[HN Gopher] Security researcher found Wi-Fi vulnerabilities that...
___________________________________________________________________
Security researcher found Wi-Fi vulnerabilities that existed since
the beginning
Author : teleforce
Score : 181 points
Date : 2021-05-13 09:33 UTC (13 hours ago)
(HTM) web link (www.theverge.com)
| kordlessagain wrote:
| Is this caused by me building my own auth system?
| dspillett wrote:
| _> the design flaws are hard to abuse because..._
|
| This is good.
|
| _> in practice the biggest concern are the programming mistakes
| in Wi-Fi products since several of them are trivial to exploit._
|
| Any indication which devices are known to be affected? None of
| the pages I've read so far give that information. Though it could
| be that this information is subject to "responsible disclosure"
| and won't be released until manufacturers have had a reasonable
| amount of time to release patches.
| walterbell wrote:
| All devices are affected; that's why there was a 9-month
| embargo for Linux. Some vendor devices were silently patched
| during that period.
| est31 wrote:
| Dupe: https://news.ycombinator.com/item?id=27121918
| dmix wrote:
| 95% of the internet traffic is now TLS according to Google:
|
| https://transparencyreport.google.com/https/overview?hl=en
|
| Most of the most severe attacks require HTTP and physical
| proximity. So we're fortunate for the huge drive towards HTTPS
| since Snowden's 2013 releases, when it was around ~55% (I've seen
| the rise in numbers correlated before).
|
| But it also recommends upgrading your router. I wonder how many
| routers and IoT device companies are actually releasing firmware
| updates. And quality ones at that...
| commandlinefan wrote:
| > the most severe attacks require HTTP
|
| Well, for the services that use HTTP, anyway - there's still a
| lot of non-HTTP traffic out there like SMTP and DNS. Devices
| still use SNMP, too, and often connect over wifi.
| huachimingo wrote:
| Like with every old phone: they will not patch it. Then they
| will tell you to buy a new one or a similar but new model.
| fpgaminer wrote:
| Once someone is on your LAN, HTTPS isn't the end-all-be-all
| protection. If, for example, a website hasn't enabled HSTS, or
| they have but they don't have HSTS preload and the user hasn't
| visited them before.
| BeefWellington wrote:
| TLS is useful and should be the default for everything;
| However, it is not the protection everyone seems to assume it
| is for several reasons:
|
| 1. Users generally still click "Accept & Continue" when they
| see certificate warnings.
|
| 2. A given app can easily disable certificate validation and
| blindly trust the other end. For web browsers, great they do it
| well. Other applications often disable certificate validation
| altogether. Plenty of mobile apps I've seen fail to do proper
| certificate validation, though thankfully it is becoming less
| common thanks to vendor platforms removing the option to be
| horribly insecure.
|
| 3. An attacker can still see which domain names and/or
| hostnames you're accessing.
|
| The simplest useful thing I could think of with this might be
| finding a given WiFi network's IP on the Internet, in those
| circumstances where the hardware permits you to create your own
| frames.
| tialaramex wrote:
| > 1. Users generally still click "Accept & Continue" when
| they see certificate warnings.
|
| In Firefox HSTS blocks this entirely. There is no "Accept"
| option at all. In Chrome HSTS means the only way to "accept
| and continue" is to type whatever the current magic bypass
| phrase is, the ordinary "accept and continue" option isn't
| there.
| grishka wrote:
| And even without HSTS, most web browsers bury the option to
| continue deep enough that for most users it could as well
| not exist. In Chrome you have to click "details" and there
| will be a tiny link to "continue anyway".
| 0xbadcafebee wrote:
| This is a vulnerability more than a benefit. If you
| _need_ to access a website and can't because of ominous
| errors, most users will simply try a different device. If
| the user always browses a specific site on their desktop,
| and the desktop hits an HSTS warning, the user will
| immediately try it on their phone, which has never
| visited the site, and thus has no HSTS record, and will
| then click through any certificate warning. As far as the
| user is concerned, the website or their internet
| connection (or both) are just screwed up.
|
| Web browsers have never taken any of this seriously.
| Their hilariously poor UX around errors and warnings,
| their half-baked mitigation schemes, their reluctance to
| figure out new industry solutions for extremely common
| problems like _setting up a wireless access point_, etc.
| toast0 wrote:
| If you (as a site owner) care about HSTS, you'll likely
| get your site included in the preload list, which closes
| the other device loophole for the most part. (There
| certainly are some devices with browsers that don't get
| updates and/or don't do HSTS preload, but can't fix
| everyone).
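Added example (not code from the thread or from any browser project) modelling the gap fpgaminer, 0xbadcafebee and toast0 describe: HSTS learned from a header only protects a device that has already visited the site over HTTPS, while the preload list covers a device that never has. Hostnames and header values are constructed; the preload eligibility check follows the published hstspreload.org requirements.

```python
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # minimum max-age (seconds) required for preload submission


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a directive dict (RFC 6797 syntax)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_eligible(header):
    """True if the header meets the preload list's rules: max-age >= 1 year,
    includeSubDomains and preload both present."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d


@dataclass
class Browser:
    """Toy model of one device's HSTS state (constructed for this example)."""
    preload_list: set                              # baked in at build time
    known_hsts: set = field(default_factory=set)   # learned from earlier HTTPS visits

    def record_response(self, host, hsts_header):
        """Apply a header received over HTTPS; max-age=0 clears the entry."""
        d = parse_hsts(hsts_header or "")
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            return
        if max_age > 0:
            self.known_hsts.add(host)
        else:
            self.known_hsts.discard(host)

    def upgrades_http(self, host):
        """Would a plain http:// navigation to host be rewritten to https://?"""
        return host in self.preload_list or host in self.known_hsts

    def allows_cert_click_through(self, host):
        """HSTS hosts get a hard failure with no 'proceed anyway' option."""
        return not self.upgrades_http(host)
```

A desktop that has visited the site carries the entry; a phone that never has will still upgrade only if the host is on the preload list.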
| 0xbadcafebee wrote:
| The preload list is another crap web browser mitigation.
|
| _"Hey, we have this problem with our browsers where the
| security is trivially defeated a number of ways. What are
| we gonna do about it? ......... I got it! We'll make
| extra security optional!"_
|
| As a regular web user, I should be able to _know_ if the
| site I'm using is secure from MITM. But that's basically
| unknowable, because for any given site you're on, there
| may be a half dozen different kinds of duct tape
| implemented in different ways. I just have to hope nobody
| wants to hack me. All the mitigations might as well not
| exist.
| foobarbecue wrote:
| thisisunsafe...
| Wowfunhappy wrote:
| > Users generally still click "Accept & Continue" when they
| see certificate warnings.
|
| I am one of these users. _However,_ that doesn't mean the
| warning isn't useful--it puts me on high alert that something
| may be wrong, that I shouldn't trust any information on the
| site and I shouldn't enter any important information onto the
| site.
|
| I am of course also more technically inclined than the
| average user, and so I don't know that this applies to
| everyone. Even so, I wonder if the metric necessarily means
| what it initially seems to mean.
| Bulpi wrote:
| I'm already disagreeing with your main point 1)
|
| My parents don't know how to do this and would call me and
| stop trying to 'solve it'
|
| Chrome and Firefox are quite visual in this regard.
| petjuh wrote:
| And the drive to HTTPS was initiated by "evil" Google (like
| free email with >2GB which was unheard of at the time).
| JohnWhigham wrote:
| Companies always act in their best interests. Occasionally
| those interests will align with those of the end users.
| haukem wrote:
| More usage of HTTPS helps Google's business.
|
| 1.) ISPs cannot change the content of websites their users
| are watching to modify or add additional advertisements.
| Companies have to buy advertisements at Google.
|
| 2.) It is harder for ISPs to analyze the web traffic of
| their customers to build profiles which they can sell. Only
| Google has this information.
|
| 3.) When people feel safer on the Internet they buy more
| stuff on the Internet. Businesses will buy more
| advertisements on the Internet, probably at Google.
| Fnoord wrote:
| > like free email with >2GB which was unheard of at the time
|
| If it's free, you're the product. Yet people don't know. Call
| me old fashioned but I'd rather pay for my e-mail services.
| tialaramex wrote:
| > If it's free, you're the product.
|
| I'm not sure this is even useful as a rule of thumb, let
| alone generally true.
|
| Let's Encrypt certificates and Debian are both "free" in
| the sense you mean, are you somehow "the product" for
| those?
|
| Everywhere I'm aware of in the world, COVID-19 vaccines are
| free, are you "the product" when immunised against a deadly
| disease? How so?
|
| Air is free, am I the product for like... trees? How does
| this work?
|
| And in contrast it's pretty clear that many expensive
| things Americans buy treat them as the product anyway,
| because it's free revenue. So the rule of thumb doesn't
| even help you to avoid being scammed, it just means you're
| more willing to pay for the chance.
| toast0 wrote:
| > Everywhere I'm aware of in the world, COVID-19 vaccines
| are free, are you "the product" when immunised against a
| deadly disease? How so?
|
| The people making the vaccines are getting paid, although
| the vaccine is the product. The people sticking the
| vaccine in my arm are getting paid, my arm is the
| product. (Sort of)
|
| The US government is compelling insurance companies to
| pay for it, and paying for it in absence of insurance,
| because excess death is a drag on the economy.
| officeplant wrote:
| >I'm not sure this is even useful as a rule of thumb, let
| alone generally true.
|
| Because free is a limited word. Which is why we have free
| as in beer / free as in freedom / libre vs free, the list
| goes on and on.
|
| "If it's free, you're the product" is a perfectly fine
| statement to help average folks navigate the modern tech
| consumer world outside of opensource efforts.
|
| >Everywhere I'm aware of in the world, COVID-19 vaccines
| are free, are you "the product" when immunised against a
| deadly disease? How so?
|
| For this you do actually provide data back to the
| providers of the vaccine (depending on country and
| agreements signed of course). Most of the free vaccine
| sites near me (USA) have a lot of obvious data collection
| along with the provided vaccine which I'm fine with.
| KMnO4 wrote:
| > Yet people don't know.
|
| I'm not sure that's true. Many people know and simply don't
| care.
|
| Using hypothetical _me_ as an example, why does it matter
| to _me_ that Google can read my emails? Why does it matter
| to _me_ that Google is improving their searches by tracking
| my activity? _I've_ got nothing to hide.
|
| And before you say "I've got nothing to hide" isn't a good
| reason to give up privacy and freedom... well that fight
| isn't here on HN. It's a fight with the hundreds of
| millions of privacy apathetic people who are winning the
| fight by a landslide.
|
| We can hate on FANG as much as we want, but if 2/3 of the
| population can validate their business model, does it even
| matter?
| sharot4 wrote:
| I think that most people implicitly assume that their
| communications are private.
|
| Mass surveillance is an open secret that is easier on the
| senses to ignore.
|
| Ignorance can be combatted with information. But now
| there's a "war on information" with companies like
| facebook (in true comedic fashion) being the arbiter of
| "truth". Facebook, one of the biggest players in the mass
| surveillance game.
|
| The business model is validated because of ignorance.
| Most people have no idea what pixel tags are, for
| instance, yet the web is oozing with them. When given the
| option, people prefer not to be surveilled. It is more or
| less inhuman to want to be watched surreptitiously. We
| call that stalking.
| alisonkisk wrote:
| If you have an idea to communicate, try to make it without
| burying it in sarcasm.
| tialaramex wrote:
| Those figures are for _Google's_ services, so all those
| services can do TLS, but some of the clients don't.
|
| However the step change for HTTPS over the wider web is mostly
| a bunch of related mutually enabling changes:
|
| * Let's Encrypt launches
|
| * Google slightly penalizes plaintext HTTP in search
|
| * Browsers (Chrome, Safari, Firefox at least) stop offering new
| features outside Secure Context (so HTTPS for public sites) and
| begin deprecating or reducing scope of some older features
| outside that context.
|
| On smaller sites, also don't underestimate:
|
| * Prevalence of browsers/devices without SNI falls a lot so...
|
| * Many bulk hosting sites begin offering cheap or free HTTPS
| virtual hosting, with SNI, where previously they only offered
| IP hosting for HTTPS at higher prices.
|
| In 2005 if I wanted my new one-joke web site to have HTTPS
| that's a bunch of _extra_ money, for one corny joke, it's not
| worth it. Today, it's zero extra effort, if I make a new site
| it has HTTPS by default of course. If I see somebody whose host
| is trying to charge them money for this, these days it's rarely
| worth chipping in "You are being ripped off" because somebody
| else will be typing that already.
| Dinux wrote:
| This particular attack seems difficult in practice. Reassembled
| fragments still need to yield a checksum-valid frame. With TLS
| becoming the norm most laptop/mobile/server communication
| channels will not be affected.
|
| As mentioned in the paper, the problem is indeed that MCUs have
| become so cheap that every $7 light bulb is equipped with WiFi.
| The firmware on these devices is almost never updated after
| production. And even on devices that _are_ being updated, like
| philips hue, it's often found that WiFi chipsets run their own
| firmware.
| AnotherGoodName wrote:
| >Reassembled fragments still need to yield a checksum-valid
| frame.
|
| For a 32-bit checksum changing data will give you a 1 in
| 4,294,967,296 chance of being correct. So just keep bit
| twiddling some unimportant portion of the frame until you
| obtain a valid checksum. 4,294,967,296 is not a large number
| for a modern computer.
|
| These frame checksums are only intended for accidental bit
| flips. They aren't protection against someone creating fake
| frames with valid checksums.
| bruce343434 wrote:
| What is an MCU?
| Dinux wrote:
| https://en.m.wikipedia.org/wiki/Microcontroller
| sdfhbdf wrote:
| This is the website with the actual vulnerabilities:
|
| https://www.fragattacks.com
___________________________________________________________________
(page generated 2021-05-13 23:01 UTC)