This reminds me of the WPS reaver attack, which is a complete facepalm from an implementation perspective. Only 11,000 possible combinations, and trying 1 key every other second would net you the WPA password in < ~5 hours.
"In 2011, a security researcher named Stefan Viehböck discovered a flaw in this implementation. The concept he introduced was based on the following facts:
Out of the 8 digits of the PIN, the last digit is a checksum, which leaves 7 digits to guess. The PIN is validated by dividing it into 2 halves. So first half leaves 10^4 = 10,000 guesses & 2nd half leaves 10^3 = 1000 guesses. So a total of 11000 guesses only, where it should be 10^8 = 100000000 guesses."
Best of all, WPS was enabled by default on most access points and there was no delay on retries.
What makes it even worse is this happened after the whole WEP debacle. You'd think the Wi-Fi Alliance would do some security auditing, but they were obviously more focused on collecting certification fees.
Eh yeah, you shouldn't use WPA2 as your sole defence against data exfiltration. Nice way to drive traffic to your website though..
The underlying work here is good and interesting. If companies are going to hype bugs, let it be for stuff like this!
Tell that to the hard working folks that define the standard, I'm sure they'll appreciate it..
Like any such metric, CVSS is far from perfect, however, in the real world you are sometimes called upon to express things in a quantitative manner even if they are better expressed in a qualitative manner, for instance when you need to justify security spending in a corporate environment, or in the context of compliance reporting. Do you know of a better tool/standard?
> If companies are going to hype bugs, let it be for stuff like this!
That's a bit like crying wolf though, isn't it? It desensitises people to actual issues and takes focus and funds away from them. This kind of fear-based marketing might be useful if your goal is to suck a naive client dry for a year or so; if you are actually trying to make the world a safer place it does more harm than good.
An attacker can trigger a disassociation between the device and the access point. The disassociation causes the device to zero its temporary encryption key called the TK (transient key), which is the key used to encrypt traffic between the device and the access point. Unfortunately, some data frames still on the device could then be encrypted with this zero key and sent anyway. Because the key is known to be zero, the attacker can decrypt these few data frames (a couple of kilobytes) trivially. Since the attacker can trigger this at will, they can leak an unbounded amount of data.
It's essentially a race condition in hardware between clearing keys and finishing sending off the last few packets inside the transmission buffer. Nasty!
This is going to require you to patch your firmware.
Edit to add: this vulnerability essentially upgrades a class of well-known DoS attacks against WiFi networks to potential data exfiltration. On the other hand I feel like intentionally exploiting this combination for data exfiltration by actively causing disassociations is not exactly a practical attack, because you are going to cause significant disruption to operation of the network, i.e. the target users are just going to give up and complain that the network is broken.
edit: I can't reply to the comment below about iOS updates because the comment is dead, but I just would like to interject that iOS and macOS updates can, and sometimes do, contain firmware updates for hardware. The release notes for the macOS update that contains the fix don't specify if the fix is in firmware or software, but I suspect it is in the former.
Also, the boundaries between firmware, hardware and (driver) software are pretty murky as far as Wi-Fi drivers are concerned: I remember reading that many FullMAC devices contain their own firmware in a ROM and have some room in on-chip RAM for patches (but not an entirely new firmware image!). These patches can be uploaded at device initialisation time and are contained in the device driver.
This is similar conceptually to microcode, both in that such updates are not persistent (i.e. have to be applied again after every boot) and optional (compared to a mandatory firmware blob upload, you won't notice if your driver is outdated or simply not installing updates for a known vulnerability).
> Also, the boundaries between firmware, hardware and (driver) software are pretty murky as far as Wi-Fi drivers are concerned
Yeah, this is why I ask if it can be fixed via software. I've been utterly surprised at the number of bugs that exist in firmware but can be mitigated on the seemingly software side of things.
I have a device that used the brcmfmac driver on Linux until today, and am hoping I won't have to shelve it forever.