top | item 47170781

(no title)

vanhoefm | 5 days ago

I'm a co-author on the paper: I would personally indeed not use the phrase "we can break Wi-Fi encryption", because that might be misinterpreated that we can break any Wi-Fi network.

What we can do is that, when an adversary is connected to a co-located open network, or is a malicious insider, they can attack other clients. More technically, that we can bypass client isolation. We encountered one interesting case where the open Wi-Fi network of a university enabled us to intercept all traffic of co-located networks, including the private Enterprise SSID.

In this sense, the work doesn't break encryption. We bypass encryption.

If you don't rely on client/network isolation, you are safe. More importantly, if you have a router broadcasting a single SSID that only you use, we can't break it.

discuss

delBarrio|5 days ago

Hi and thanks so much for the valuable research!! I know it has been asked a lot here already, and probably some in-deep reading would help figure that out by myself. But I’ve noticed that you used Cisco 9130 APs, and noticed only part of the attack work on those. So wanted to ask whether you tested those with just IP based network separation, or also the VLAN-based one? Also, since you’ve mentioned the findings have been communicated to the vendors and the WiFi alliance alike, may I ask you to maybe share a CVE number here? I (as probably a lot of us here), use some of the hardware mentioned for personal goals/hobby in my home setup, and find it fun to keep that setup reasonably protected for the sake (fun) of it. Much appreciated!

vanhoefm|4 days ago

We don't have a CVE number. Whether devices/networks are affected also highly depends on the specific configuration of the device/network. This means that some might interpret some of the identified weaknesses as software flaws, but other weaknesses can also be seen as configuration issues. That's actually what makes some of our findings hard to 'fix': it's easy to say that someone else is responsible for properly ensuring client isolation :) Hence also hard to really assign CVE(s).

One of the main takeaway issues, in my view, is that it's just hard to correctly deploy client isolation in more complex networks. I think it can be done using modern hardware, but it's very tedious. We didn't test with VLAN separation, but using that can definitely help. Enterprise devices also require a high amount of expertise, meaning we might have missed some specialised settings.. So I'd recommend testing your Wi-Fi network, and then see which settings or routing configurations to change: https://github.com/vanhoefm/airsnitch

pdonis|4 days ago

So if you're running multiple SSIDs on a single router, but all of them use encryption and require a passphrase (i.e., none of them are open), the attacks you are describing don't work?

To clarify, the passphrase for each SSID is different, and the question is whether, first, an client that doesn't know any of the passphrases can somehow attack other clients who do, and second, whether a client that knows the passphrase for one SSID can attack clients connected to the other SSID (which has a different passphrase)?

isomorphic|4 days ago

My interpretation:

First, they can't attack a WiFi access point for which they do not know any password(s). Thus your multi-SSID access point with multiple passwords is "safe" from this particular attack.

However, second, they can attack an access point for which they know any password, gaining access to clients on the other SSIDs. This means your security is now effectively only the security of your worst SSID's password. It also may defeat your purpose in having multiple SSIDs/passwords in the first place.

NetMageSCW|5 days ago

Do separate VLANs behind the different SSIDs provide protection?

vanhoefm|4 days ago

That should definitely help. You still have to double-check the IP routing tables between the VLANs, but most of the time, that should prevent attacks between SSIDs.

blobbers|4 days ago

I would guess that the VLAN separation should prevent it, but perhaps there are implementation errors on the VLAN implementation inside of individual brands of routers?

Inter-VLAN routing shouldn't be done at the wifi access point, packets would need to be tagged coming out of the wifi AP and switched upstream, unless I'm mistaken about this.

blobbers|5 days ago

Hi! In the case of accessing the private Enterprise SSID, was the network VLAN isolated or some other type of virtualization of the bssid?

Thanks for your work on the topic! This is quite interesting!

vanhoefm|4 days ago

When testing our own Enterprise devices, VLANs were not used. This was done to understand the impact of client isolation on its own.

For the university networks that we tested, I'd have to ask my co-author. But perhaps my other comment can further contextualize this: https://news.ycombinator.com/item?id=47172327 Summarized, I'm sure that it is possible to configure devices securely, and VLANs can play an important role in this. But doing so is more tedious and error-prone than one may initially assume, e.g., there is often no single setting to easily do so.

nickburns|5 days ago

Much of (if not the vast majority of the 'worthwhile') traffic you're intercepting is still encrypted packets though.

Not to minimize the recon value of the plaintext stuff. But not really fair to say you're 'bypassing' any encryption but for the WPA-specific kind.

vanhoefm|4 days ago

People who use or rely on client isolation want to prevent inter-client attacks, for whatever reason. We show that this can often be broken. This can be problematic when you have older hardware in your network that is rarely updated, and many then rely on client isolation to mitigate attacks. If everything is encrypted and properly patched, then our attack indeed has less impact, but then there also wouldn't have been a good reason to use client isolation in the first place ;)

MetaWhirledPeas|3 days ago

Is this one possibility?

- Buy cheap IOT device

- Isolate it on guest network

- IOT device is compromised (or shipped that way)

- IOT device now has clear access to traffic on both your guest and primary networks

Is that accurate?

hpdigidrifter|4 days ago

>Of course it's you / partially you

Absolutely love your work, go strong. I click these thread and always expect your name to pop up