I'm sure that more creative versions exist, but a very common way is the WiFi deauth attack.
The advantage is that it works on the protocol level, so you don't have to nuke the entire spectrum for the entire neighbourhood (which would attract attention)
How would this work for scenarios where people take advantage of the free network hotspot connectivity provided by some Wi-Fi and cellular providers? anyone who travels throughout even a moderately dense coverage area would swiftly accumulate a history of hundreds if not thousands of briefly-connected ssids? It seems like constantly broadcasting this data would result in fairly noticeable performance degradation.
AT&T smart wifi is a recent example, it manages discovery of different system partner ssids through an app. But even if the SSID was exactly the same, the bssid would be different in every case, and that's the unique (mod spoofing) station identifier.
It's hard and generally unnecessary to protect wireless protocols against DoS, since jamming almost always works. Military transceivers do try, but as I understand it it's well beyond just designing the protocol carefully.
It's not just denial of service. First step is to kick the client off. That's DoS. Next step is spoof the station so when it tries logging back in it grabs the password. I am asking how to mitigate against that, and don't see anything beyond disabling auto logging and password rotation.
802.1x allows for the client to validate the authentication server by way of X.509 certificates, although this normally does require manual configuration since there is no global namespace to tie an ESSID to like there is for domain names in normal TLS. Mutual asymmetric key auth is available through EAP-TLS as well, but I could see that being a rare feature on cameras.
Actually, why there is not? Company should be able to just get cert for wifi.company.com and then be allowed to just call its network wifi.company.com...
I replaced my Orbi network with Eeros. Same SSID, same password, but almost nothing in my house (smart devices, phones, computers, Alexa) would use it until I logged in again on each device. I'm not sure how it's done, but something's in place.
Did you configure the Eero to spoof the Orbi's BSSID?
It's not really "secure" in the academic sense of the word, but many devices record the BSSID along with the SSID to be a little more safe from hijacking.
It's trivial to spoof the BSSID if you're an attacker since it's something that's just advertised wirelessly.
The dumping of energy into noise in bands variants tend to be very short ranged because of physics.
Malicious clients/APs need much less energy to DoS a network Wi-Fi network. WPA3
adds optional PMF (802.11w) to protect against rogue deauth over WPA2. Also, not deploying 802.11r but deploying WPA-3 only mode and device/user cert-based 802.1x auth also help.
> The dumping of energy into noise in bands variants tend to be very short ranged because of physics.
Sure, but compliant Wifi devices use miniscule transmit power. If you're a criminal you can easily hook up a car battery/generator to a 1000 W transmitter and cover a pretty wide area, or use a directional antenna to focus it a bit more on your target. These sorts of jammers definitely exist, too. Downside though is you're also lighting a huge beacon that says "HELLO I AM DOING SOMETHING ILLEGAL", so you will not be able to keep it up forever. Protocol-based attacks are more discrete, but newer APs (especially enterprise) have countermeasures.
I dunno how legit they are but a Google search finds examples claiming a 20 W jammer can cover 500 meters. I'm skeptical that's accurate but it's probably within an order of magnitude. Enough to cover a house, and a large transmitter would plausibly be able to block out a larger facility.
Adding a couple of thoughts I had while reading it:
- If the criminals' jamming only needs to protect their identity when people look at footage in the future (as opposed to taking offline a large facility's entire network of cameras so that security can't tell where the criminals are in real time) then they could potentially carry the jammer with them, in which case it just needs to be strong enough to block any camera within sight rather than the full building
- In addition to scaling the power of a jammer to take out a big enough area, they could place multiple jammers around the location, either to combine to a larger area or to expand on your directional antenna idea to target individual networked items (cameras, routers, whatever). Even if having many of them means there isn't time to collect them all again when leaving, assuming the crime's pay-off is significant then it could easily still be cost-effective to consider them single use jammers (I'm assuming it wouldn't be hard for people smart enough to plan this sort of crime to make sure that the left-behind jammers can't be traced back to them as an easy solve for the police).
