Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?
A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims' encrypted Wi-Fi traffic. The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as …
COMMENTS
Thursday 27th February 2020 11:59 GMT NonSSL-Login
Yet another backdoor in Chinese products to snoop on traffic... oh wait, Broadcom & Cisco are American, must be a bug! /Sarcasm
How useful this could be depends on how well the client OS/software reconnects and re-transmits and how many errors get shown on the desktop I would guess. Repeated warnings vs silent recovery would make a huge difference in whether someone investigates the reconnects or not.
You can make a wifi de-auther using an ESP8266 board which is about the size of a flat finger, but I'm not sure if it is possible to modify that project to read the known-encryption-key traffic afterwards. Something to look into!
Thursday 27th February 2020 01:07 GMT Tom Paine
Unpopular opinion
(Devil's advocacy!)
MitM attacks on unencrypted network traffic do happen, but unless you're the target of a nation state, they're not really worth worrying about.
There, I said it!
Now -- of course -- I've been making myself and the sec dept unpopular for donkey's years by whining on about telnet and FTP to management, just as much as the next grunt in the infosec trenches, but in retrospect the benefit was more about compliance than actual security benefit. (And of course it helps with getting stuff patched, or skipped of its EOL, making at least some token effort to harden configs, etc.)
Thursday 27th February 2020 02:02 GMT diodesign
"MitM attacks on unencrypted network traffic do happen"
This isn't about that at all, so you're more strawman builder than Satan's attorney.
This is about forcing a nearby device to encrypt data with a key you know (0x00000000), and you can snoop on this data over the air to decrypt it.
C.
Thursday 27th February 2020 04:47 GMT Nate Amsden
Re: "MitM attacks on unencrypted network traffic do happen"
Really seems like the poster is implying the concept is similar and the end result is the same: regardless of whether you are using an unencrypted wifi connection or you exploit something that allows you to decrypt the packets, you get the data the same. The likelihood of something like that happening is very low. Probably should be more concerned about connecting to public wifi in general and the infrastructure in place there (the stuff that sees the traffic after it is terminated on the AP with whatever wifi encryption is used, etc).
I go out of my way to avoid public wifi in general, out of just a little paranoia. I'll usually tether to my phone at hotels/etc even if it means a slower experience unless for whatever reason that is completely unusable (signal strength wise). I don't do any media streaming so generally my network data usage is quite low.
Thursday 27th February 2020 10:42 GMT Muscleguy
Re: "MitM attacks on unencrypted network traffic do happen"
Do they need to know the name of your wifi to spew them or will my non broadcasting router still accept the spew despite being hidden?
Most of my neighbours are using bog standard out of the box named equipment which will be much tastier targets than sniffing for our hidden wifi.
Thursday 27th February 2020 11:58 GMT Anonymous Coward
Re: "MitM attacks on unencrypted network traffic do happen"
> Most of my neighbours are using bog standard out of the box named equipment which will be much tastier targets than sniffing for our hidden wifi.
Yeah, the proliferation of WiFi networks starting with "BT" or "Virgin" or "SKY" are dead giveaways.
My visible one is called 'DeadMansHandle'. The hackers can go for that with my blessing. Nothing other than guests use it.
Thursday 27th February 2020 12:18 GMT Peter Gathercole
Re: "MitM attacks on unencrypted network traffic do happen"
Even your hidden ESSIDs for WiFi networks are visible, they just don't broadcast their name.
I use Kismet on Linux to get a picture of the WiFi networks around me, which shows a very alarming situation where I stay when I'm working away from home. There are over 20 networks within range, over both 2.4 and 5GHz bands. Causes significant congestion and connectivity problems when everybody is streaming media in an evening.
WiFi just doesn't appear to be that suitable for large blocks of flats.
Thursday 27th February 2020 21:50 GMT Nick Ryan
Re: "MitM attacks on unencrypted network traffic do happen"
Other than being a fundamental problem with WiFi and sharing the available bandwidth along with the handshaking and cooperation protocols between all functioning devices in a channel... most auto-channel selection algorithms are so braindead that all they do is pick the same channel as every other Access Point in the area. End result? 12 devices on one channel and nothing on any of the others...
Yes, I'm aware that there is often badly behaving non-standard WiFi kit such as doorbells, garage remotes, baby-cams and so on abusing WiFi frequencies but the keenness for auto channel systems to use the same channel as every other device in the area seems to go way beyond such things.
WiFi tends to suck in any congested area - offices, high density housing and so on.
Thursday 27th February 2020 14:44 GMT Nate Amsden
Re: "MitM attacks on unencrypted network traffic do happen"
My home wifi broadcasts. I wanted to disable it but then read that this caused the clients to broadcast, at least when they are not connected. I do have MAC filtering enabled. I know it's not difficult to spoof MACs, but it helps with the casual case of someone trying to connect, on top of an OK password (16 letters, 1 number, 1 special char; the rest is average complexity).
Thursday 27th February 2020 20:03 GMT Roland6
Re: "MitM attacks on unencrypted network traffic do happen"
>Do they need to know the name of your wifi to spew them or will my non broadcasting router still accept the spew despite being hidden?
I see the myth of hidden SSIDs as a security feature still persists. The laugh is that it is even less secure than NAT.
Whilst your home AP doesn't send out its SSID in the usual way, it still does periodically send it out ...
However, the biggest issue, is that instead of your AP sending out the SSID - all your devices have to now constantly broadcast your SSID in an attempt to locate your home network. It is a trivial job to build a listener AP that picks up these requests and then broadcasts the appropriate SSID, in response to which your device will automatically try to connect... Depending on the security and key strength you've used a session can be up and running in minutes...
Personally, the best security mechanism I've determined is to camouflage your bog-standard out-of-the-box router by changing its SSID(s) to something else, eg. Hogwarts (but not your actual address), as then an attacker has to do a MAC address lookup and some guesswork to try and determine which manufacturer's router you might be using and thus what vulnerabilities might exist.
Now when out-and-about your devices will be listening for your SSID and not advertising it.
Obviously, if you use well known public hotspots, you are still vulnerable when out-and-about to people running spoof APs for these services. However, at least they can't use services like Wigle to geolocate where your home AP might be...
Thursday 27th February 2020 21:29 GMT rcxb
Re: "MitM attacks on unencrypted network traffic do happen"
> will my non broadcasting router still accept the spew despite being hidden
It's not "hidden" it's just not "advertising." That means your WiFi isn't broadcasting out its name every few seconds, when otherwise doing nothing. Whenever there's any traffic on your WiFi at all, the SSID is being sent out on every one of those packets, and is trivial to find. Disabling advertisements does nothing but make things harder for the already-inept.
Just go install WiFi Analyzer on your mobile to see all the "hidden" devices in your area.
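As an added illustration of the hidden-SSID point made in the two replies above (this is example code written for this page, not code from the original thread or from any poster), here is a minimal parser for the SSID element of 802.11 beacon, probe request and probe response frames, run over constructed sample frames. A "hidden" AP beacons with a zero-length SSID element (some firmware instead fills the element with NUL bytes), but the SSID still appears in the probe requests a client sends while looking for that network and in the AP's probe response. The MAC addresses, the SSID "Hogwarts" and the SSID "BT-example" are made-up test values.

```python
import struct

# 802.11 frame-control subtype values for management frames (type 0)
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
ELEMENT_SSID = 0  # information element ID for the SSID

# Constructed addresses (locally administered, not real hardware)
AP_HIDDEN = b"\x02\x11\x22\x33\x44\x55"
AP_VISIBLE = b"\x02\x66\x77\x88\x99\xaa"
CLIENT = b"\x02\xaa\xbb\xcc\xdd\xee"
BROADCAST = b"\xff" * 6


def _build_mgmt(subtype, addr1, addr2, addr3, body):
    """Build a minimal 802.11 management frame: 24-byte MAC header + body.
    Constructed test data, not a capture."""
    fc = struct.pack("<H", (0 << 2) | (subtype << 4))  # type=management
    duration = b"\x00\x00"
    seq_ctl = b"\x00\x00"
    return fc + duration + addr1 + addr2 + addr3 + seq_ctl + body


def _elements(*pairs):
    """Encode (tag, value) pairs as 802.11 tagged parameters."""
    return b"".join(struct.pack("BB", tag, len(val)) + val for tag, val in pairs)


def parse_mgmt(frame):
    """Return (subtype, transmitter, addr3/BSSID, ssid) for a management frame.
    ssid is None when there is no SSID element, or it is hidden (zero length
    or all-NUL bytes)."""
    if len(frame) < 24:
        raise ValueError("too short for a management header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    addr2, addr3 = frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]  # skip timestamp(8), beacon interval(2), capability(2)
    elif subtype != SUBTYPE_PROBE_REQ:
        return subtype, addr2, addr3, None
    ssid = None
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        val = body[i + 2:i + 2 + length]
        if len(val) != length:
            break  # truncated element; stop rather than misparse
        if tag == ELEMENT_SSID:
            if length and any(val):
                ssid = val.decode("utf-8", "replace")
            break
        i += 2 + length
    return subtype, addr2, addr3, ssid


def reveal_hidden(frames):
    """Correlate BSSIDs that beacon without an SSID against probe responses
    (transmitter == BSSID) and collect the SSIDs clients ask for in probe requests."""
    hidden, from_resp, client_probes = set(), {}, {}
    for f in frames:
        subtype, addr2, bssid, ssid = parse_mgmt(f)
        if subtype == SUBTYPE_BEACON and ssid is None:
            hidden.add(bssid)
        elif subtype == SUBTYPE_PROBE_RESP and ssid is not None:
            from_resp[addr2] = ssid
        elif subtype == SUBTYPE_PROBE_REQ and ssid is not None:
            client_probes.setdefault(addr2, set()).add(ssid)
    return {b: from_resp.get(b) for b in hidden}, client_probes


# Constructed sample frames
_FIXED = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
_RATES = (1, bytes([0x82, 0x84, 0x8B, 0x96]))
BEACON_HIDDEN = _build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_HIDDEN, AP_HIDDEN,
                            _FIXED + _elements((ELEMENT_SSID, b""), _RATES))
BEACON_VISIBLE = _build_mgmt(SUBTYPE_BEACON, BROADCAST, AP_VISIBLE, AP_VISIBLE,
                             _FIXED + _elements((ELEMENT_SSID, b"BT-example"), _RATES))
PROBE_REQ = _build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST,
                        _elements((ELEMENT_SSID, b"Hogwarts"), _RATES))
PROBE_RESP = _build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, AP_HIDDEN, AP_HIDDEN,
                         _FIXED + _elements((ELEMENT_SSID, b"Hogwarts"), _RATES))
SAMPLE_FRAMES = [BEACON_HIDDEN, BEACON_VISIBLE, PROBE_REQ, PROBE_RESP]

if __name__ == "__main__":
    hidden_aps, probes = reveal_hidden(SAMPLE_FRAMES)
    for bssid, name in hidden_aps.items():
        print("hidden AP", bssid.hex(":"), "-> SSID", name)
    for mac, names in probes.items():
        print("client", mac.hex(":"), "probed for", sorted(names))
```

The example looks only at management frames, because that is where the SSID element lives; data frames identify the network by BSSID. With real captures the same parser can be fed frames from a monitor-mode interface (for instance the raw 802.11 payload from a pcap, with any radiotap header stripped first).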
Thursday 27th February 2020 14:37 GMT Nate Amsden
Re: "MitM attacks on unencrypted network traffic do happen"
True, but even more unlikely. Last I recall there were over 50 SSIDs broadcasting within range of my laptop. I'll add that my home wifi is restricted similarly to a DMZ, with no access to my internal network. I use a nice Asus AP in 'AP' mode which hangs off a port on my OpenBSD firewall, which handles DNS, DHCP, and general network routing.
99.9% of the time my laptop, where I do the bulk of my computing, sits on my desk connected to ethernet. I do make use of a few powerline ethernet adapters that are on my internal network. I feel those are less vulnerable than wifi but not perfect. They have some limited encryption, but more importantly are protected to some degree since the signal has a hard time crossing an electrical breaker. Add the unlikely scenario that there is an attacker and I feel pretty safe. Though the thought has crossed my mind of locking that network segment down more.
I'm sure my setup is overkill; I don't have much if anything worth trying to steal. So the paranoia is not justified. BUT as a systems and network person for over 20 years, it's not difficult to set up and runs without trouble for years at a time.
(Posted from my phone on home wifi about to get out of bed 630am here)
Thursday 27th February 2020 20:35 GMT Roland6
Re: powerline ethernet adapters
>They are radios. Someone nearby can connect without the wiring. The mains provides power and helps the transmission. They'll connect over an air gap if one end is on a generator!
Not seen any real problems with the HomePlug AV2 compatible adaptors (I run one within 12-inches of my HiFi's FM aerial) and connect my HiFi to the mains using the mains pass through socket - I do this just to see for myself the reality of the claims people make...
Although this is the UK and not the US, so this might introduce some important differences.
As for those complaining about noise on their audio system - if your audio system is that good why doesn't it already have at least ferrite collars or a filtering mains adaptor.
The only problem I've seen is that they don't mix well, so best to use plugs from the same vendor and all running the same firmware release. As for security, well as usual don't use the manufacturer's default password/phrase and keep it long!
Friday 28th February 2020 08:06 GMT Mage
Re: powerline ethernet adapters
No, they are radios in the sense that DSL is, just not tested as such. Only the very fastest models will interfere with FM. It's MW & SW they interfere with. In some cases the lighting wires radiate and DSL can suffer interference (same band), but that's rare.
Surge protectors, breakers, UPS units etc rarely cause problems but poorly filtered SMPSUs will stop them working.
At least they are encrypted.
Some get RFI certification by either not connecting to data or testing only unit.
Monday 2nd March 2020 12:59 GMT phuzz
Re: powerline ethernet adapters
Powerline ethernet works great in some buildings, but if your house is more than a hundred years old, then get ready for all sorts of fun. Like finding you have multiple separate loops in the same room, none of which can be used to connect to each other. Or, having to run an ethernet cable between two rooms, to bridge two separate circuits.
(And you're probably trying out powerline ethernet because old houses and wifi often don't work well together)
Thursday 27th February 2020 04:25 GMT doublelayer
Re: Unpopular opinion
As has been pointed out, that's not really at issue here. But also, it's not correct either. Of the various methods of getting attacked, MITMing is lower on the list of concerns, but it doesn't require nation-state level effort, and it doesn't have nation-state limited value. An attacker can set up a WiFi MITM device for relatively cheap. If it works for them, they can hope to grab some passwords, access tokens, or credit card numbers from you. True, at this point we've likely encrypted nearly everything that is that sensitive, but we've done this because at one point we didn't and we realized what a disaster it could be for people to pluck them out of our unencrypted network traffic. Not to mention that there are other things you can do with a functioning MITM system; I've only discussed the possibilities involved in reading network traffic, but sending some unexpected traffic to the user also offers some interesting possibilities, albeit at a higher risk to the attacker.
Thursday 27th February 2020 08:19 GMT Anonymous Coward
A lot of WiFi traffic may be local....
... should people setup VPNs between their mobe and their PC? Or between their PC and their partner? Or their NAS? And that's for home network. Think about company ones, and how big local traffic may be, not all of that encrypted.
There's a lot to capture even in local traffic....
Friday 28th February 2020 03:56 GMT doublelayer
Re: A lot of WiFi traffic may be local....
Well, most web traffic is HTTPS now, and most machine-to-machine protocols in heavy use are encrypted as well with SSH having replaced many more classic ones. But you're correct, a lot of traffic isn't encrypted on a LAN. For that reason, we're usually somewhat protective of who we let onto our LANs. An exploit that lets an unauthenticated user read our traffic is much worse than one that lets others on our LAN read our traffic.
Thursday 27th February 2020 13:04 GMT Anonymous Coward
But...
Having singled out the iPhone (6S and later) as vulnerable, it's a bit disingenuous not to point out that Apple has patched the issue in the latest iOS updates (and ditto for MacOS). Also, it's not just Apple hardware that's affected and much of that isn't subject to such regular patching. Of course, as a vulnerability, it's one of those that exists but is a limited risk to the majority of users.
Thursday 27th February 2020 15:23 GMT James O'Shea
Re: But...
El Reg's attitude towards Apple has got to be so bad that I automatically discount at least 50% of anything bad they say about Apple, and automatically inflate by at least 50% the (rare) good things they say about Apple. El Reg's Apple-bashing has become quite reliable. They're like a certain movie reviewer I read; anything he likes I know that I won't, and anything he hates I know I'll like. When El Reg says something bad about Apple, there's usually a lot that's good which they don't mention. I go and have a look for myself, having been alerted to the possibilities of new features by El Reg's negative coverage. Thanks so much, Vulture Central!
Thursday 27th February 2020 18:10 GMT JohnFen
Problematic WPA2
I stopped allowing non-VPN connections through my home WiFi a number of years ago (except for with the isolated open AP I run), because I don't trust WPA2 to provide anywhere near sufficient protection. There have been a few times that I've been happy that I did this, and this is one of those times.
Thursday 27th February 2020 18:53 GMT whitepines
Proactive security
Our reaction to the not-so-recent forced locking of WiFi device firmware was to treat the entire WiFi network segment (yes, it's a separate physical segment) in each building as hostile. Corporate WiFi (aside from the public encrypted AP, on its own separate network segment attached to the public side of things) gets you DHCP and a VPN server connection, everything else is blocked.
Looks like the fears were in fact justified after all, and the proactive mitigation worked perfectly in the end since we don't have to change anything or disrupt business in any way due to this inevitable vulnerability in the closed source AP firmware. Happy days...