CVE-2022-23088: Exploiting A Heap Overflow In The FreeBSD Wi-Fi Stack
https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack [www.zerodayinitiative.com]
2022-06-16 18:38
tags:
exploit
freebsd
programming
security
wifi
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in April 2022 as FreeBSD-SA-22:07.wifi_meshid. The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
source: L
Wireless is a trap
https://www.benkuhn.net/wireless/ [www.benkuhn.net]
2020-06-15 03:36
tags:
networking
turtles
wifi
I used to be an anti-wire crusader. I hated the clutter of cables, and my tendency to unconsciously chew on them if they got anywhere near my face. But running into bug after tricky wireless bug—mostly while trying to make my video calls work better—I’ve apostasized. The more I’ve learned about wifi, Bluetooth and related protocols, the more I’m convinced that they’re often worse, on net, than wires.
This starts off with the usual, but then there’s some real wtf.
Qt included a component which would poll for networks every 30 seconds whenever a “network access manager” was instantiated, causing pretty much any Qt app using the network to degrade your wifi for ~5 out of every 30 seconds. There were already multiple bug reports for this issue, one of which was declared “closed” by an engineer because they allowed users to use an environment variable to disable the polling.
source: Dfly
Something in the Air
https://www.theatlantic.com/technology/archive/2020/05/great-5g-conspiracy/611317/ [www.theatlantic.com]
2020-05-18 02:37
tags:
article
policy
science
tech
wifi
The coronavirus pandemic is sparking baseless theories about the dangers of 5G. But the fear that wireless technology is slowly killing us isn’t new—and it doesn’t appear to be going away anytime soon.
TEMPEST@Home - Finding Radio Frequency Side Channels
https://duo.com/labs/research/finding-radio-sidechannels [duo.com]
2020-04-27 06:01
tags:
opsec
security
sidechannel
solder
wifi
As the test procedures in the TEMPEST standards are rudely made unavailable to us as they are considered “classified” we have to do the next best thing and make up our own. This article aims to make barely acceptable analogies about how radios work and show that you really don’t need that much in terms of know-how and equipment to find and take advantage of leaky radio signals. Towards the end, we will apply what we have learned to find a signal that can exfiltrate data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away.
EASYCHAIR - CIA covert listening devices
https://www.cryptomuseum.com/covert/bugs/ec/index.htm [www.cryptomuseum.com]
2020-01-15 18:04
tags:
article
hardware
history
opsec
wifi
EASYCHAIR – also written as Easy Chair or EC – was the codename of a super secret research project, initiated by the US Central Intelligence Agency (CIA), aiming to develop covert listening devices (bugs) based on the principle of the Resonant Cavity Microphone – also known as The Great Seal Bug or The Thing – that had been found in 1952 in the study of the US ambassador’s residence in Moscow, hidden in a donated wooden carving of the Great Seal of the United States.
Upon discovery of The Thing, many US agencies – including the CIA – investigated the possibility of using the new – hitherto unknown – technology to their own advantage. The secret research took place in the Netherlands at the Dutch Radar Laboratory (NRP) in Noordwijk.
source: grugq
Wifi deauthentication attacks and home security
https://mjg59.dreamwidth.org/53968.html [mjg59.dreamwidth.org]
2019-12-27 15:21
tags:
ioshit
security
wifi
So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one. I hacked airodump-ng to ignore all clients that didn’t look like a Ring, and then pasted in code from aireplay-ng to send deauthentication packets once it saw one. The problem here is that wifi cards can only be tuned to one frequency at a time, so unless you know the channel your potential target is on, you need to keep jumping between frequencies while looking for a target - and that means a target can potentially shoot off a notification while you’re looking at other frequencies.
e2k19 Hackathon Report: Stefan Sperling on GoT and wireless
https://undeadly.org/cgi?action=article;sid=20191219205600 [undeadly.org]
2019-12-20 03:51
tags:
git
openbsd
update
wifi
Finding the hotel room of a target
https://twitter.com/josephfcox/status/1201628379943964673 [twitter.com]
2019-12-03 04:20
tags:
opsec
tweet
wifi
War dial hotel WiFi login... Room number and last name login.
source: cox
The day when starting a receiver fixed the transmitter
http://rachelbythebay.com/w/2019/11/13/sdrlag/ [rachelbythebay.com]
2019-11-14 16:56
tags:
hardware
investigation
perf
wifi
Have you ever tried to do something, but had it fail and weren’t really sure why? Did you then try to fall back to doing something you could actually measure in order to then get a handle on the problem? I had something like this happen quite a while back with some software defined radio stuff. Here’s how it went.
Fixing up KA9Q-unix, or "neck deep in 30 year old codebases.."
http://adrianchadd.blogspot.com/2019/09/fixing-up-ka9q-unix-or-neck-deep-in-30.html [adrianchadd.blogspot.com]
2019-09-28 19:50
tags:
freebsd
networking
retro
social
wifi
Anyhoo, I’ve finally been mucking around with AX.25 packet radio. I’ve been wanting to do this since I was a teenager and found out about its existence, but back in high school and .. well, until a few years ago really .. I didn’t have my amateur radio licence. But, now I do, and I’ve done a bunch of other stuff with a bunch of other radios. The main stumbling block? All my devices are either Apple products or run FreeBSD - and none of them have useful AX.25 stacks. The main stacks of choice these days run on Linux, Windows or are a full hardware TNC.
