

That’s my read as well. It’s not good, but it’s not nearly as bad as the headline makes it sound.