> If the criminals' jamming only needs to protect their identity when people look at footage in the future ... within sight rather than the full building
Ideally a well-designed camera would buffer locally when its WiFi path is down. But there's always limits there and I suppose if the criminal started the jamming a bit before entering line of sight, it should work. Then again I suppose most security cameras probably don't buffer at all or just barely enough to smooth out a network hiccup.
Yeah hand carryable jammers are a thing you can find them for sale easily which kinda blows my mind considering there's (AFAIK) no legal use for them, nor even any grey area semi-valid use. Granted I've never bought one so maybe all the stores in Google results are fake but I doubt it.
Jammers also aren't super expensive and don't need to be supervised, it's entirely possible a thief could just leave a big one in a trash can or something and then abandon it.
All that said though I don't think this is a credible threat against anywhere with minimum legitimate security. Everything should be hardwired and battery backed up in any reasonable security system. It's mostly a thing that would effect cheap residential systems.
Sale is one thing, but possession and use are a separate thing. If you happen to build a faraday cage on your own private property and want to run some sort of thing that is a jammer within it the FCC isn't going to come after you. It's intentional radiators they care about.
What you can't do is operate a business and fill the lobby for example with jammers that wipe out cell phone service and then require people to pay for access via WiFi.
Is it maybe legal to jam wifi signals if either a) your jamming is restricted to inside your private building, with absolutely no leakage outside, or b) the same except regarding property lines rather than physical walls (e.g. if you had a weak jammer in the middle of your private field, whose jamming signals were undetectable at each edge of the field)?
My guess would be that A is legal and B might not be, but I've never had reason to look up the relevant laws and I don't know if it would be the same in different countries either.
But yeah, I doubt most purchases of portable jammers are for legal use.
b) is not legal, people have gotten fined for interfering with RF signals on their own property (e.g. stores, restaurants etc). People interfering with GPS or cellular on their own property is also common and highly illegal, and I assume the same laws would apply to wifi. Problem is you can't stop RF propagating off your property lines in that scenario, and noise jamming in the wifi bands can effect other more sensitive equipment that operate in the same bands. But like most things FCC related, you can likely get away with it if you aren't egregious.
a) I've never been quite sure. People do testing in Faraday cages so there has to be some exception. I'm pretty sure as long as you aren't interfering externally and are being responsible nobody is gonna fine you.
GSM blockers are easy to buy. Unsecured camera logins can be detrimental too, manufacturers use a lot of the same default login information and they keep it readily available to anybody who knows where to look or how to ask properly.
Also if there was inside knowledge, perhaps by a VAR who maintains the CCTV - They usually use the same login/password information for every individual camera which makes it too easy to just log in directly to the camera via IP and kill it.
Or if you're going to post a shallow dismissal, at least say something interesting about why you're dismissing, unlike your comment which literally adds nothing to the conversation and doesn't educate anyone who doesn't already know what led you to your opinion.
Drawing attention to the fact that people choose the absolute most vulnerable possible equipment and then express shock when it's exploited is hardly a shallow dismissal. Is your complaint that the GP wasn't sufficiently verbose for your tastes? What's the minimum word count required to call bullshit?
No not to do with the length. They were responding to someone asking how wifi jammers work, and they didn't address the question at all they just criticised anyone who puts themselves in a situation where wifi jamming affects their security setup. Which may be a reasonable opinion, but didn't, in my opinion*, address the question they were replying to nor did it add anything to the conversation generally as it didn't give any explanation - meaning readers either already agree and think "that sentence sums up my views" or they don't already think that in which case the sentence does nothing to change their mind.
* But I'm not god, nor am I perfection personified, you're very welcome to disagree with my opinion. (Though to be completely honest I am a bit surprised that two people replied disagreeing with me, I'd expected my view that the comment didn't belong on this site wouldn't be controversial, so maybe my judgement is off in this case. But I've not been convinced to change my mind.)
How do these work? (I made this account to ask this)