The Cold War spy technology which we all use
https://www.bbc.com/news/business-48859331 [www.bbc.com]
2019-08-26 03:54
tags:
history
tech
wifi
KNOB Attack
https://knobattack.com/ [knobattack.com]
2019-08-16 05:00
tags:
crypto
exploit
security
standard
tech
wifi
Paper: https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
We present an attack on the encryption key negotiation protocol of Bluetooth BR/EDR. The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require support for encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. We call our attack Key Negotiation Of Bluetooth (KNOB) attack.
source: green
Dragonblood new results
https://wpa3.mathyvanhoef.com/#new [wpa3.mathyvanhoef.com]
2019-08-05 01:31
tags:
crypto
exploit
security
sidechannel
standard
wifi
August 2019 — During our initial disclosure, the Wi-Fi Alliance privately created security recommendations to mitigate our attacks. In these recommendations, they claim that Brainpool curves are safe to use, at least if products securely implement Dragonfly’s quadratic residue test (i.e. it must be implemented without side-channel leaks). However, we found that using Brainpool curves introduces a second class of side-channel leaks in the Dragonfly handshake of WPA3. In other words, even if the advice of the Wi-Fi Alliance is followed, implementations remain at risk of attacks. This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard. It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.
That last line.
source: solar
g2k19 Hackathon Report: Stefan Sperling on Access Points and Ghosts
http://undeadly.org/cgi?action=article;sid=20190611075252 [undeadly.org]
2019-06-11 15:32
tags:
networking
openbsd
update
wifi
This AP was promptly attacked! But with OpenBSD on both AP and client, I now had a full view of the battle field and made our hackroom’s wifi immune to de-auth attacks. I don’t have enough brain juice to come up with a good heuristic for this, so users need to manually cast a de-auth attack immunity spell by setting the new ‘stayauth’ nwflag with ifconfig(8). Note that this flag needs to be set on clients as well as the AP, because a de-auth army will target them separately.
Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
https://security.googleblog.com/2019/05/titan-keys-update.html [security.googleblog.com]
2019-05-17 14:05
tags:
auth
hardware
security
wifi
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key -- within approximately 30 feet -- to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.
Bluetooth security is... challenging.
Reverse-engineering Broadcom wireless chipsets
https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html [blog.quarkslab.com]
2019-04-17 18:09
tags:
best
exploit
fuzzing
hardware
investigation
networking
security
wifi
In this blog post I provided an account of various activities during my 6 months as an intern at Quarkslab. My project involved understanding the Linux kernel drivers, analyzing Broadcom firmware, reproducing publicly known vulnerabilities, working on an emulator to run portions of firmware, fuzzing and finding 5 vulnerabilities (CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503). Two of those vulnerabilities are present both in the Linux kernel and firmware of affected Broadcom chips. The most common exploitation scenario leads to a remote denial of service. Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.
Very good.
Don’t miss the disclosure timeline at the end.
source: green
Dragonblood - Analysing WPA3's Dragonfly Handshake
https://wpa3.mathyvanhoef.com/ [wpa3.mathyvanhoef.com]
2019-04-12 23:14
tags:
networking
paper
security
sidechannel
wifi
One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it’s near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the network. This allows the adversary to steal sensitive information such as credit cards, passwords, emails, and so on, when the victim uses no extra layer of protection such as HTTPS. Fortunately, we expect that our work and coordination with the Wi-Fi Alliance will allow vendors to mitigate our attacks before WPA3 becomes widespread.
A brief history of Wi-Fi security protocols from “oh my, that’s bad” to WPA3
https://arstechnica.com/gadgets/2019/03/802-eleventy-who-goes-there-wpa3-wi-fi-security-and-what-came-before-it/ [arstechnica.com]
2019-03-11 21:33
tags:
networking
security
wifi
Enjoy our primer on the ups and downs of Wi-Fi protocols since the mid-1990s.
Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/ [embedi.org]
2019-01-19 21:20
tags:
exploit
fuzzing
investigation
security
wifi
With this research, I’m going to answer the question that has had to be answered for quite some time: to what extent is the Marvell WiFi FullMAC SoC (not) secure. Since the wireless devices with the analyzed chip aren’t fully researched by the community yet, they may contain a tremendous volume of unaudited code, which may result in severe security issues swarming devices equipped with WLAN cards.
source: HN
Counting All Cars
https://tedium.co/2018/11/08/electronic-toll-collection-history/ [tedium.co]
2018-11-15 17:33
tags:
article
cars
history
policy
transport
wifi
Pondering the evolution of electronic tolling, the system that doesn’t slow you down even as it charges you to use it. It has roots in the theremin—sorta.
RFID from the great seal bug to your windshield.