FragAttacks: new security vulnerabilities that affect wi-fi devices (fragattacks.com)
609 points by sylvainkalache on May 11, 2021 | hide | past | favorite | 236 comments



Future Wi-Fi devices will be able to see through your home and business walls, for activity monitoring and biometric identification, https://www.theregister.com/2021/03/31/wifi_devices_monitori...

> In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals... When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm... tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don't require light, and don't offer any visible indicator of their presence.

IEEE 802.11bf paper: https://arxiv.org/abs/2103.14918

Papers on device-free wireless sensing (DFWS): https://dhalperi.github.io/linux-80211n-csitool/

Remote sensing with low-cost ESP32 and 802.11n: https://academic.oup.com/jcde/article/7/5/644/5837600


What the actual fuck??

Honestly I don't see any purely technical solution to this. At some point we have to demand that laws be written to outlaw this.


If you live in Europe, you might want to sign the European citizen initiative banning biometrics

Reclaimyourface.eu


Thank you so much for the link! :-) I am going to share it with everyone I can!


Signed. Thanks for sharing.


Thanks for this comment. While it is a no-brainer for me to support this, I initially felt that this is hopeless and very few people care. But after seeing your comment, it pushed me to also sign :-) We shouldn't give up.


I tried to sign but was unable to pass the captcha on my phone.


Tried all browsers I have. Captcha doesn't even pop up.


Are you a robot?


They need 1 million signatures, they're currently at 51197 after 3 months. This is not likely to go anywhere. I guess people just don't care enough.


It's funny how you seem to believe that people "don't care" when it's actually more likely that people simply disagree.


Do you mean to say that people are fond of surveillance and facial recognition?


A lot of people are fond of security indeed! And I can imagine many even excited about this new technology. Maybe they just don't buy into this campaign. "We don't know what companies and governments want to use it for", but obviously governments want to enforce the law and companies want to sell more stuff, so nothing mysterious there, and especially nothing against LGBTQI+ in the EU for sure, despite the campaign's message.


I...don't await eagerly the time when tinfoil ceases to be the joke it has been for decades, instead being promoted to a solution anybody even remotely interested in their privacy utilizes.


RF blocking walls could be useful for more than just privacy. Could block out neighbors' overpowered wifi APs. Just have a data line in and wifi APs inside.


That would work, as long as you don't plan on using your cell phone at home.


Luckily most carriers support call/SMS over WiFi. And if that isn't available, a signal booster could bridge the RF barrier.


Soon we’ll have to paint our home walls with Wifi proof paint to bounce off external signals, if they keep designing stuff like this...


Tinfoil hats are the joke. Tinfoil itself isn’t that funny. :-)


https://ans.unibs.it/projects/csi-murder/ enabled by https://github.com/open-sdr/openwifi

Both partially funded by EU's Horizon2020 program.

Openwifi talk at FOSDEM 2020 https://www.youtube.com/watch?v=8q5nHUWP43U


Thank you!


> Honestly I don't see any purely technical solution to this.

For home, chicken wire in the walls and wired networks. A Faraday cage is the simple solution, but unfortunately for this case is unlikely to be in most interior walls in modern buildings.


That would be illegal where I’m from since it also disrupts 911 service. Yes, even in your own home.


RF flooding and interference is illegal but I have never seen that simply blocking phone signal is illegal. Even concrete walls will do that.


That sounds like one of those things made into law but hard to enforce for practical reasons, and if they did try to enforce it, might be something that a civil rights group might take up to get stricken down. Especially with what we're discussing in this thread coming.



Gait recognition! I wonder if they can remotely decode passwords being typed on physical keyboards, since keyboards have a well-known spatial layout.


The characteristic length of 2.4GHz waves is ~12cm. This is roughly their feature resolution size. But you can do better with more antennas, more frequencies, more time, and phase information.


I've tried this [0] "typing biometrics authentication" out in some test apps. It worked well in detecting typing a password between two hands, just my left hand and just my right hand. I tried to do the same cadence - but it seems to also notice keypress duration as well. Not sure how I feel about my typing rhythm being a personal signature.

[0] https://www.typingdna.com/


Search-as-you-type interfaces, including search engines, often have enough signal to perform keystroke timing for the same purpose.


>Honestly I don't see any purely technical solution to this.

https://en.wikipedia.org/wiki/Faraday_cage


Use a router certified with "Respects Your Freedom": https://fsf.org/ryf


> Honestly I don't see any purely technical solution to this.

The technical solution is pretty simple: do not use Wi-Fi. I use wired connections for all of the devices in my household. The only non-technical aspect of the solution was an interior design-based one about unobtrusive cable wiring around the house.


Build better walls. Don't try to outlaw people "looking at you", no matter what frequency they use.

I find it equally ridiculous to try to outlaw software radio that might listen to "unapproved" radio bands, or listening to clear-text WiFi, baby monitors and cell phones.

It's almost as stupid as people who would want brain implant computers to implement DRM so people can't record and share their own memory of a movie.

Another analogy would be a country of blind people trying to legislate sighted people wearing blindfolds, because all of their privacy fences have huge holes in them.

Technology improves people's abilities. Adapt.


I think you should read your own comment but slowly to realize how absurd it is to say "Build better walls". You are basically saying the whole world should rebuild the walls because of this totally not needed WiFi standard. Great!

Also I do not agree with the "technology improves people's abilities" statement. It is always based on how the technology is used. Famous example: harnessing nuclear energy. You can use it to blow up cities or to generate power around the world.

One shouldn't develop technology for advancement's sake. Every new technology should be given thorough thought and analysis: why is it needed? Do the negatives outweigh the positives, or vice versa? And so on.


The problem is that laws cannot stop an egregious bad actor, so it is necessary to proof against such persons with better walls. We "should" not have to do this, but we do if we care about privacy.


There are a lot of walls to upgrade then, who should pay for that?

Standing in someone's garden, peering through their window is dealt with via legislation.

Since the invention of video recording devices, rather than having everyone upgrade their windows, legislation was reinterpreted and updated to govern the recording of people in private places vs public places.

It doesn't seem unreasonable for the same to be done to keep up with other forms of technology.


> Build better walls. Don't try to outlaw people "looking at you", no matter what frequency they use.

It's just not possible to make a wall that can't be seen through, at least without making them tens of meters thick, even using high density concrete, tungsten, or uranium.

Muons aren't photons, but cosmic muon tomography has been used to image the Great Pyramid of Giza and also several mountains. Exposure times for cosmic muon tomography are very long, but with enough exposure time, correlating 5-minute blocks across days, someone could work out mean density throughout your house and make low-res 3D video of your daily routine, even with 1 meter thick walls of reactor-grade high-density concrete with sheet steel cladding.


> Build better walls.

Rebuilding all houses in the world because someone creates a totally superfluous gadget. Seems reasonable.


I dunno - I could see a huge market for wallpaper with embedded wire mesh in it :)


Or just don’t install these devices in your house/live in a place where privacy is functionally impossible like an apartment building.


If the standard is built into all future WiFi standards you might have no choice but to install those devices, if you want to obtain the fastest speeds/range/features etc.


Seems like someone can just pull up anywhere in a car and have this capability. You probably won’t have a choice.


And if someone stands outside with a wifi device emitting a signal into your house?


A lot of this work has been research of Dina Katabi at MIT, via a function called the Sparse Fourier ("4-E-A") Transform.

I am not excusing the privacy implications, which will be abused to the extreme. However, it will be used also for health reasons, like monitoring respiration, and activity.


From https://en.wikipedia.org/wiki/Dina_Katabi

> her work on X-ray vision was chosen as one of the "50 ways that MIT has transformed computer science."

And the housing market.


Simple and Practical Algorithm for Sparse Fourier Transform, Hassanieh, Indyk, Katabi, Price (2012)

https://groups.csail.mit.edu/netmit/sFFT/soda_paper.pdf

The sparse fourier transform : theory & practice - Haitham Al-Hassanieh (thesis, 2016 MIT) - Dina Katabi (thesis advisor)

https://dspace.mit.edu/handle/1721.1/103715


Sorry I am not sure I am following, how does this impact housing market?


Possibly some future demand for faraday-caged homes?


Faraday cages do not stop X-rays; the wavelength can be smaller than the atomic spacing of metals.


This is one of those things that shouldn't even have a standard made for it.

What does everyone think is going to happen with capabilities like that?


Good news, the paper mentions privacy.

> We identify a number of critical issues that need to be addressed in this space... First, individuals should be provided the opportunity to opt out of SENS services – in other words, to avoid being monitored and tracked by the Wi-Fi devices around them.

Bad news, the paper proposes remote human identification by every Wi-Fi device.

> This would require the widespread introduction of reliable SENS algorithm for human or animal identification.

Would opt-in be legally easier than requiring human body scan registration for opt-out of Wi-Fi remote sensing?


This is a poison pill.

In order to not be tracked you must consent to be tracked so we know you don't want to be tracked.

This should not be done or allowed. Period. It's a huge invasion of privacy.


It would be better to have a beacon that simply broadcasts that you do not want to be tracked, with no further identifying features. There isn't really a good reason for identifying you to then look up that you don't want to be tracked. Make that legally binding and enforce it.

Or, better yet, make it totally opt in.


How would opt-in work in practice? Say, if this gets pushed out on $CAFE public wifi for analytics. Would it be something akin to "tick this consent box to use the wifi"?

And if $CAFE tracks you regardless of you not ticking the box or connecting to the network, how do I detect that as a regular customer?


Yeah, this tech standard is totally insane, why would I want anyone or anything to be able to scan people and objects inside my house without my knowledge? I’m aware of microphone attacks for keyboard password entry and other methods of surreptitious surveillance, but this is way past a microphone or webcam. I will pay a massive premium to purchase WiFi equipment without this feature.

Unfortunately these will be everywhere, far beyond any existing camera surveillance network.


It's also passive. Someone could stand outside your house or factory with their device and "illuminate" activity inside the building. Only EMF shielding in/on the walls could block them. Nation-state regulators could get involved, since these devices would be using spectrum that belongs to the public.

2012 article on a military use case, https://www.popsci.com/technology/article/2012-07/seeing-thr...

2017 video on an industrial use case, https://www.digitaltrends.com/cool-tech/wi-fi-radiation-tran...


This is very similar to radar, which raises the question: is radar already used to spy on people's movements through walls?


X-Ray backscatter is definitely used for this, most famously by secret NYPD vans.

https://www.theatlantic.com/politics/archive/2015/10/the-nyp...


> The radars work like finely tuned motion detectors, using radio waves to zero in on movements as slight as human breathing from a distance of more than 50 feet. They can detect whether anyone is inside of a house, where they are and whether they are moving.

The cost of those devices should fall with 802.11bf Wi-Fi.

> the vans deliver a radiation dose 40 percent larger than delivered by a backscatter airport scanner; bystanders present when the van is in use are exposed to the radiation that the van emits… there may be significant health risks associated with the use of backscatter x-ray devices as these machines use ionizing radiation, a type of radiation long known to mutate DNA and cause cancer.

Could this radiation meter detect the presence of such a van?

https://www.gqelectronicsllc.com/comersus/store/comersus_vie...


Can make a lot of interesting products. Lights that turn on or change color when different people enter a room. Home security systems that can detect motion. The ability to summon help for people who fall.

I've been looking into this for a while; it should be mature enough in a year or so. There are already dozens of companies in this space.


Do you think making it a standard is required to use it? The technology exists now. Writing it down isn't breathing it into existence.


Good to have threats documented, so technology/spectrum can be regulated and legal frameworks developed.

e.g. lockpicks are regulated, how about wallpicks-via-WiFi?


> lockpicks are regulated

you think?


Only in a few places.

http://lockwiki.com/index.php/Legal_Issues

https://unitedlocksmith.net/blog/the-locksport-travel-guide-...

> In Japan if you are found with lock picks you will be subject to a fine of 500,000 yen and a year in prison. In Poland, it is illegal to possess any picks without being able to show that your profession requires it ... In Hungary ownership of lock picks is completely illegal. The only people in Hungary that are allowed to have these tools are the military, and as a result lock picks are classified as military equipment. For travel within the United States or even traveling to the US, you should consult the lock pick laws in the state you are visiting.


And let’s not forget also Amazon Sidewalk

Scary times.


Is that some sort of hatch in the pavement? You order something on Prime, and moments later, a slab embossed with Amazon's logo opens, a deliveryperson jumps out and deposits the package into your outstretched arm.


Almost. It's anyone with Amazon IoTs sharing wifi with each other.


It's ambient network access, a desirable behaviour which I anticipate our descendants (or their descendants) will take for granted.

Imagine gradually choking as you wait for a friend to open their front door - oops, you forgot their air doesn't know you're allowed to use Oxygen, hope they get here in time to explicitly authorise you to breathe...

Because of the Network Effect the grand total number of Networks you care about will always be... one. So, it doesn't make sense to have a dozen fiercely independent WiFi networks in the same physical volume all of which are, in fact, just offering access to the same network (the Internet) but with separate credentials needed for each.

There have been very slow steps on the obvious way forward here. If you've been a student somewhere civilized in the last couple of decades you might have seen EduRoam. Under EduROAM your credentials from say, the University of Florida, or Stanford work at MIT and NYU, but also in Oxford, and in Tokyo. No more need to maintain separate "guest" networks so that the visiting lecturer's laptop works. But most of us, most of the time, are using dozens of little pointless fiefdoms.


Right, but do you want that one network to be run by a single company called Amazon?


All these guides showing you how to create a quick VPN on something like Lightsail. All this does is change your ISP to be .. Amazon!

Also putting all your big-tech eggs in one basket isn't a great direction for the Internet.


You will still have to identify particular users, because you want to sell access, because you want to identify those who break the rules and attack other users. But most importantly, users want to separate their networks from one another.

OTOH the technology can move from private radios to the model of cellular networks, where you don't care which tower you connect to, and the security / authorization lives at a different level.


That’s exactly what is being pitched! Sounds pretty great to me. Just move auth upstream, like eduroam/ cellular. Doesn’t preclude people from making their own separate access points, but would make doing so antiquated for most people.


Only if you tolerate devices with non-free software.


Like any TV?


Never needed a TV once since I was old enough for P2P to be invented


Yeah or anything else with non-free firmware.


So, everything practical.


If you bought it, you own it. Does your DVD player hardware come with a license agreement?


I can't tell if I'm missing something here because for some reason I think you're expecting the answer to be "no"?

But, yes DVD players come with license agreements, EULAs.


Hunh? So you are saying that if I buy the DVD player at https://www.bestbuy.com/site/sony-dvd-player-with-hd-upconve... that I'm agreeing to an "EULA" that doesn't seem to exist on the site and that is apparently not mentioned at all before purchase?

Please tell me you're joking.


Do you live in the USA? Very likely yes that DVD player will come with a EULA (End User License Agreement) in/on the box when it arrives.

Other places I'm not sure, but I'd guess you'll get one anyway.

Will they hold up in court? Who knows. But look and you're likely to find one they'll at least pretend applies to you.

(And to be clear, yes I agree that this is _ridiculous_)


If you're in the EU, that DVD player won't have a EULA attached. If you're in the US, it will.


The last one I bought came with a printout of the GPL2.


You tell me because I don't own a DVD player. :)


Yes.


Commercial displays are a solution here, though they're expensive.


Don't put your wifi credentials into your TV, then you've effectively got a giant monitor/commercial display.

If you're feeling especially crafty, open the back of your TV and disconnect the wifi/bluetooth board. It's a discrete board in all of my TVs of different brands. I assume they build them this way so they can use the same network board design/production for years and just upgrade the main logic board in newer models.


I can't find any references right now, but someone once mentioned TVs shipping with SIM cards embedded so that they could collect telemetry even if you didn't connect it to your network.

Even if it isn't/hasn't happened, there's nothing to stop someone like Samsung sticking cellular modems in their TVs to work around you doing this.

If we think about it like AirTags too, popular enough product, it'll just connect to one of your neighbour's TVs which _is_ online.

I remember years ago, Vodafone gave me a "free" femtocell because signal in my home was poor. They neglected to mention the fact it broadcast a public cellular signal which allowed other Vodafone customers to use _my_ internet bandwidth.


> there's nothing to stop someone like Samsung sticking cellular modems in their TVs to work around you doing this.

True. Although, if they put that SIM card on the bluetooth/wifi network board that I'm disconnecting then I'll be ok.

I would be surprised if they used cellular technology for this though (from a cost perspective). I'd expect a lorawan/helium like implementation.


>Don't put your wifi credentials into your TV

Amazon has a solution to this. If your tv is within wifi range of an amazon device, your TV will be able to connect to a network. It might even be your neighbors device.


Can't say I'm planning to buy a TV anytime soon but that's good advice, thank you.


Expensive compared to the advertising-subsidised consumer version, maybe.


Expensive compared to retail-volume models. This is also a fight against manufacturing economies of scale.


Samsung sells "Commercial signage displays" to people, $1k for a 65" display.

e.g. the Samsung QB65R on Amazon

So yeah it's like $100-200 more expensive, but hardly seems.. unapproachable?


Or your neighbors do.



wasn't this a scene in Batman, The Dark Knight?

yes, yes it was https://www.youtube.com/watch?v=IRELLH86Edo


Is it practical to put a Faraday mesh into the exterior walls of a house?


I've rented two houses that used chicken wire to bind the plaster to the lath. You could get a bit of cell service near the windows, but you needed a WAP in each room. Finding studs was a nightmare.


Yes, this kind of shielding in construction is well understood; people concerned about information leakage have been doing it for decades and made the specs public. (Also people suffering from perceived "electromagnetic hypersensitivity".)


Of course, any house totally shielded with a Faraday cage would look extra suspicious and thus receive closer scrutiny. You'd need most of the house to be non-shielded to act as a honeypot while maintaining a small shielded section of the house for "emergencies".


Who are you hiding from exactly?


Advertisers.


With two conditions: a) you would have to do it before closing up the walls and b) give up on radio.


Also, expect to have very strange windows. Of course, if visible light can pass through, that might be considered a flaw in your faraday cage so YMMV.

Personally, I'd like it if my devices knew what room I was in. Back in 2013, I'd started working on a home automation project with that goal in mind, but then all these closed source devices came out that were incredibly cheap and convenient and I haven't revisited the idea since.

I do look back with a bit of regret that more hasn't been done to push for reverse engineering these devices or somehow encouraging companies to open source their routers to support third-party operating systems, etc. We take for granted that we have open-source smartphones and standard PC specifications when we don't yet have a standard that could let me run YouTube TV on my Echo Show 8, for example, or add lossless FLAC playback to my smart speaker...


I imagine window screen mesh connected electrically to the rest of your grid should work sufficiently (like the mesh on the microwave window)


>Also, expect to have very strange windows.

I have screens on my windows so I can have them open yet not have bugs wandering in and out - just pick wire mesh and ground it. Done!


You could just put antennae outside the walls like many houses/cars do.


I recently cut a couple holes in my house exterior through stucco. Like a sibling comment, that stucco was secured over some wire mesh. I can't remember how dense the mesh needs to be to block whichever frequencies would be used, but something like that would be commonplace and provide reasonable doubt.


There are different types of lath used for plaster walls.

From chicken wire to mesh with 1/8-inch, or smaller, rectangles.

I imagine the whole room would have to be covered with lath. In good construction the lath is covering every sq. inch of a room before the base coat is put on.

Plaster walls are not typical anymore. Stucco is still used on exterior walls, but it usually just covers up the foundation, and might extend up the wall a few feet.

Plaster walls in a bathroom are the best walls though. The house I'm in has 1" thick plaster walls, and they hold up to a lot of abuse.

A well plastered plaster room would need screen on the door too, but that's doable.

If I was building a house, it would have stucco walls. Maybe only the exterior walls, and the ceilings? Then my signals could go room to room, but the world is locked out.

No one uses chicken wire, but it works just as well as the new smaller-holed lath sheets.

I still have no clue if modern sheets of lath would act as a Faraday cage?

I have fooled around with Faraday cages, and tiny openings matter.

(I remember hearing about a guy who stole a vehicle with LoJack. He covered the vehicle with chicken wire, and the cell signal went through? He was caught.)



Attic insulation ("radiant barrier") has a layer of aluminum, it can reduce EMF if joints overlap and are sealed with aluminum tape.


You also need to ground it (you should be doing this anyway for electrical safety).


Should there be a resistor (100K? 1M?) on the connection between shield and ground?


I am not an electrical engineer, but AFAIK no. You want your ground path to be the favored path, rather than, say, a sweaty human hand if there's a short.


Trying to stop radio waves is sort of like trying to stop water. Any little crack or hole and it'll come through.


In addition to that, you might want/need to use only wired connections to your router and rip out any components that enable wireless.


I see a market for personal WiFi jamming devices.


Those are illegal (at least in the US, and likely just about everywhere). Which is bitterly ironic in this case ... spying on people inside their homes using WiFi is "fine", but trying to jam that bullshit is ... illegal.


Illegal? Why? I'm only heavily using all the WiFi channels with my perfectly legitimate web browsing.


Jamming would run afoul of the FCC. Now having one or more WAPs randomly modulate their signal strength should do the trick


Anyone aware of a polished application that utilizes this for personal home monitoring? It'd be fantastic to integrate this with Home Assistant[1] in lieu of Zigbee motion sensors.

[1] https://www.home-assistant.io/


Do I understand it correct that it's possible to 'sense' what people speak with this technique?


No, that would require a precision that's probably still decades away. It could be used to grossly place people and large objects, and notice their movement. Sensing voice would require monitoring vibrations in either the person speaking or anything that vibrates with the emitted sound.

Funnily, there are much easier ways to do that, although they require direct line of sight [1]. Another option would be to measure the vibrations on walls (think glass on the wall, but hi-tech).

[1] https://www.schneier.com/blog/archives/2020/06/eavesdropping...


I need to invent faraday cage paint :p


https://www.businessinsider.com/a-san-francisco-apartment-th...

Instead of going to such extreme lengths though, it's more sensible to lobby for political change. There is absolutely no legitimate reason this should be introduced as a general standard for all wifi devices. This sort of spying needs to be illegal unless specifically approved in limited cases.


Now imagine what will be accomplished with 5G.. puts on tinfoil hat.


Is there no limit to this surveillance capitalism thing? At what point does it get dystopian enough for them to stop?


when capitalism ends.


Would it be possible to use this to look at a monitor?


From the industry response[1]:

> "It’s important to note that there is presently no evidence of the vulnerabilities being used against Wi-Fi users maliciously and these issues are mitigated through routine device updates once updated firmware becomes available.

> "Like many previous vulnerabilities, FragAttacks has been academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare and begin to roll out updates that fully eliminate the vulnerabilities. This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it. This significantly reduces the likelihood of actual exploitation or attack."

[1] https://www.commscope.com/blog/2021/wi-fi-alliance-discloses...


I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those APs.

Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place where they could be discovered. There's no need to replace all your APs with new hardware, although the Wi-Fi Alliance would love for you to do that.

Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.


> I agree with the industry response here.

I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".

It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.


I disagree: for defenders trying to establish veracity of flaws and prioritizing defense this is useful information. "Active exploits seen in wild" is a strong signal.

Picking two potentially high impact announcements from the last month or so:

1. There is a severe flaw in the RSA cryptosystem.
2. There is a remote code exec vulnerability in Microsoft Exchange.

One of these was a sketch of an incremental improvement to an attack that remains mostly of theoretical interest. The other was being actively exploited, was tragically simple for 3rd parties to replicate post-announcement and resulted in widespread pain.

There is some (non-linear) scale here (theoretical flaw/poc/weaponized poc/public poc/public weaponized poc/exploited, but limited actors or targets/widely exploited/HAVOC). MS for example uses just "less likely to be exploited", "more likely to be exploited", "being exploited". It's coarse and somewhat subjective but there is value even so.

"This flaw is being actively exploited in the wild" is the best line I can take upstairs. I don't want that to go away just because some parties might misuse it.


That assumes this statement is made out of some sort of particular knowledge. When a Google Zero researcher finds an exploit, then goes through Google crash logging to determine if it's been abused in the wild, there is a reasonable basis for speculation on their part to say if this is an active exploit in the wild or not.

When a sales busybody like the WiFi alliance makes that statement, it comes from ignorance and CYA.


>[KRACK] easy to exploit in a lab but very hard to exploit in practice

How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside it's as easy as pressing GO in one of the hundreds of script kiddie tools.


Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...

Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always the world isn't burning down. But I think it's interesting research :)


I agree, it absolutely is interesting research, and I appreciate the detailed explanation that was published.

Although the proximity requirement severely limits the possible impact, it does make us think again about the security of our Wi-Fi networks, and as a result we may identify areas to improve, which is a benefit.


WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.

In your mind, what kind of WiFi exploit is actually concerning?

After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?


>WiFi exploits will always be subject to proximity though?

Something as simple as a Pringles can will dramatically increase "proximity". If you are in (or are perceived as) a juicy enough target area why wouldn't someone use something like this? Great way to monitor people, find out which houses are ripe to break in, etc.


If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.

Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.


Tell that to the Iranians and their nuclear facilities...


How would a victim know if someone in a coffeeshop used this attack?

> these issues are mitigated through routine device updates once updated firmware becomes available.

Unless you are one of the millions upon millions of people who have an Android device that launched >3 years ago.


Concept correct, # of years off by a lot.


> This set of vulnerabilities requires a potential attacker to be physically within range of the Wi-Fi network

I have trouble imagining an attack on wifi protocol where this doesn't apply :).


Back in the day you could disconnect some modems by sending certain strings over any higher level protocol, e.g. ICMP or IRC.


Linksys WRT54G, Netgear 614/624 routers: sending `DCC SEND foo 0 0 0` would boot people off IRC

Norton Personal Firewall: `startkeylogger` would boot you off of IRC

These would typically be combined into `DCC SEND startkeylogger 0 0 0` to grief a whole channel of people


Reminds me of this back in the day: https://seclists.org/bugtraq/1998/Sep/192


Back in the day, you could:

- Hijack TCP sessions very easily with IP hijacking, especially telnet

- DoS someone with a smurf attack

- Ping of death windoze

- Inject content into unencrypted pages (goatse everyone's web page backgrounds)

- Get hacked by running inetd services

- chargen ... nuf said

- Apply a zillion patches to a Solaris box but break 10 other things


I think this vulnerability is one of the most embarrassing blunders caused by a software patent.


> requires a potential attacker to be physically within range of the Wi-Fi network (or user device) in order to exploit it.

So everyone that lives or works in a city? That can't be many people can it?


In which fantasy world are WiFi devices known for receiving regular firmware updates? Especially if they're older than a year or two? Enterprisey brands, sure, but consumer grade stuff? Hah!



> By default devices don't send fragmented frames. This means that the mixed key attack and the fragment cache attack, on their own, will be hard to exploit in practice, unless Wi-Fi 6 is used. When using Wi-Fi 6, which is based on the 802.11ax standard, a device may dynamically fragment frames to fill up available airtime.

Why does this feel like Spectre? We're trying to speed things up in a way that eventually blows back into our face.
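As an added example that is neither the FragAttacks authors' code nor any driver's, here is the receive-side reassembly logic whose absence the quoted mixed key and fragment cache attacks rely on: fragments are combined only when they were decrypted under the same key and carry consecutive packet numbers, and any partial state is discarded on (re)association. The frame layout, the key ids and the fragment payloads are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSDU 256

/* Constructed view of one decrypted fragment as a driver might see it. */
struct frag {
    uint16_t seq;       /* sequence number shared by all fragments of an MSDU */
    uint8_t  frag_no;   /* fragment number, starting at 0 */
    bool     more;      /* "more fragments" bit, set on every fragment but the last */
    uint8_t  key_id;    /* hypothetical id of the installed key that decrypted it */
    uint64_t pn;        /* CCMP packet number carried by the fragment */
    const char *data;
    size_t   len;
};

struct reassembler {
    bool     active;
    uint16_t seq;
    uint8_t  next_frag;
    uint8_t  key_id;
    uint64_t last_pn;
    char     buf[MAX_MSDU];
    size_t   len;
};

enum verdict { REASM_PENDING = 0, REASM_COMPLETE = 1, REASM_DROPPED = 2 };
static void reasm_reset(struct reassembler *r) { memset(r, 0, sizeof *r); }

/* Fragment cache defence: every (re)association discards the partial MSDU, so
 * a fragment queued in an earlier session can never be completed later. */
void reasm_on_connect(struct reassembler *r) { reasm_reset(r); }

enum verdict reasm_feed(struct reassembler *r, const struct frag *f)
{
    if (f->frag_no == 0) {
        reasm_reset(r);                       /* a new MSDU replaces any partial one */
        if (f->len > MAX_MSDU) return REASM_DROPPED;
        r->active = true;
        r->seq = f->seq;
        r->key_id = f->key_id;
        r->last_pn = f->pn;
        memcpy(r->buf, f->data, f->len);
        r->len = f->len;
        r->next_frag = 1;
    } else {
        if (!r->active || f->seq != r->seq || f->frag_no != r->next_frag ||
            f->key_id != r->key_id ||         /* mixed key defence: one key per MSDU */
            f->pn != r->last_pn + 1 ||        /* fragments must have consecutive PNs */
            r->len + f->len > MAX_MSDU) {
            reasm_reset(r);
            return REASM_DROPPED;
        }
        memcpy(r->buf + r->len, f->data, f->len);
        r->len += f->len;
        r->last_pn = f->pn;
        r->next_frag++;
    }
    if (f->more) return REASM_PENDING;
    r->active = false;                        /* buf/len now hold the whole MSDU */
    return REASM_COMPLETE;
}

/* Constructed fragments: two halves of one MSDU, plus a copy of the second
 * half as it would look if it had been decrypted under a different key. */
static const struct frag F0      = { 7, 0, true,  1, 100, "GET /", 5 };
static const struct frag F1      = { 7, 1, false, 1, 101, "index", 5 };
static const struct frag F1_KEY2 = { 7, 1, false, 2, 101, "index", 5 };

int scenario_valid(void)                 /* returns 1 when reassembly succeeds */
{
    struct reassembler r; reasm_on_connect(&r);
    reasm_feed(&r, &F0);
    int v = reasm_feed(&r, &F1);
    return v == REASM_COMPLETE && r.len == 10 && memcmp(r.buf, "GET /index", 10) == 0;
}

int scenario_mixed_key(void)             /* second half under a later key: dropped */
{
    struct reassembler r; reasm_on_connect(&r);
    reasm_feed(&r, &F0);
    return reasm_feed(&r, &F1_KEY2);
}

int scenario_stale_cache(void)           /* reconnect between the halves: dropped */
{
    struct reassembler r; reasm_on_connect(&r);
    reasm_feed(&r, &F0);
    reasm_on_connect(&r);
    return reasm_feed(&r, &F1);
}

int main(void)
{
    printf("valid=%d mixed_key=%d stale_cache=%d\n", scenario_valid(), scenario_mixed_key(), scenario_stale_cache());
    return 0;
}
```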


Does it have anything to do with the speed of development->deployment? If something that is going to be standardized is rushed, then these kinds of easily-ish found flaws will continually haunt us. If things slowed down and allowed a serious amount of pentesting before standardization, then maybe we can avoid these herpes-like flaws where they sit dormant and then flare up, but can never be eliminated once discovered.


Doubtful.

> several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!

And spectre is also based on a decades old documented flaw.

It's just not very practical to predict every feasible attack until a lot of people have real systems to explore.


why do you need complex systems at all? just use a flat memory system with no kernel. no stack cookies. in fact, no internet is probably better.


seriously, have we learned nothing from Battlestar Galactica?


Mathy strikes again! This has been fixed in Linux and certain firmware / driver already: https://lore.kernel.org/linux-wireless/20210511180259.159598...


Only because they agreed to sit on the patches for an inordinate amount of time.

Theo de Raadt did the right thing for KRACK. Shame it would be his only chance to do so before getting kicked out of Mathy Vanhoef's secret club.


If you want up-to-the-second research results on Wi-Fi vulnerabilities, you are welcome to start your own research group, generate your own results, and share them however you'd like. You are not entitled to access to other people's results on your own terms.

I'm not a believer in coordinated disclosure and long embargoes (I think P0 does it just about right, though I'd make it 45 days instead of 90). But if I was offered information about a protocol vulnerability under a long embargo, accepted it, and then broke the embargo terms, I wouldn't whine about it next time when I wasn't included. Honestly: I wouldn't whine about it under any circumstances, even if I studiously complied with the embargo. Because we're not entitled to other people's work.


You have mischaracterized the original agreement.


I read the email thread, and stsp's comments on Lobsters. I get that there's a grudging agreement on both sides that OpenBSD can't abide by long embargoes, and will simply get notified later in the process when those are expected. That seems like a fine outcome, and not a cause to dunk on a researcher for having a "secret club".


Like I said upthread:

> I think simply pushing back against the length of an embargo should not be characterized as breaking an embargo.

I didn’t like the “secret club” comment either.


I would dispute the idea that OpenBSD is being punished here, based on the information that's been made public. OpenBSD argued explicitly and repeatedly that embargoed early access to vulnerabilities put them in an untenable position. Both sides of this controversy have, effectively, agreed to delay disclosure to OpenBSD.


I'm out of the loop. Expand?


From someone mostly out of the drama loop, here's my brief recollection:

Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities, especially critical ones, before publishing details or anything that could lead to a working 0-day exploit.

Theo de Raadt was one of the people notified of a previous WiFi exploit, and there was a set length of time intended for the vulnerability to be made private, in order for the (inordinately slow) vendors to create and push/prepare patches. If the patches were released early, it'd be easy to determine what the original vulnerability was.

So, Theo de Raadt decided, in the interest of keeping OpenBSD secure, to push the patch early, effectively letting the whole cat out of the bag. I'm not going to get into the drama of whether that was right, wrong, foolish, wise, whatever, but because of that, he no longer receives these ahead-of-time notifications of vulnerabilities.


There are at least two things wrong with this comment. First, OpenBSD did not push the patch earlier than agreed. Second, OpenBSD did not push the patch without permission.

Mathy originally reported the vulnerability to OpenBSD on July 15 under embargo, and estimated it would be lifted by the end of August (1.5 months after disclosure). Theo argued that 1.5 months was too long, but didn’t push the patch. Then on August 14, Mathy said the final public disclosure date would be October 16 (three months after initial disclosure), but agreed to allow OpenBSD to patch early. Although he didn’t like it, and has since said he would not give such permission again, he agrees that OpenBSD did commit with his permission.

Direct quote from Mathy: “From my point of view, I sent one mail on 14 August where I mentioned the new disclosure date of 16 Oct. In that same mail I also gave the OK to quietly commit a fix.” https://marc.info/?l=openbsd-tech&m=152909822107104&w=2

People portray OpenBSD as a project that ignores embargoes, and point to KRACK as an example. But Theo didn’t ignore the KRACK embargo. Rather, Theo successfully persuaded Mathy to allow OpenBSD to patch the vulnerability a full month and a half after all vendors had been informed.

I’m commenting on this because I think simply pushing back against the length of an embargo should not be characterized as breaking an embargo.

There were a lot of vendors in the KRACK embargo. The risk of the vulnerability leaking to the black market or malicious governments is real. As the length of the embargo increases, this risk increases dramatically. Big vendors are incentivized to pressure researchers to extend the embargo as long as possible. Open source projects are forced to hold off on committing bugfixes, leaving their users potentially vulnerable. If a project pushes back against a long embargo, or through persuasion manages to finagle permission to release an unobtrusive fix “early,” that project is characterized as an untrustworthy embargo breaker and left out of future embargoes. So open source projects are incentivized to sit down, shut up, ignore the threat to their users, and let the big vendors dawdle in their bugfixes.


Thanks for the clarification/correction.

I have just one more thought on the matter. I'm still early in my career, but in the years I've spent so far working with small business-types on security, and watching my colleagues, a month and a half is practically no time at all. I have little love for the big vendors, especially for behavior like this, but the reality I've seen is they often take months to do anything, and it takes further months for customers to actually patch their systems.

So I'm a little sympathetic to the desire to have an embargo of half a year or even longer, even with the downsides mentioned. Still, Theo clearly didn't actually breach his trust with Mathy, that's my mistake.


> a month and a half is practically no time at all

A month and a half is plenty of time, but it requires (1) the company decides that fixing security bugs is top priority. (2) They need a senior engineer or two on hand who are smart enough to understand the issues involved and implement a fix. And (3) They need a decent release process which allows security fixes to be promptly rolled out to users.

I’m not sure where most companies fail here. It’s certainly easy to downplay and deprioritize security fixes from the inside, when you have a big deadline coming up, or your customers are yelling at you or a refactor is blocking other people from doing their job. Security issues from the inside never feel like the “all hands on deck” emergency situations that security researchers believe them to be. (And I’m not sure if this is right or wrong, just, the experience I’ve always had from the ground when security issues potentially affected us.)


The best way to get vendors to make security a priority is to not perpetually coddle them. At this point in time if a vendor can't react to something in under a month and a half that's more on them than the rest of us.

If anything the security community should be steadily decreasing the amount of embargo time. I wouldn't be opposed to different classes/criticality of vulnerabilities having different timelines. But for vulnerabilities where everyone's collective ass is proverbially hanging out there the times should be VERY short.


Oh, I 100% agree. The companies are more than capable of preparing fixes in that time. I meant from the perspective of the end user businesses, even if they prioritize the patches (which isn't a given) these vendors take ages to fix anything.

And I mean, that's a part of why you release these vulnerabilities publicly anyway, to pressure them into fixing their crap. I just worry a bit that if the window is too small, they'll just shrug their shoulders and put out a PR piece about how the vuln isn't actually that big a deal or something.


IME they fail at all 3.


IME, the most common reason for delaying fixes is organizational dysfunction, not technical complexity. You can spend a lot of time arguing whose job it is to make the fix, what the best way to make the fix is, what sprint it all should go into, and are you sure it's not team Y that really should change their code to deal with this? Let's meet to discuss that...


> Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities

Can you provide more context for this point? As somebody with some experience in infosec, I don’t think that’s actually so clear cut. There are people who believe coordinating with vendors is the right course, and people who believe embargoes compromise users’ ability to make safe choices. There are also people who think the right course depends on the individual vuln/system.


It's not clear-cut, at all. It'd be hard to defend any claim premised on a broad agreement in the field about how to handle disclosure.

In Vanhoef's case, though, he's bound by standards his university has for this stuff, not just his own personal preferences.


Absolutely, it was wrong for me to try and speak for everyone. In my own professional circle, this is what's accepted, but there are many who think otherwise, so my apologies.


>Generally in the security sphere we consider it the most ethical and responsible

I would reword this to say

>Generally in the security sphere we consider it the most obedient

The earlier wording severely disadvantages the end-user of the opportunity to know that they are working with broken software and to find an alternative.


That's fair. It's the attitude I've seen the most of in the people I work with/around, and it's rubbed off on me a bit. There are definitely people who believe this is a disservice to the users, and I don't necessarily disagree with them.

Personally, I agree most with tptacek in another comment, that this is on a continuum, and depends on the vulnerability, situation, and who's involved. If there's a good faith effort to develop + push a patch to a very wide install base of hardware which realistically is being ignored by the sysadmins (no chance of being replaced, and impacting people using them in e.g. public places), I think it can be ok to embargo details.


https://www.krackattacks.com/

Probably referring to the internet drama related to silent patching and disclosure embargo. There are some details here, and others on various mailing lists, including an airing of differences if you want to look for that sort of thing after making a bowl of popcorn.


So these patches are for “Linux IEEE 802.11 implementation (mac80211)” and ath10k/ath11k.


By now it's probably easier in mind to treat any Wi-Fi as Open Network and always use something like WireGuard/Tailscale for secure communication between devices.


Can you help me understand why this is necessary if all your services use https?


Yeap. I'm trying to remember if 802.11x would help or it's just AAA. Point-to-point tunnels up one layer are the way to go.


And set your own DNS, and maybe block DNS on the standard port...


If only we knew 6 months earlier after a reasonable disclosure.


It’s always been my working assumption that WiFi security should be presumed to be broken until it is proven to be broken.


A 9 month embargo is disgusting. Linux users have been sitting ducks while others may or may not have received silent updates.


Often many companies and organizations from many countries are getting informed about such security problems under the embargo. I assume that the intelligence agencies from many countries are also getting this information. Either they are officially informed, because they also protect the government networks, or they just have good working relationships with their local companies.

I assume Microsoft would inform the NSA about such things, Huawei would inform the Chinese intelligence agencies and Siemens would inform the German BND.


And those nations got a chance to freely exploit it* for way longer than a typical reasonable disclosure of 90 days.

*Assuming they didn't already know about it which is why fast disclosure is so important.


I can't read from your comment if you think this is A Good Thing. In my opinion it is a Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted it should only be those that fix the vulnerability in WiFi devices. Anyone else and not only does the risk of leaks rise exponentially but some of them will rub their fingers with glee and exploit it ASAP.


I think such long embargoes are bad.

Embargoes prevent the average cyber criminal from knowing about the problems, but the resourceful organizations already get the information before the public knows about it. I think even 90 days is pretty long.

For example 253 vendors were informed about the problem in dnsmasq about 3 months before it was published: https://www.kb.cert.org/vuls/id/434904 (all vendors listed here were informed). In each organization probably multiple people know about this.


Long embargoes only give companies cover to continue to not prioritize security or responding to security issues in a timely manner.

That we have had embargo processes for decades is utterly ridiculous. It's time for these vulnerabilities - especially for the ones that literally break everything - to be treated with the urgency they should be.


I appreciate the distaste for a security-vulnerability being sat on for so long. However, the appropriateness of a long-embargo would seem like a bigger topic.

That said, about being sitting ducks.. dunno how much the situation really changes like that. For example, was this really unknown before this particular discovery? And what other vulnerabilities aren't currently being reported, whether under embargo or not?

Seems like users ought to have reasonable expectations about how secure popularly practiced technology is. If someone believed that a vulnerability like this wasn't a possibility, then they may need to update their expectations.


The embargo for binary patches was May 3rd. Of course, if random me knew about these issues, every interested party also did. Think about vendors like Qualcomm, Intel or Mediatek; they were all informed and all of them then had to inform their chip buyers because they don't make any of the actual customer products.


From the researcher that brought you KRACK:

https://www.krackattacks.com/


It's as though supporting fragmentation in any protocol makes preventing replays and offset overwrites a next order Hard problem.


Every time I see a headline like this I always think "this is probably Mathy at it again". The guy is a titan in breaking wifi.


""" How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. """

This actually made me angry. How fucking long are we doing this already? This is so. basic. Why is this possible? This should incur liability, we know the IT environment is adversarial.

I understand one can make technical mistakes, or shoot oneself in the foot in low level languages that are difficult to handle correctly. But this is a conceptual mistake, involving crypto! How can you possibly have written this code for an issue like this to occur? What is the control flow that leads to this? I almost cannot imagine how someone could code this up by accident, this must be a backdoor. Just imagine:

  if (decrypt(encrypted) == false)
  {
    memcpy(plaintext, encrypted, len); // let's try to use the encrypted data anyway, you never know!
  }
  handle_packet(plaintext);


WiFi has always been developed to be retro-compatible. The good side is you can use something from 2003 with an AP from today (let's ditch the 5MHz and 10MHz bandwidth), the downside is you have a big stack of technical debt in most of the chipsets out there, which might be why this kind of thing happens.

Not having any access to the firmware source (thanks FCC) does not help at all.


Why is it the FCC's fault specifically? The FCC doesn't regulate Intellectual Property. They regulate radios. Are you implying it's within the FCC's power to say radio firmware must be open source?


They require that users can't use restricted frequency ranges or raise the power level. The easiest and cheapest way for manufacturers to comply is to lock down firmwares. And since they didn't also require open firmwares that's the effective outcome in many cases.


> This should incur liability

Might shock you but the for-profit Wifi Alliance repeatedly ignores best practice advice and has the garbage they push out owned all the time. At this point I'm half convinced they are compromised, see no reason why they should be writing the standards anymore. People tell them what they are doing wrong constantly and they just ignore it and push ahead until someone breaks it exactly as predicted, rinse, repeat. This has been going on for years.


> I'm half convinced they are compromised...

Half? Sadly, it's hard to imagine these things not involving some well known 3-letter US agencies.


Even with encryption turned on, there will be plaintext packets you must process (e.g. to start the session). So it requires a whitelist to properly enforce, but all your conformance tests will pass without it. Easy to miss.


I think this will make for an excellent litmus test for companies that make wifi products. Is this a critical fix? No. Is it important, if not critical? Yes.

Some vendors aren't going to care about this in the least and won't offer any updates.

Some will only fix this in new and future devices.

And perhaps some will update all their devices going back several years.

Currently I buy used 802.11ac Airport Extremes for wireless for people because they're simple, they stay out of the way, and the last time there was a major update, Apple updated every Airport model all the way back to the Airport Express from 2008.

But I want to be able to buy new wifi devices, and how vendors handle this will inform me about which ones I'll buy going forward.


As far as I can tell Apple has not released an update for my Airport Express since 2018 :/


Maybe because it's the same year they announced they were dropping support for it?

Time to get a newer piece of gear. This is the problem with software - it doesn't age like a fine wine; it has to be maintained - and that usually means someone is going to have to be paid to do the not so fun work of maintaining and fixing old stuff that is no longer "OoOh tEh sHiNeY!"


I don't think it's so much the paying of programmers for maintenance, as the desire for forced-obsolescence, so they can sell new stuff.


> certain devices accept plaintext aggregated frames that look like handshake messages. An adversary can exploit this by sending an aggregated frame whose starts resembles a handshake message and whose second subframe contains the packet that the adversary wants to inject.

That reminds me of a thread [0] that came up a month ago mentioning discussion of packets in packets [1]. That paper was from 2011!

[0]: https://news.ycombinator.com/item?id=26778236

[1]: https://static.usenix.org/events/woot11/tech/final_files/Goo...
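The receive-side acceptance policy that both the earlier "there will be plaintext packets you must process" comment and the handshake-lookalike aggregate quoted above argue for, as an added example that is not code from the FragAttacks site or any vendor's stack: plaintext is whitelisted for 802.1X handshake traffic on a link that has no keys yet, never accepted as an aggregated frame, and refused outright once keys are installed. The field names and the link-state model are constructed; 0x888E is the standard EAPOL EtherType.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_EAPOL 0x888E   /* 802.1X / EAPOL: the only traffic a station needs before it has keys */

enum link_state { LINK_UNKEYED, LINK_KEYED };   /* before / after pairwise keys are installed */
enum decision   { DROP = 0, ACCEPT = 1 };

/* Constructed view of the fields a receive path inspects before the data path. */
struct rx_frame {
    bool     protected_bit;   /* Protected Frame bit in Frame Control */
    bool     amsdu;           /* A-MSDU Present bit in QoS Control */
    uint16_t ethertype;       /* EtherType of the (first) encapsulated payload */
    bool     decrypt_ok;      /* replay check and MIC verified, if the frame was protected */
};

/* The pattern the quoted comments object to: a frame without the Protected
 * bit is handed to the data path no matter what state the link is in. */
enum decision accept_frame_permissive(enum link_state s, const struct rx_frame *f)
{
    (void)s;
    if (f->protected_bit)
        return f->decrypt_ok ? ACCEPT : DROP;
    return ACCEPT;
}

/* Hardened: plaintext is whitelisted, not blacklisted. */
enum decision accept_frame_strict(enum link_state s, const struct rx_frame *f)
{
    if (!f->protected_bit) {
        if (s != LINK_UNKEYED)               /* once keyed, everything must be protected */
            return DROP;
        if (f->amsdu)                        /* handshake messages are never aggregated */
            return DROP;
        if (f->ethertype != ETHERTYPE_EAPOL) /* only 802.1X may ride in plaintext */
            return DROP;
        return ACCEPT;
    }
    return f->decrypt_ok ? ACCEPT : DROP;    /* protected frames: unchanged */
}

/* Convenience wrapper so a scenario can be stated in one line. */
enum decision classify(bool strict, enum link_state s, bool prot, bool amsdu,
                       uint16_t ethertype, bool decrypt_ok)
{
    struct rx_frame f = { prot, amsdu, ethertype, decrypt_ok };
    return strict ? accept_frame_strict(s, &f) : accept_frame_permissive(s, &f);
}

int main(void)
{
    /* plaintext IPv4 data arriving on an already keyed link */
    printf("plain data on keyed link: permissive=%d strict=%d\n",
           classify(false, LINK_KEYED, false, false, 0x0800, false),
           classify(true,  LINK_KEYED, false, false, 0x0800, false));
    /* plaintext A-MSDU whose first subframe is EAPOL-shaped, during the handshake */
    printf("plain EAPOL-shaped A-MSDU: permissive=%d strict=%d\n",
           classify(false, LINK_UNKEYED, false, true, ETHERTYPE_EAPOL, false),
           classify(true,  LINK_UNKEYED, false, true, ETHERTYPE_EAPOL, false));
    return 0;
}
```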


I just checked for an update for my TP Link Router, nothing yet.

How likely are large manufacturers to react to this?


Well you may find you can run (but may understandably not want to) OpenWRT on your TP Link Router. And OpenWRT released an update following KRACK


Not my model yet (unfortunately)


>How likely are large manufacturers likely to react to this?

Ruckus has updates out already: https://support.ruckuswireless.com/fragattacks-ruckus-techni...


From my own experience with TP Link routers I don't expect them to update at all.


From my experience with TP-LINK software, you don't need to worry about this attack. The attack demonstrated is complex, requires physical proximity and a lot of knowledge about the target.

Meanwhile, your router will probably give any attacker root if they ask it nicely. TP-Link doesn't seem to care about device security at all if you're already paid for the device, so don't expect any updates and expect a whole range of vulnerabilities to be exploitable against your router.

Now, it must be said, TP-Link is no D-Link, a company that almost seems to add security problems to their software intentionally with their awful software quality, but if you're conscious about security, any consumer device will probably have a whole bunch of exploits that would work easier and more reliably.

EDIT: replaced the word "access" with "proximity" to avoid confusion.


> requires physical access

What? You just need a high enough gain antenna and you can carry it out much further away than it appears your wifi reaches. Isn't physical access being able to touch the computer?


I suppose I used the term wrong, but you do need to be within receiving range and depending on the attack you need to win a race condition, so it's not that far from the generally accepted use of "physical access".

Meanwhile, many consumer routers can be hacked by adding something similar to <img src=192.168.1.1/admin/changesettings.cgi/> to a page or malicious ad. I don't think general consumers should be worried about someone aiming a high gain antenna at your router unless you work at a company dealing with sensitive information or places like embassies. The alternatives are much easier and much cheaper to execute.


Quite a few people are working from home these days. Stuff that used to be contained in hardwired office PCs is now flying over home WiFi.


If the device didn't first appear on the market in the last six months? About as likely as Apple opening their hardware.


Fragmentation is usually disabled in home APs. I've played with it on hostapd, but didn't find a performance improvement, and investigating with Wireshark found even 64k packets were not being fragmented. Is the same true for enterprise APs?


It's enabled with WiFi6 so a forward compatible vulnerability!


I wonder if hardcoding your DNS servers will help. I guess sometimes this is not possible because in corporate environments DNS servers are sent via DHCP.


“More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”

So yes, but as you say lots of things can override your explicit DNS settings. Even browsers can do it these days.

Run WireGuard. Effectively treat WiFi as untrusted and VPN over it. Have WireGuard send over your DNS on the other side, and have that DNS use D-o-T or D-o-H depending on your threat model.

Use Ethernet on stationary devices, and WiFi on mobile devices.


Exactly how terrified should I be right now?


The chained CVEs made for interesting reading. Bookmarked for future reference when I have my SDR to hand.


Surprised there is nothing in the "Q&A" that refers to wired devices. As if there is no choice.


Would using a VPN prevent the malicious DNS packet?


Authenticating the remote end of the connection (which all decent software does because using it on other people's WiFi would be very unsafe otherwise) makes it irrelevant.


I would really like to know, if someone could, the definitive answer to if using a VPN would prevent the malicious packet?

Do we even know at this point?


“Frag” as a portmanteau of FRagmentation and AGgregation is hardly a non-ambiguous choice of terminology.


So, will I need to go beyond the tinfoil hat? Maybe line the walls with tinfoil?


I've always felt an always listening radio, especially the ones in televisions that try to connect to anything it can, in any device is a big gaping security hole. We've already seen how Bluetooth makes things vulnerable. If you're truly worried about security, go with the cable.


What are some vulnerabilities in bluetooth?


BleedingTooth



