posted by hubie on Monday March 02, @05:58AM

There's a silent vulnerability lurking underneath the architecture of Wi-Fi networks:

A team of researchers from the University of California, Riverside revealed a series of weaknesses in existing Wi-Fi security, allowing them to intercept data on a network infrastructure that they've already connected to, even with client isolation in place.

The group called this vulnerability AirSnitch, and, according to their paper [PDF], it exploits inherent weaknesses in the networking stack. Since Wi-Fi does not cryptographically link client MAC addresses, Wi-Fi encryption keys, and IP addresses across Layers 1, 2, and 3 of the network stack, an attacker can use this to assume the identity of another device and confuse the network into diverting that device's downlink and uplink traffic through the attacker.

Xin'an Zhou, the lead author on the research, said in an interview, according to Ars Technica, that AirSnitch "breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks." He also added, "Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It's really a threat to worldwide network security."

AirSnitch does not break encryption at all, but it challenges the general assumption that encrypted clients cannot attack each other because they've been cryptographically isolated.

[...] The researchers found that these vulnerabilities exist in five popular home routers — Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-LINK DIR-3040, TP-Link Archer AXE75, and Asus RT-AX57 — two open-source firmwares — DD-WRT v3.0-r44715 and OpenWrt 24.10 — and across two university enterprise networks. This shows that the issue is not just limited to how manufacturers make and program their routers. Instead, it’s a problem with Wi-Fi itself, where its architecture is vulnerable to attackers who know how to take advantage of its flaws.

While this may sound bad, the researchers pointed out that this type of attack is rather complicated, especially given how complex modern wireless networks have become. Still, that does not mean that manufacturers and standardization groups should ignore this problem. The group hoped that this revelation would force the industry to come together and create a rigorous set of requirements for client isolation and avoid this flaw in the future.


  • (Score: 3, Disagree) by Bentonite on Monday March 02, @06:44AM

    by Bentonite (56146) on Monday March 02, @06:44AM (#1435373)

    Of course each client connected to the same AP can see the packets of the other clients (WPAX was never really designed to prevent that) - that's why you use TLS & DTLS and other relevant encryption for everything.

    DD-WRT and "Open"WRT don't qualify for "open source", as both contain a huge amount of proprietary software.

  • (Score: 1, Interesting) by Anonymous Coward on Monday March 02, @08:14AM (2 children)

    by Anonymous Coward on Monday March 02, @08:14AM (#1435382)

    Ah, yes. I did this back-in-the-day when I ended up on a 10baseT (coax) network, and one of the users insisted on torrenting - which completely and utterly destroyed the internet for absolutely everyone else. So I managed to, very slowly, download an arp-spoof tool, and poison their arp cache. Just theirs. They complained the next day that the internet wasn't working, and everyone said that it wasn't working earlier in the day - but in the evening it was fine again. Yay.

    This is that: It's arp poisoning, but for devices that "we thought" were segregated. It turns out that that works at the IPtables level, and not at the arp level. The result: you can arp-poison your way into MITM the other device's traffic.

    Factors:
    - you have to know the other device's MAC (and remember: it's on a segregated network segment, so its packets shouldn't be arriving at your Wifi adapter)

    Ways of preventing this:
    - static ARP (which virtually no one implements, because c'monnnn -- even DHCP servers might have multiple, or one server can take over for another, or ...)

    The fix/prevention of this:
    - monitoring your network for curious or extremely repetitive arp traffic (responses to WHO-HAS requests without the actual request, who-has)

    The enterprise networks are often protected against this based on the prevention above. Many monitoring tools will watch for it. The "physical" prevention - static arp - is .... terrible. Trying to manage devices at a MAC level in addition to (static) IPs (which a lot of people don't do, because excessive)? No. If something is awry with an actor on a port, shut that port off.

    Plausible, easy fix:
    - If you see traffic from a MAC that isn't registered with that WIFI connection, send a disconnect signal. Make them sign on again. Arp spoofing fails. Changing your MAC after connecting fails. This will not fix things if the attacker is not part of the wireless network (but it seems like that's what this article is complaining about).

    • (Score: 0) by Anonymous Coward on Monday March 02, @08:45AM (1 child)

      by Anonymous Coward on Monday March 02, @08:45AM (#1435383)

      The enterprise networks are often protected against this based on the prevention above.

      IPSec IPv6 network

      • (Score: 0) by Anonymous Coward on Monday March 02, @09:35AM

        by Anonymous Coward on Monday March 02, @09:35AM (#1435386)

        Static analysis and split-debug symbols!

        Perhaps you have a point, but it's a mystery.
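As an added illustration, not code from the AirSnitch paper, the story summary or any of the commenters, here is a toy access-point-side check in Python that does the bookkeeping the summary says Wi-Fi itself omits (tying a station's pairwise key, MAC address and IP address together) and that the comment above proposes as mitigation and detection: flag traffic from a MAC not registered for that connection, and flag ARP replies that no one requested. The frame representation (one dict per decrypted frame), the station table and the sample frames are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Station:
    key_id: str   # pairwise key the frame decrypted under: the one identity the AP can trust
    mac: str      # MAC recorded at association time
    ip: str = ""  # IP learned from the station's first frame, then pinned to it

@dataclass
class ApState:
    stations: dict = field(default_factory=dict)  # key_id -> Station
    requests: set = field(default_factory=set)    # (asker_mac, target_ip) of ARP requests seen

    def associate(self, key_id: str, mac: str) -> None:
        self.stations[key_id] = Station(key_id, mac)

    def check_frame(self, frame: dict) -> list:
        """Return alerts for one decrypted frame; an empty list means it is consistent."""
        alerts = []
        st = self.stations.get(frame["key_id"])
        if st is None:
            return ["frame decrypted under an unknown key"]
        # Layer 2 <-> key: the source MAC must be the one registered for this key.
        if frame["src_mac"] != st.mac:
            alerts.append(f"MAC {frame['src_mac']} sent under the key of {st.mac}")
        # Layer 3 <-> layer 2: an IP already bound to another station cannot be claimed here.
        ip = frame.get("src_ip", "")
        if ip:
            owner = next((s for s in self.stations.values() if s.ip == ip), None)
            if owner is None:
                st.ip = ip  # first sighting: learn the binding
            elif owner is not st:
                alerts.append(f"IP {ip} bound to {owner.mac} claimed by {st.mac}")
        # ARP bookkeeping: a reply nobody asked for is the 'curious' traffic to watch.
        op = frame.get("op")
        if op == "arp_request":
            self.requests.add((frame["src_mac"], frame["target_ip"]))
        elif op == "arp_reply" and (frame["dst_mac"], ip) not in self.requests:
            alerts.append(f"unsolicited ARP reply for {ip} from {frame['src_mac']}")
        return alerts

def run_demo() -> list:
    """Constructed sequence: two stations, then one claiming the other's IP in an ARP reply."""
    ap = ApState()
    ap.associate("key-A", "aa:aa:aa:aa:aa:aa")
    ap.associate("key-B", "bb:bb:bb:bb:bb:bb")
    frames = [
        {"key_id": "key-A", "src_mac": "aa:aa:aa:aa:aa:aa", "src_ip": "10.0.0.2", "op": "arp_request", "target_ip": "10.0.0.1"},
        {"key_id": "key-B", "src_mac": "bb:bb:bb:bb:bb:bb", "src_ip": "10.0.0.3", "op": "ip"},
        {"key_id": "key-B", "src_mac": "bb:bb:bb:bb:bb:bb", "src_ip": "10.0.0.2", "op": "arp_reply", "dst_mac": "aa:aa:aa:aa:aa:aa"},
    ]
    return [a for f in frames for a in ap.check_frame(f)]
```

A real AP would act on a non-empty alert list the way the comment suggests (deauthenticate the station and make it re-associate) or feed it to a monitoring system.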

  • (Score: 2, Insightful) by pTamok on Monday March 02, @10:25AM (1 child)

    by pTamok (3042) on Monday March 02, @10:25AM (#1435390)

    This is one of the reasons why I favour using wired networks, including in my home office/lab. There is a great deal more control over the physical layer, so it is correspondingly harder to sneak in additional devices to do nefarious stuff. Physically wired networks tend to be more reliable, too, and often have better goodput [wikipedia.org] than wireless networks.
    Physical Ethernet doesn't have CVEs very often.

    • (Score: 2) by mcgrew on Monday March 02, @03:54PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Monday March 02, @03:54PM (#1435420) Homepage Journal

      Indeed. At my house, both the Linux and Windows computers are wired into the router. Anything important is done on one of them. The phone and tablet are okay for reading the news, but using them for internet commerce is incredibly ignorant, especially on a public WiFi.

      Even wired you can't be completely safe. But it's the best one can do.

      --
      Why do the mainstream media act as if Donald Trump isn't a pathological liar with dozens of felony fraud convictions?
  • (Score: 2) by driverless on Monday March 02, @11:27AM

    by driverless (4770) on Monday March 02, @11:27AM (#1435393)

    If you look at the statement in the press release:

    AirSnitch "breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks."

    it's the standard recitation "the whole world is going to end" followed by "someone might actually figure out how to do something with this at some point". From a quick scan of the paper, and with the qualifier that this isn't my field, it looks more towards the "we've discovered an interesting quirk" end of the scale rather than the "sky is falling" end.

  • (Score: 0) by Anonymous Coward on Monday March 02, @05:54PM

    by Anonymous Coward on Monday March 02, @05:54PM (#1435440)

    It allows other devices that are already on the network to perform man in the middle attacks. This is mostly irrelevant in the modern day because everything is encrypted at the application level. It doesn't allow anyone to bypass authentication and connect to the network when they shouldn't be able to, or to do anything with a network they aren't able to join. The most interesting thing it can do is bypass guest network isolation that is on the same physical radio as the main network.

    This becomes important if combined with a vulnerability in TLS that makes it susceptible to a MitM type attack. In that case public networks would become unsafe. Or you could mess with unencrypted video streams. Or do denial of service attacks. Maybe some low end smart garbage uses unencrypted protocols and you can mess with that. So there's some stuff you can do with it but basically it doesn't matter at all on your personal network and it doesn't matter very much on a public network.
