|
| ▲ | eqvinox 3 hours ago | parent | next [-] |
| It's not a big deal because the Ars Technica summarisation is wrong. You can (and enterprise controllers do in fact) tie IPs and MACs to association IDs (8bit number per client+BSS) and thus prevent this kind of spoofing. I haven't had time to read the paper yet to check what it says on this. Also client isolation is not considered "needed" in home/SOHO networks because this kind of attack is kinda assumed out of scope; it's not even tried to address this. "If you give people access to your wifi, they can fuck with your wifi devices." This should probably be communicated more clearly, but any claims on this attack re. home networks are junk. |
| |
| ▲ | supernetworks 2 hours ago | parent [-] | | This is mostly accurate; to clarify, the association IDs tie into what VLANs will be assigned and that does block all of the injection/MITM attacks. This also assumes that the VLAN segments are truly isolated from one another, as in they do not route traffic between each other by default including for broadcast and multicast traffic. However client isolation should be a tool people have at their disposal. Consider the need for people to buy cloud IOT devices and throw them on a guest network (https://arstechnica.com/security/2024/09/massive-china-state...). It's also about keeping web-browsers away from these devices during regular use, because there are paths for malicious web pages to break into IOT devices. | | |
| ▲ | eqvinox an hour ago | parent [-] | | What exactly a VLAN is (or rather, properly: broadcast domain) gets kinda fuzzy in enterprise controller-based wifi setups… and client isolation isn't really different from what some switches sell as "Private VLAN" (but terminology is extremely ambiguous and overloaded in this area, that term can mean entirely different things across vendors or even product lines). What exact security guarantees you get really depends on the sum total of the setup, especially if the wireless controller isn't also the IP router, or you do local exit (as opposed to haul-all-to-controller). | | |
| ▲ | supernetworks an hour ago | parent [-] | | Yep, unfortunately fuzzy. For enterprise wifi deployments, one amusing thing to do when configuring 802.1X is to test ARP spoofing the upstream radius server after associating, and self-authenticate. It might be interesting to go and apply some of the sneaky packet injection mechanisms in this paper actually to try to bypass ARP spoofing defenses. |
|
|
|
|
| ▲ | john_strinlai 3 hours ago | parent | prev | next [-] |
| you are definitely correct that it is potentially a big deal because it breaks expectation around network segmentation and isolation; however, most people will read "breaks wi-fi encryption" and assume that it means that someone can launch this attack while wardriving, which they can't. |
| |
| ▲ | ProllyInfamous 3 hours ago | parent [-] | |
>assume that it means that someone can launch this attack while wardriving, which they can't.

As a former wardriver (¡WEPlol!), it only makes this more difficult. In my US city every home/business has a fiber/copper switch, usually outside. A screwdriver and you're in. Granted, this now becomes a physical attack (only for initial access) — but still viable.

----

>the next step is to put [AirSnitch] into historical context and assess how big a threat it poses in the real world. In some respects, it resembles the 2007 PTW attack ... that completely and immediately broke WEP, leaving Wi-Fi users everywhere with no means to protect themselves against nearby adversaries. For now, client isolation is similarly defeated—almost completely and overnight—with no immediate remedy available.

----

I think the article's main point is that so many places have similarly-such-unsecured plug-in points. Perhaps even a user was authorized for one WiFi network segment, and is already "in" — bless this digital mess! | | |
| ▲ | tmp10423288442 an hour ago | parent | next [-] | | You have a modem that you can attach to those switches? They’re completely unauthenticated? | | |
| ▲ | ProllyInfamous an hour ago | parent [-] | |
Both, yes. Physical hardware isolation.

----

As a funny personal anecdote, my brother is a state judge. His most personal thoughts & correspondence are crafted upon typewriters (mine as well). He isn't officially allowed to just use any phone/computer/network. He is a "high value target" [0]. My personal attorney still doesn't use "the cloud" for client documents (which is respectable) — has local servers, mostly offline. No typewriter, though =P

----

I'm just an electrician.

[0] Does it bother anybody else that Pam Bondi has reports specifically of which documents each congressman reviewed (photographed by AP, during recent testimony)? |
| |
|
|
|
| ▲ | _bernd an hour ago | parent | prev | next [-] |
| In addition to eqvinox (hey again):
In enterprise networks you should rely on 802.1x; what's also a valid use case is the use of IPsec to ensure the local client connection is "safe". |
| |
|
| ▲ | athrowaway3z 3 hours ago | parent | prev | next [-] |
| Meh. The computers that:
- must not be accessible because their services don't use authentication/encryption
- and share a wifi with potential attackers

is just not that large. They exist, but the vast majority runs in places that don't care about security all that much. This should be a signal to fix the two things I mention, not to improve their wifi/firewall security. |
|
| ▲ | jeffbee 3 hours ago | parent | prev [-] |
| Anyone who relies on client isolation was just waiting to get pwned anyway. |
| |
| ▲ | ProllyInfamous an hour ago | parent [-] | | This is effectively victim blaming. Most of us are just users. Even corporate users (relying upon other contractors' default configurations). Is it grandma's fault that her ISP-issued router came with vulnerabilities exposing mammy's entire digital life? On a massive scale, this is a huge security disclosure of the hardware-level. —justbee |
|