That guest SSID you set up for your neighbors may not be as secure as you think
-
@dangoodin Can someone please translate this quote into something meaningful?
"Our research physically wiretaps the wire altogether so these sophisticated attacks will work."
-
@dangoodin I feel like VLANs are really just the solution here?
That's what I was planning on setting up at my home network in any case for IoT devices
-
@dangoodin@infosec.exchange vlan tho
-
@0x76 @dangoodin I mean, I think the interesting piece is client isolation is weird, nonstandard and shouldn’t be relied on by itself.
Adding VLANs adds additional layers of complexity. An attacker could still attempt VLAN Tagging packets.
This could legitimately change a lot of network threat models. Many network issues/vulns have probably been downgraded in severity on the basis of “this doesn’t matter because Client Isolation exists”.
-
@morattisec @dangoodin yeah I'm definitely surprised even enterprise gear doesn't have more robust client isolation.
-
@0x76 @dangoodin True. A problem you can’t just throw money at to upgrade something is worse.
Research like this is also rough because it’s entirely possible the response is just that hardware vendors do a PR response unless they get a lot of flak they can’t dodge.
Cynically, I could see vendors saying, “what we’ve done is put VRAM on our newer switch and APs, and now frames/packets are dropped via AI model”. Then selling that to all the companies with a budget and leaving consumer-grade equipment saddled with needing defense-in-depth because “legacy” Client Isolation is now considered best effort.
IMO, the money from fixing consumer protections isn’t going to be seen as worth it unless the fix is incredibly simple to dev and roll out retroactively.
-
@morattisec @dangoodin yeah I'd see them quicker pull the feature entirely than some kind of proper fix. Do think it would be good if some kind of standard could be developed for client isolation in future, but that's likely far in the future
-
@0x76 @dangoodin I think the WiFi 8 spec is coming soon? Maybe the body for that might be able to at least add something into the spec (if it exists)
-
@morattisec @dangoodin would be curious to see if there's anything there, if not, how these things work will probably be a 9 thing