
WiFi deauthentication attacks and home security - edward
https://mjg59.dreamwidth.org/53968.html
======
punnerud
In Norway/Oslo there are a lot of people with equipment sending
deauthentication packages, jamming neighbouring equipment, and one of the main
reasons for slow Internet (a lot of jitter). Did some research on this together
with The Norwegian Communications Authority (NKOM) to isolate the problem.

If you want to check for yourself if someone close by is sending
deauthentication packages; fire up a Mac and:

1. Open Wi-Fi-diagnostics and change to 'Sniffer' from the Window-tab

2. Dump 30sec-1min of data. The dump is saved to /var/tmp ending with .pcap

3. Open the .pcap file in WireShark and search for wlan[0] == 0x0C

For all the different WiFi packages to filter for:
[https://www.willhackforsushi.com/papers/80211_Pocket_Referen...](https://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf)

The router Synology RT2600AC is the only one I have found that guards against
deauthentication packages by supporting WPA3 and PMF (encrypt management
frames). iOS 13, Mac OS Catalina and Windows 10 support WPA3 so it comes down
to your router.
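The capture-and-filter procedure above can be automated so that the check runs over a saved .pcap without a GUI. The following is an added example, not code from the original post: it reads a classic pcap whose link type is 105 (raw IEEE 802.11 frames, no radiotap header, which is what a monitor-mode dump with the radiotap header stripped looks like), selects management frames whose first frame-control byte is 0xc0 (version 0, type 0 management, subtype 12 deauthentication, with the subtype in the upper nibble), and flags any transmitter address that sends more than a threshold of them inside a one-second window. The MAC addresses, timestamps and the capture itself are constructed inline; the threshold is an assumption, and a real dump from a busy channel should be inspected before the threshold is tuned.

```python
"""Count 802.11 deauthentication frames per transmitter in a pcap capture.

Added example, not from the original thread. Link type 105 is assumed
(raw 802.11 frames without radiotap); the sample capture is constructed
inline so the script runs offline.
"""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105   # pcap link type: raw 802.11 frames, no radiotap header
DEAUTH_FC0 = 0xC0           # frame-control byte 0 of a deauthentication frame


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def iter_pcap_records(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record of a classic pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_deauth(frame: bytes):
    """Return (addr1, addr2, bssid, reason_code) for a deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0]
    return mac(da), mac(sa), mac(bssid), reason


def find_deauth_floods(pcap: bytes, window_s: float = 1.0, threshold: int = 10) -> dict:
    """Return {transmitter: peak frames per window} for transmitters at or over threshold."""
    times = defaultdict(list)
    for ts, frame in iter_pcap_records(pcap):
        parsed = parse_deauth(frame)
        if parsed:
            times[parsed[1]].append(ts)
    flagged = {}
    for sa, ts_list in times.items():
        ts_list.sort()
        peak, j = 0, 0
        for i, t in enumerate(ts_list):          # sliding window over sorted timestamps
            while ts_list[j] < t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[sa] = peak
    return flagged


# --- constructed sample capture (not real traffic) ---------------------------
AP = bytes.fromhex("02aabbccdd01")    # constructed, locally administered address
STA = bytes.fromhex("021122334401")   # constructed client address


def deauth_frame(reason: int = 3) -> bytes:
    # FC(2) duration(2) addr1 addr2 addr3 seqctl(2) reason(2): 26 bytes, no FCS
    return b"\xc0\x00\x00\x00" + STA + AP + AP + b"\x00\x00" + struct.pack("<H", reason)


def beacon_frame() -> bytes:
    return b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + b"\x00" * 12


def build_sample_pcap() -> bytes:
    """40 deauths in 0.4 s from the AP's address, mixed with 5 ordinary beacons."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    records = [(0.01 * i, deauth_frame()) for i in range(40)]
    records += [(0.1 * i, beacon_frame()) for i in range(5)]
    for ts, fr in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    for sa, peak in find_deauth_floods(build_sample_pcap()).items():
        print(f"{sa}: {peak} deauth frames in one {1.0}s window")
```

To run it over a real dump, replace `build_sample_pcap()` with the bytes of the file written to /var/tmp; if the dump keeps its radiotap header (link type 127), skip the radiotap length field before handing each frame to `parse_deauth`. A legitimate access point also sends deauthentication frames, so the useful signal is the rate and the spread of target addresses, not the mere presence of the subtype.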

~~~
the8472
> by supporting WPA3 and PMF (encrypt management frames).

OpenWRT 19.07 adds wpa3 support and the linux kernel supports 802.11w so
probably many more APs could be secured.

~~~
Avamander
You don't have to have WPA3 to have PMF though. You just have to search more
which APs support 802.11w.

~~~
thw0rted
Just to clarify: the attack depends on reading (unencrypted) management
packets going from the AP to the device, and if PMF is enabled on the AP, it
will only send encrypted management packets so the attack is not possible. Is
that it?
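What the question is getting at can be checked on the air: an access point announces whether it offers Protected Management Frames through two bits of the RSN Capabilities field in its RSN information element (MFPC, capable, and MFPR, required). With 802.11w negotiated, unicast deauthentication and disassociation frames are encrypted under the pairwise key and broadcast ones are integrity-protected, so a forged frame from a third party fails verification and is dropped; both the AP and the client have to support it. The following is an added example, not code from the original thread or from any of the products mentioned: it parses the information elements of a beacon or probe-response body, decodes the RSN element, and reports the PMF status and the AKM suites. The three sample beacons are constructed inline.

```python
"""Report whether an AP advertises Protected Management Frames (802.11w).

Added example, not from the original thread. Decodes the RSN information
element (element ID 48) of a beacon/probe-response body; sample bodies are
constructed inline.
"""
import struct

RSN_IE_ID = 48
OUI_IEEE = b"\x00\x0f\xac"                       # suite selector OUI used by 802.11
AKM_NAMES = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}
MFPR_BIT = 1 << 6                                # RSN Capabilities: PMF required
MFPC_BIT = 1 << 7                                # RSN Capabilities: PMF capable
BEACON_FIXED_LEN = 12                            # timestamp(8) + interval(2) + capability(2)


def iter_ies(ies: bytes):
    """Yield (element_id, element_body) for a run of information elements."""
    off = 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        yield eid, ies[off + 2:off + 2 + length]
        off += 2 + length


def parse_rsn(ie: bytes) -> dict:
    """Decode the RSN element fields a PMF check needs."""
    version = struct.unpack("<H", ie[:2])[0]
    off = 6                                                  # skip version + group cipher suite
    n_pair = struct.unpack("<H", ie[off:off + 2])[0]
    off += 2 + 4 * n_pair                                    # skip pairwise cipher suites
    n_akm = struct.unpack("<H", ie[off:off + 2])[0]
    off += 2
    akms = [ie[off + 4 * i:off + 4 * i + 4] for i in range(n_akm)]
    off += 4 * n_akm
    # RSN Capabilities is optional; an AP that omits it is not offering PMF.
    caps = struct.unpack("<H", ie[off:off + 2])[0] if off + 2 <= len(ie) else 0
    return {
        "version": version,
        "akm": [AKM_NAMES.get(a[3], f"unknown-{a[3]}") for a in akms if a[:3] == OUI_IEEE],
        "mfpc": bool(caps & MFPC_BIT),
        "mfpr": bool(caps & MFPR_BIT),
    }


def pmf_status(frame_body: bytes) -> str:
    """'required', 'optional' or 'none' for the first RSN element in a beacon body."""
    for eid, ie in iter_ies(frame_body[BEACON_FIXED_LEN:]):
        if eid == RSN_IE_ID:
            rsn = parse_rsn(ie)
            if rsn["mfpr"]:
                return "required"
            if rsn["mfpc"]:
                return "optional"
            return "none"
    return "none"                                   # no RSN element: open or WEP network


# --- constructed sample beacons (not real captures) --------------------------
def rsn_ie(akm_type: int, caps: int) -> bytes:
    """Build an RSN element with CCMP group/pairwise ciphers and one AKM suite."""
    body = (struct.pack("<H", 1) + OUI_IEEE + b"\x04"          # version 1, group CCMP-128
            + struct.pack("<H", 1) + OUI_IEEE + b"\x04"        # one pairwise suite: CCMP-128
            + struct.pack("<H", 1) + OUI_IEEE + bytes([akm_type])
            + struct.pack("<H", caps))
    return bytes([RSN_IE_ID, len(body)]) + body


SSID_IE = bytes([0, 4]) + b"home"                   # constructed SSID element
FIXED = b"\x00" * BEACON_FIXED_LEN
BEACON_WPA2_NO_PMF = FIXED + SSID_IE + rsn_ie(2, 0)
BEACON_WPA2_PMF_OPTIONAL = FIXED + SSID_IE + rsn_ie(6, MFPC_BIT)
BEACON_WPA3_PMF_REQUIRED = FIXED + SSID_IE + rsn_ie(8, MFPC_BIT | MFPR_BIT)

if __name__ == "__main__":
    for name, body in [("WPA2, no PMF", BEACON_WPA2_NO_PMF),
                       ("WPA2, PMF optional", BEACON_WPA2_PMF_OPTIONAL),
                       ("WPA3, PMF required", BEACON_WPA3_PMF_REQUIRED)]:
        print(f"{name}: {pmf_status(body)}")
```

Only "required" gives the protection the question describes for every client: with "optional", a client that does not negotiate PMF still accepts unprotected deauthentication frames. On hostapd-based access points (OpenWrt among them) the setting that drives these bits is `ieee80211w` (0 disabled, 1 optional, 2 required), paired with an AKM that supports it such as `WPA-PSK-SHA256` or `SAE`.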

------
gmueckl
I am NOT a lawyer, but I checked how much of what the article describes is
illegal in Germany. The answer is just about everything.

Installing a doorbell with a camera that looks into the hallway is illegal.
You may not record what happens in public spaces on security cameras. And even
inside your home, you still have to ask for consent to make an audio
recording. Otherwise, this constitutes a crime.

Also, sniffing Wifi for data not aimed at you is illegal. The law is quite
broad and covers unencrypted data. Sniffing MACs of devices that don't
communicate with your own network falls under that. Sending deauthentication
packages using those MACs proves the intent to deliberately obtain that data.
This might even result in a prison sentence. Deliberately interfering with the
operation of a Wifi network may also constitute computer sabotage, but the bar
for that is higher.

EDIT: I also forgot: creating the program that is intended to specifically
interfere with the doorbell is also punishable. This is one of the rare cases
where the preparation of a crime constitutes a separate crime in itself. The
same goes for the distribution of such tools.

~~~
looperhacks
You might find it interesting that some German universities [1] actively send
out deauthentication packages to clients that connect to SSIDs that are not on
their internal whitelist to "protect" the clients from "rogue APs".

A lecturer from my Hochschule was fired for protesting this practice.

[1]:
[https://meinehochschulebehindertdaswlan.de/](https://meinehochschulebehindertdaswlan.de/)

~~~
picselated
From a network admin's perspective- this is necessary to protect the integrity
of the air space. It discourages the use of rogue AP's which wreck the channel
utilization for everyone. It's common to find this feature in enterprise wifi
systems. Some actively spoof the SSID of the rogue AP in order to draw the
client back to the institution's network.

~~~
gruez
And what about the people who don't/can't use the institution's network? Why
should the institution be allowed to effectively monopolize the unlicensed
airwaves?

~~~
tzs
If I was in some kind of debate club or moot court or something like that and
got assigned to the side that is supposed to argue for allowing this, I'd probably
look into some kind of property rights approach and make a distinction between
radio waves transiting the property and radio waves that originate on the
property.

The property owner could make not operating an access point on the property a
condition of granting permission to enter the property. Someone who then
operated an access point would be trespassing and they (and their access)
point could be evicted. In other words, the property owner is already allowed
to monopolize those unlicensed airwaves on their property.

If they choose to exercise this monopoly by using technical measures to stop
other access points from working, rather than by physically evicting those
access points, why should that make a difference as long as those technical
measures do not interfere with access points not on their property?

~~~
gruez
>If they choose to exercise this monopoly by using technical measures to stop
other access points from working, rather than by physically evicting those
access points, why should that make a difference as long as those technical
measures do not interfere with access points not on their property?

By the same argument, can I also ban cellphones from my property and set up
cellphone jammers to enforce this ban? You're free to set up arbitrary "rules"
and ban people from your property for it, but that doesn't mean you're
deputized by the government to do whatever you want to enforce those rules.

~~~
im3w1l
Emergency calls are given a lot of special protections, and for this reason,
you cannot.

------
cwingrav
I need help with something much more nefarious. I know of a location in a
downtown area where someone has set up a malicious wifi "thing". I'm guessing
the PWNAGOTCHI since the device changes patterns and comes and goes? It has
learned how to use deauth to do man-in-the-middle attacks and absolutely
closed down wifi in a half block radius by sending RTC packets of 12 second
wait times and also waiting for others to send RTC packets and transmitting
over them. Businesses close to it have no wifi. As you move away, wifi starts
to improve. And no, it's not flooded as there is plenty of open air time not
being used by the many devices there.

Steps taken:

- Have talked to multiple business owners nearby and they can't figure out why their wifi won't work.
- Comcast Business is worthless and weeks of calls by business owners and multiple tickets have led to nothing.
- Have talked to the mayor of the town and their tech guy agrees something is wrong.
- A "smart guy" that works for the government doing security did a quick scan and said it was because one wifi was on a channel between 1 and 6 so the overlap was causing the problem... that wasn't it.
- Have approached university researchers to see if their students would be interested in looking at/for it. No response.
- Have walked with laptop watching signal strength and know roughly which building it is coming from.

From what I understand, there is NOTHING one can do to attack it, other than
sending massive RF interference, which would be a crime in itself.

How the heck does one get rid of this thing? Any suggestions?

~~~
mehrdadn
Confused, it seems you realize this might be a crime, but you've talked to
everyone except the most obvious point of contact—law enforcement. Is there a
reason that's not an option?

~~~
cwingrav
Agreed. But evidence? I've tried to convince the businesses to talk to the
police. But, what the heck do the police/businesses do? How do you prove that
there is a crime? They probably would believe me and would probably knock on
doors and probably get a warrant. Then what? I'm not a professional cyber
security person so how do I prove that device if found is causing damage?

Also, the device is intermittent. I can collect traces, but who do I send them
to?

~~~
pnutjam
I called the police once when I noticed a wifi AP that was MiTM'ing traffic at
the local Kroger. They sent someone out and said it was a misconfigured system
in the Deli.

Guy was real nice and seemed to understand what I was worried about.

~~~
patcheudor
In the US, what law makes it illegal to MitM network traffic using a WiFi evil
twin or other technique? I'm genuinely curious because I was under the
impression there are generally no such statutes and that the only thing that
would be illegal is if the MitM used found credentials.

~~~
sonotathrowaway
Possibly the CFAA?

~~~
patcheudor
The CFAA only applies to protected computers and intrusion into those
computers. Watching network traffic or modifying network traffic in a MitM
position, without using found credentials doesn't seem to rise to the level
of a computer intrusion. Of course, it's unlikely a protected computer is
going to be connecting to a public WiFi AP in the first place..

[https://en.wikipedia.org/wiki/Protected_computer](https://en.wikipedia.org/wiki/Protected_computer)

~~~
mehrdadn
> The only computers, in theory, covered by the CFAA are defined as "protected
> computers".

> In practice, any ordinary computer has come under the jurisdiction of the
> law, including cellphones, due to the interstate nature of most Internet
> communication.

[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#P...](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Protected_computers)

------
l33tman
Seems widespread; sad state of affairs... wonder how many locations suffer
from (mis)configured APs battling each other..

[https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortig...](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-wireless-54/suppress-rogue-ap.htm)

"In addition to monitoring rogue APs, you can actively prevent your users from
connecting to them. When suppression is activated against an AP, the FortiGate
WiFi controller sends deauthentication messages to the rogue AP’s clients,
posing as the rogue AP, and also sends deauthentication messages to the rogue
AP, posing as its clients."

~~~
mattkirman
Rogue APs are generally defined as APs that you don't manage but have been
connected to your wired network. Obviously this could be a significant
security risk. I don't think they're sending deauth messages to every
client/AP they see.

[https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortig...](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-wireless-54/monitor-rogue-ap.htm)

~~~
shawnz
It looks like it allows you to mark any AP as "rogue" even if they're not
detected as "on-wire" despite that not being the purpose of the feature.

------
FartyMcFarter
Did I read the article correctly in that it is possible to disrupt WiFi
networks to make devices disconnect from it, without breaking its encryption?
Wow.

~~~
Nextgrid
Regardless of any encryption, wireless can always be disrupted via jamming.
Even if management frames were encrypted you can still disconnect devices by
jamming the signal.

~~~
rocqua
The power requirements for jamming are much higher. Making it much easier to
detect a jammer, and harder to run one. Also quite a bit more illegal.

Besides, jamming has a much less targeted effect than a de-auth.

~~~
Nextgrid
When talking about home security I doubt the attacker cares much about
legality, and detection requires specialised equipment, by the time it is
brought in the robbery has already been committed and the attacker is long
gone.

------
aledalgrande
I think the title should be changed to something like "how to protect your
privacy with Wifi deauthentication".

Incidentally, I was considering one of these devices as an addition to my home
automation setup, then I realized that it would not be cool to monitor every
person getting out of the elevators on my floor.

~~~
Jnr
I suppose the idea of the article is to resist your neighbours monitoring you
as you come home? That is actually a pretty good idea.

Also, deauth isn't anything new and you don't have to 'hack' anything in
aircrack-ng since all of the tools for this are available out of the box, with
nice configuration to select what has to be included and what excluded from
deauth.

~~~
mjg59
If you want to do this against arbitrary endpoints without knowing the channel
they're on you can't just parse airodump-ng output and pass that to aireplay-
ng - it takes too long. The hack is just to automate this within the same
process.

------
oops
Does deauthing it actually stop it from recording and later uploading?

Wouldn’t the Ring just buffer and send once it rejoined the network?

~~~
pak9rabid
I doubt Ring devices have the local storage to do this.

------
mikorym
> The industry doesn't seem to have learned from this.

I think industries follow the money. If the end user doesn't absolutely demand
security features, then there won't be such features. Typically people who
obsess about security build a product that provides security as a product (vs.
a camera as a product).

The guy who wrote Minix makes this argument (and no, he doesn't dislike Linus
Torvalds): There are solutions to security problems, but you need to be
interested in them in the first place. The military for example is interested
in microkernels because in their case security is critical. Minix I believe is
written more for reliability (e.g.: uptime) and (better) security comes as an
added benefit.

------
aritmo
People send deauth packets just for fun, as part of social networking. While
it is fun for the sender, those that are affected are probably very
annoyed.

[https://pwnagotchi.ai/](https://pwnagotchi.ai/)

~~~
kozak
Just beware that in many jurisdictions using that thing on other people's
devices is punishable by serious jail terms. Sometimes even possession of such
a device.

------
oefrha
> The most interesting one here is the deauthentication frame that access
> points can use to tell clients that they're no longer welcome. These can be
> sent for a variety of reasons, including resource exhaustion or
> authentication failure. And, by default, they're entirely unprotected.
> Anyone can inject such a frame into your network and cause clients to
> believe they're no longer authorised to use the network, at which point
> they'll have to go through a new authentication cycle - and while they're
> doing that, they're not able to send any other packets.

Anyone has background info on why the hell WiFi spec is designed this way?

~~~
cwingrav
A man-in-the-middle attack is what can happen here. Deauth and then the device
tries to reauth. At that point, the attacker can pose as the router and
collect the password hash. The WiFi spec has serious problems.

~~~
Someone1234
WiFi doesn't work the way you're claiming. You can use Deauth to be
obnoxious/DoS but MITM could be accomplished without Deauth (via higher signal
strength + cloned SSID) and WiFi Auth doesn't involve sending a "password
hash" over the air that can be "collected."

WiFi is protected via PSK (pre-shared [encryption] key), public cryptography
(via CA generated key-pairs), or RADIUS. With RADIUS auth you may be able to
harvest the username but the password is used as a PSK which is a shared
secret between the client and RADIUS server. This is a two way check (i.e. the
client confirms the RADIUS backed WiFi AP has the password too). After they
both confirm each other has the password, a different encryption key is used.

There's no WiFi Auth protocol that I know of that involves sending a password
over the air (hashed or otherwise).

~~~
zamadatix
Absolutely false, the PTK is sent over the air and is constructed from a hash
of the PMK, client/ap MAC, and client/AP Nonce. The attack the parent comment
is describing is exactly why WPA3 was made with SAE. One need only capture 2
packets of the initial handshake to start offline cracking by comparing MICs
and then you can decrypt the entire conversation since there was no perfect
forward secrecy in WPA2 and older.

Also what you describe with RADIUS is incorrect as well but there are too many
ways to configure 802.1x and RADIUS to cover all of why in a comment. Overall
it is considered safer than WPA2 though so the conclusion is sound.

~~~
Someone1234
> Absolutely false

Let's first off go back to what I was replying to:

> At that point, the attacker can pose as the router and collect the password
> hash.

By claiming my correction is "absolutely false" you're asserting that the
above statement is "absolutely true." But even your technically unsound
correction doesn't actually address the underlying inaccuracy of the original
statement or why you seemingly believe it is "absolutely true."

It is also pretty clear from your reply that you're attempting to muddy the
waters by conflating the PTK with the PSK or any other "password." The PTK
isn't a password. It isn't like a password, and in order to derive it you need
additional information which you need to attack (which is easier than
attacking the PSK itself, thus WPA3's improvements, but doesn't make the above
statement technically sound or true).

Your post reads like you decided to correct before having any corrections to
actually make then tried to muddy the topic as much as possible in the hope
that others would be fooled. Plus is "collect the password hash" really a hill
worth dying on for WiFi Auth? That's obviously an unsound technical claim,
that isn't how the protocol works at all (and you seemingly must know that
given your knowledge).

> Also what you describe with RADIUS is incorrect as well but there are too
> many ways to configure 802.1x and RADIUS to cover all of why in a comment.

So it is "incorrect" because I simplified it rather than describing the
process in intricate technical detail? And you won't point out why it was
"incorrect" because it is too technically difficult..? K.

~~~
zamadatix
> > At that point, the attacker can pose as the router and collect the
> password hash.

> By claiming my correction is "absolutely false" you're asserting that the
> above statement is "absolutely true."

Correct.

> technically unsound correction

Please explain how.

> It is also pretty clear from your reply that you're attempting to muddy the
> waters by conflating the PTK with the PSK or any other "password."

The PMK is part of the PTK hash. When using a PSK the PSK = the PMK. Not much
to conflate, the PTK is a hash of the password with other variables. Exactly
as I explained.

> in order to derive it you need additional information which you need to
> attack

I already explained how the rest of the information needed to derive the PTK
is sent in the handshake frames.

> Your post reads like...

Please stick to talking about WiFi authentication.

> Plus is "collect the password hash" really a hill worth dying on for WiFi
> Auth?

Prior to WPA3, yes - as explained already.

> So it is "incorrect" because I simplified it rather than describing the
> process in intricate technical detail?

It was incorrect because the password isn't used as a PSK so cracking the PTK
gets you a nonce instead of the user password.

> And you won't point out why it was "incorrect" because it is too technically
> difficult..?

Given we are still trying to agree how the 4 way handshake works and what
parts get hashed in it, yes - it is.

.

[https://www.wifi-professionals.com/2019/01/4-way-handshake](https://www.wifi-professionals.com/2019/01/4-way-handshake)

[https://security.stackexchange.com/questions/66008/how-exact...](https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work)

[https://www.aircrack-ng.org/doku.php?id=cracking_wpa](https://www.aircrack-ng.org/doku.php?id=cracking_wpa)

------
jacquesm
The proper thing to do here would be to call a HOA meeting to decide whether
or not devices like these should be allowed in the common spaces. Typically a
HOA will have pretty strict rules in the articles and household rules about
what you can and can not do in common areas. Another angle is that you may
live in a place where two party consent is required for recording, this is not
a public space ('the street') nor is it a private area (the dwelling of the
owner of the device).

Running this software is likely illegal depending on the jurisdiction might be
anything from a misdemeanor to a crime.

------
zie1ony
Does that mean you can monitor when someone is pushing your neighbors' ring
bell?

~~~
mjg59
You can certainly detect when your neighbour's doorbell is streaming video,
yes.

~~~
AngryData
Interesting, you could use it to turn your neighbors devices into
unintentional motion detection sensors without them ever knowing. You could
use it for foot traffic analysis or something.

------
0x0aff374668
He doesn't describe an attack, he describe literally what 802.11 was designed
to do. An attack is forcing a deauth and then stealing the 4-way handshake
data and, say, cracking WEP. Which is why WEP was decommissioned ... _checks
notes_ ... 15 years ago.

No need to edit aircrack-ng, WireShark does what he did natively (filter out
and set channels), and a good realtek chipset allows you to set the scan
interval so you can cover more channels (which is why the new ALFAs suck).

Also the DTIM and keepalive can be set such that the MCU can sleep while the
phy link maintains a connection without a costly handshake, esp. if using TLS
<1.3 to talk to the cloud. Reconnecting costs a shit ton of energy so they
usually don't disconnect.

Hacking Wi-Fi has become exceptionally more difficult, as noted by the slow
dating of materials at DefCon's WiFi Village over the past 8 years: cracking
WPA2 is basically so hard no one bothers, even in CtF games.

~~~
thw0rted
Denial of service is also a type of attack.

------
instaheat
Does anyone here believe there is now a market for securing the masses against
the obvious gaping security issues associated with these devices?

"Smarter Home Networks" and creating a business around bolstering security on
the slew of IoT devices available today.

------
bscphil
I'm not familiar with these devices. Are they not capable of caching a little
(15 seconds or so) of recorded video (or much more audio) for sending later
when it re-auths with the access point?

~~~
rbritton
Probably, but it would block the alerting feature they highlight in their ads.
That said, I find motion detection alerting to be useless on outdoor-facing
cameras due to vegetation, weather, and wildlife. The false positive rate
makes it annoying.

------
rsync
I've said it before and I'll say it again:

20+ years ago when I was a Windows sysadmin, you could immediately discern the
technological savviness and technological _maturity_ of an individual by
looking at their system tray:

The number of little icons in their system tray was inversely proportional to
their level of this kind of technological maturity.

The system tray of 2019 is connected/smart/cloud devices in ones home.

------
allset_
Depending on where you live, your neighbors recording audio may be illegal and
you should confront them about it
[https://www.southerncaliforniadefenseblog.com/2018/04/do-rin...](https://www.southerncaliforniadefenseblog.com/2018/04/do-ring-doorbell-cameras-violate-wiretapping-laws-pc-632.html)

~~~
joecool1029
Unlikely. Devices installed for security purposes cannot trigger wiretapping
charges since there's no reasonable expectation of privacy in a public place
and no intent to record confidential conversations in the first place.

Either way, it's not a well written post. I'd shred it here but the comments
below it already cover what I would have said.

~~~
bkor
> Devices installed for security purposes cannot trigger wiretapping charges
> since there's no reasonable expectation of privacy in a public place

These ring devices are also installed outside of the US. The law is entirely
different in other countries. A statement as "no reasonable expectation of
privacy": why not? Just because people could record and film you doesn't mean
it's allowed or that it's ok.

For Netherlands: You cannot just have a camera recording the public. Though
there's a bit of leeway, meaning if you have a camera recording your property
it's logical that it'll record a bit of the road. You just have to minimize
that bit. Interestingly enough, police actually encourages the installation of
Ring cameras (so specifically Ring over anything else). It seems you can
install these if it's just in front of your door and property. However, if
they're on a flat (where neighbours need to walk by your door to get to your
door), then you cannot have these.

~~~
AmericanChopper
> For Netherlands: You cannot just have a camera recording the public. Though
> there's a bit of leeway, meaning if you have a camera recording your
> property it's logical that it'll record a bit of the road. You just have to
> minimize that bit.

This is simply not at all true. You can film anything you want in public. I
believe the laws around publishing photographs or films of other people are a
bit more complex though.

~~~
rocqua
Pointing a permanent security camera at a public space as a private person
really is illegal.

This is different from occasionally using a handheld camera.

Because one is surveillance that is meaningfully different from what you could
do just by watching someone, and the other is not (this is my argument, not
sure whether this is the legal argument in NL)

~~~
AmericanChopper
Well that scenario is prohibited by the GDPR (though I’m not sure if different
authorities would have differing views on that). But the statement that you
cannot film public scenes or the people who happen to be in them is simply
false.

~~~
bkor
This article is about a Ring camera and something installed on a door. These
things are static and do not move around. That is what I was referring to.

You could read this as something else, but IMO it was pretty obvious what I
was referring to. And for static cameras I'm entirely correct. For other
cameras there's been various new restrictions for them as well.

Your summary of "cannot film public scenes or the people who happen to be in
them is simply false" for one distorts what I wrote, secondly, if you do this
with a static camera, you will have a problem and your statement is _not_
true. Friends had a "crazy lady" with cameras pointing at public space. It
took a while, but eventually the cameras were removed. Something similar you
can find via Google, plus (work) building security mentions the same.

------
dom96
It's surprising how easy it is to perform a deauth attack, you can also gain
some information just by scanning the airwaves about the devices connected to
a particular router.

I created a little tool as a test of this a while back:
[https://github.com/dom96/deauther](https://github.com/dom96/deauther)

------
stevekemp
If you go to /r/esp8266 there are far too many posts from kiddies asking for
help with their deauther projects.

------
Reventlov
>Finally, none of this is even slightly new. A presentation from Def Con in
2016 covered this, demonstrating that Nest cameras could be blocked in the
same way. The industry doesn't seem to have learned from this.

Well that's a kind of fundamental flaw of Wifi networks, so you're kinda stuck
with this if you use Wifi, nope?

~~~
Piskvorrr
Says in the article "unless you use 802.11w" So, fixable; just not supported
by everything.

~~~
londons_explore
Even 802.11w doesn't fix the fundamental problem... WiFi runs in an unlicensed
band, and anything else in those bands might disrupt it. There is no service
guarantee. You should never rely on it working, especially not for security or
safety.

~~~
mjg59
Anything running over rf is vulnerable to jamming. It's really just a matter
of how much disruption an attacker is willing to cause.

~~~
capableweb
> Anything running over rf is vulnerable to jamming

Yeah, and the same sentence can be changed to "Anything running anywhere is
vulnerable to something" and it's still true. I guess the valuable lessons are
"There is never any service guarantee" and "something will always go wrong"
when you want to build something reliable.

------
nullc
Owner of wired cameras that do not store data in the cloud unaffected.

~~~
superkuh
Yep. Wired is always best. You get (almost) the entire electromagnetic
spectrum to yourself for each device. There's no reason to share a single
spectrum if you don't have to.

