Hi and thanks so much for the valuable research!! I know it has been asked a lot here already, and probably some in-depth reading would help me figure that out by myself. But I’ve noticed that you used Cisco 9130 APs, and noticed only part of the attacks work on those. So I wanted to ask whether you tested those with just IP-based network separation, or also the VLAN-based one? Also, since you’ve mentioned the findings have been communicated to the vendors and the Wi-Fi Alliance alike, may I ask you to maybe share a CVE number here? I (as probably a lot of us here) use some of the hardware mentioned for personal goals/hobby in my home setup, and find it fun to keep that setup reasonably protected for the sake (fun) of it. Much appreciated!
We don't have a CVE number. Whether devices/networks are affected also highly depends on the specific configuration of the device/network. This means that some might interpret some of the identified weaknesses as software flaws, but other weaknesses can also be seen as configuration issues. That's actually what makes some of our findings hard to 'fix': it's easy to say that someone else is responsible for properly ensuring client isolation :) Hence also hard to really assign CVE(s).
One of the main takeaway issues, in my view, is that it's just hard to correctly deploy client isolation in more complex networks. I think it can be done using modern hardware, but it's very tedious. We didn't test with VLAN separation, but using that can definitely help. Enterprise devices also require a high amount of expertise, meaning we might have missed some specialised settings. So I'd recommend testing your Wi-Fi network, and then seeing which settings or routing configurations to change: https://github.com/vanhoefm/airsnitch
I think you could apply specific CVEs to specific devices + setting combination, as:
CVE 1: router brand X software version Y.Z configured with client isolation does not provide sufficient isolation that it cannot be broken with AirSnitch.
CVE 2: router brand A software version B.C configured with client isolation does not provide sufficient isolation that it cannot be broken with AirSnitch.
CVEs are handed out like candy in Java land for artifacts that have code that only opens up a vulnerability when another package is available and the first artifact is misconfigured. So I think you would be fully within your rights to claim a CVE and list all affected versions of devices/firmwares there.
Used one with my Magic Mouse 1, never would have paid upwards of $40 for it. Was quite handy though, to avoid scratching the delicate white plastic, despite it barely fitting. Issey Miyake knit lanyard pocket -- what a joke! Buckle up folks, we're definitely in a bubble.
Same exact experience here and also with the left AirPod. Everything goes well until the AirPods get just a little bit wet or greasy (say, in the rain, after a run, or a few hours into wearing them) — then the seal loosens and I get a painful high-pitched hum when trying to put it back in its place. I wonder how safe that sound is because it's pretty uncomfortable.
The seal also changes with any significant jaw movement (which I also do a lot in-flight normally) — noticeable degradation of noise cancellation, which then goes away (not sure if it's the foam or ANC adjusting).
Tried to use my AirPods Pro 2 earhooks, which partially solved it - although at the cost of that crispy sound. Found it best to just wipe the AirPods dry/gently blow around the grills before adjusting (which makes them unusable for running unless you’re willing to stop all the time).
Such a shame every APP iteration has some noticeable flaw. And especially when they solved a similar problem between the first and the second gen.