With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi

A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims' data as it's sent over a wireless network. Eggheads in China and the US have published details of a security shortcoming in the network processing units (NPUs) in Qualcomm and HiSilicon chips found at the heart of …

  1. sitta_europea Silver badge

    "... Qualcomm was informed of the vulnerability in late 2021 and published an advisory last November."

    They kept quiet for a year?

  2. Adam JC

    Requirements to execute

    "Also, the attacker needs to: be able to directly communicate with the victim's device via the Wi-Fi network"

    So...

    Scenario 1 - An SSID protected by WPA2/3 - They either need to crack the WPA-PSK before getting onto the network in the first place to execute the attack or

    Scenario 2 - 'Guest/Public' WiFi - No WPA2/3 - I can't remember the last time I observed a public/open WiFi network that didn't isolate each wireless client from each other, either via on-AP subnetting or client isolation, so it would be much trickier in practice.

    Sounds like it's not an easy fix though... and once fixed it could have a fairly significant performance impact/overhead.

  3. abend0c4 Silver badge

    This issue resides within the NPU

    It seems to be a feature of wireless hardware of all kinds that it contains an opaque and proprietary binary blob (yes, I know, certification....). That's a problem for trust and for obsolescence.

  4. Anonymous Coward

    2023 and ICMP Redirect attack is still a thing.

  5. sev.monster

    So is this ultimately silicon, firmware, or software? It sounds like firmware but the article doesn't make it very clear.

    1. JT_3K

      It's ultimately low-level chips that are forwarding spoofed traffic without thought. The crux is that the attacker and victim are connected to the same network. The attacker crafts an ICMP redirect packet with source of the router itself and destination of the victim and sends it. The router should immediately know that it can't *receive* a packet that it seemingly crafted and should drop the packet, but the low-level chips running it are simply forwarding the packet to the victim without questioning it. The argument seems to be that "it would take a lot of processing power to check every message so we don't" but in reality, no chip should forward this message as it didn't come from the device itself. Tighter controls around ensuring the sender *is* the sender are probably the fix, although equally controls that define the router has sent packets that it's purported to have sent would also fix this.

      My interest is that it seems to have been proven on "all in one" router/wifi/?modem? networks (where there's no excuse as it operates all sides of the discussion and should know whether it originated these packets), but I wonder what would happen where the router, switch and multiple APs are distinct devices: would for instance a UniFi AP allow such an attack as at a chip-level it can't distinguish this packet came from another user and not from the router it expects to communicate with via a wired interface? What about in a mesh environment?

  6. Anonymous Coward

    Eggheads vs Boffins

    So this twerk was done by "Eggheads in China and the US". Where were the Boffins on this?

    1. mIVQU#~(p,

      Re: Eggheads vs Boffins

      We’re not allowed to say boffins anymore, it’s sexist.

      1. Jamie Jones Silver badge

        Re: Eggheads vs Boffins

        They call the "boffins" further down the article.

        1. Fruit and Nutcase Silver badge

          Re: Eggheads vs Boffins

          You start off with an Egghead, then after incubating them for a while, you end up with a Boffin

          1. Norman Nescio

            Re: Eggheads vs Boffins

            Do they have multicoloured noses and preferentially eat fish?

      2. jgarbo
        Coat

        Re: Eggheads vs Boffins

        But "eggheads" is sexist, since they must be female (coming from a hen).

      3. Roland6 Silver badge

        Re: Eggheads vs Boffins

        Well…

        Egghead is also slang for a bald man…

        It would seem boffin originated from military research.

        Given the earliest reference to boffin seems to have been in the air force, I suspect it is a word play on Backroom boys that resulted in a word that sounded like a bird, which given the air force flies birds… lending the word some parallels with “a patchy server” which became “apache server”.

        [https://wikidiff.com/egghead/boffin?utm_content=cmp-true , https://www.worldwidewords.org/topicalwords/tw-bof1.htm ]

        1. Fruit and Nutcase Silver badge

          Re: Eggheads vs Boffins

          Boffin, nearly bald - Professor Heinz Wolff, ticks all the boxes

          https://www.theregister.com/2017/12/18/heinz_wolff_obituary/

          https://www.heinzwolff.co.uk/

        2. Anonymous Coward

          Re: Eggheads vs Boffins

          I never liked their music, but to each their own.

  7. vtcodger Silver badge

    A caution

    Network folks may be tempted to solve problems like this by turning ICMP off completely. I mean who cares all that much about whether ping works? Unfortunately, there's a drawback. Something called Path MTU Discovery (PMTUD) depends on ICMP in both IPv4 and IPv6. Break PMTUD, and you may end up with something called Blackhole Routing. That sounds bad. And it is. What happens is that small message packets fly through to their destination. Large packets simply disappear. But the symptom people see is that some programs work fine. Others don't. Or maybe some options of some program work fine but others don't. This is not easy to diagnose and is harder to fix since the problem may be on someone else's computer. It's not even all that easy to figure out whose.

    And yes, it really does happen. Back in my working days, I encountered it several times.

    So, if you are tempted to improve your security profile by turning ICMP off, it might be a good idea to read and understand the Wikipedia article https://en.wikipedia.org/wiki/Path_MTU_Discovery. Maybe it's OK to live without ICMP ... and maybe it isn't.
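An added example, not code from the article or from any commenter, that puts two points from this thread into one small inspector: JT_3K's observation that a redirect whose IP source claims to be the router but whose link-layer sender is someone else should never be forwarded, and vtcodger's caution that ICMP cannot simply be switched off because Path MTU Discovery relies on "fragmentation needed" messages. The gateway IP and MAC, the constructed frames and the allow/drop policy are all my assumptions for illustration; none of them come from the article or the advisory it describes.

```python
"""Constructed example: parse Ethernet/IPv4/ICMP frames and apply a selective
ICMP policy. Drops ICMP Redirects (type 5), flagging the ones whose IP source is
the gateway but whose Ethernet sender is not, and keeps the types PMTUD needs.
Every address, MAC and frame below is a constructed sample value."""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4       # code under type 3: "fragmentation needed and DF set"
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11
# Assumed policy: types a host on a single-gateway LAN still needs. Type 3
# carries the "fragmentation needed" messages that Path MTU Discovery depends on.
ALLOWED_TYPES = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED}

# Constructed sample network (documentation address range, locally administered MACs).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = bytes.fromhex("020000000001")
ROGUE_MAC = bytes.fromhex("02000000000b")   # some other host on the same LAN
CLIENT_IP = "192.0.2.10"
CLIENT_MAC = bytes.fromhex("02000000000a")


@dataclass
class IcmpFrame:
    src_mac: bytes
    src_ip: str
    dst_ip: str
    icmp_type: int
    icmp_code: int
    redirect_gateway: Optional[str]   # only meaningful for type 5


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Optional[IcmpFrame]:
    """Parse Ethernet/IPv4/ICMP; return None for non-ICMP or malformed frames."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8 or ip[9] != IPPROTO_ICMP:
        return None
    icmp = ip[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    # For a redirect, bytes 4..8 of the ICMP header hold the suggested new gateway.
    gateway = bytes_to_ip(icmp[4:8]) if icmp_type == ICMP_REDIRECT else None
    return IcmpFrame(src_mac, bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20]),
                     icmp_type, icmp_code, gateway)


def classify(frame: bytes, gateway_ip: str, gateway_mac: bytes) -> str:
    """Verdict for one frame: allow, drop-redirect, drop-spoofed-redirect, drop-other, ignore."""
    f = parse_frame(frame)
    if f is None:
        return "ignore"
    if f.icmp_type == ICMP_REDIRECT:
        # "The sender is the sender" check: the IP header names the gateway, but the
        # frame was delivered by a different link-layer station.
        if f.src_ip == gateway_ip and f.src_mac != gateway_mac:
            return "drop-spoofed-redirect"
        return "drop-redirect"
    if f.icmp_type in ALLOWED_TYPES:
        return "allow"
    return "drop-other"


def build_icmp_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                     icmp_type: int, icmp_code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed test frame; checksums are left zero because classify() never verifies them."""
    icmp = bytes([icmp_type, icmp_code]) + b"\x00\x00" + rest
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + icmp


if __name__ == "__main__":
    spoofed = build_icmp_frame(ROGUE_MAC, CLIENT_MAC, GATEWAY_IP, CLIENT_IP,
                               ICMP_REDIRECT, 1, ip_to_bytes("192.0.2.11"))
    frag_needed = build_icmp_frame(GATEWAY_MAC, CLIENT_MAC, GATEWAY_IP, CLIENT_IP,
                                   ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
    for name, frame in (("spoofed redirect", spoofed), ("frag needed", frag_needed)):
        print(f"{name}: {classify(frame, GATEWAY_IP, GATEWAY_MAC)}")
```

The MAC-versus-IP comparison is the cheap version of the "ensure the sender is the sender" control the thread asks for; in the article's scenario it would have to run on the router's or AP's forwarding path, since that is where the spoofed packet was passed along. On an endpoint, the simpler defence is to refuse redirects outright (on Linux, `net.ipv4.conf.all.accept_redirects=0`), which this policy also does, while the allow-list keeps the "fragmentation needed" and "time exceeded" messages that PMTUD and traceroute depend on.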

    1. Anonymous Coward

      Re: A caution

      Ha, that takes me back, sometime in the mid 80s I had a case where two different Unix boxes could talk to each other fine but FTP broke when files got over about 1400 ish or so bytes :-)

    2. Jamie Jones Silver badge

      Re: A caution

      "Network folks may be tempted to solve problems like this by turning ICMP off completely. "

      If they are, you're being far too kind describing them that way!

      1. sev.monster

        Re: A caution

        Call them what they are: Not work, folks.
