So, as I understand it, you 0wn a machine in one organization, then use it to tunnel over to Wi-Fi in the building next door, 0wn another machine there, rinse and repeat until you've created the world's least consensual mesh network?
They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company across the street had a machine that both was accessible by ethernet and wifi and they used that as a bridge.
Conclusions:
1. Anything that doesn't have 2fa is leaking like a sieve.
2. The targeted company needs to implement 2fa for their Wifi as well.
Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because otherwise they could target the cell phones, and like everything else they are leaking, or they are attacking the cell phone base stations.
Final conclusion:
A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.
A separate VPN, with MFA, should be required to access anything.
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.
We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.
Wifi adapters should be disabled via Group Policy for wired devices anyway.
Active Directory?
You are already powned.
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.
Also a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.
It should be a factor (defense in depth) but not the ONLY factor.
> Final conclusion: A network is as strong as the weakest link.
Final conclusion: Do not trust a device just because it happens to be on your local network.
Final, final conclusion: if a computer is networked, consider it and the data on it to be semi-public. Make decisions about what to do and store on that computer with that assumption in mind.
Final, final, final conclusion: Interacting with a computer makes it networked even if you're not intentionally using traditional networking technologies (TEMPEST attacks, arbitrary code execution through direct user input, etc).
Final, final, final, final conclusion: due to the complexity of computers, the only reliable way to achieve a moderate security in a system is to prevent it from being powered on.
The concept of C-I-A addresses this. Confidentiality, Integrity, Availability. If a system is not available for use then all the confidentiality of communications and integrity of data is useless.
Physical access has always been game over. Having a networked computer means your threat model is literally everyone on the planet, which is a much bigger problem than keeping people from physically getting access.
Direct physical access by the attacker isn't strictly necessary (i.e. operation Olympic Games) to "network" a computer you otherwise believe isn't networked. Unless you're bootstrapping from nothing attackers have tons of potential "ins" (firmware, the operating system, application software) to introduce backdoors or side-channels.
I've very nearly reached the point of just assuming all "modern" computers are effectively "networked", even if only by ultra-low bandwidth, exceedingly high-latency unidirectional side channels. Just bringing an "untrusted" computer into proximity of a "trusted" computer (say, having a smartphone in your pocket) might be enough to allow for exfiltration of data from the "trusted" system (assuming there's a side-channel in the "trusted" computer you're unaware of).
Ooh! This is a fascinating approach. I'm still skeptical that this is widespread enough of an issue to warrant the same level of caution as connecting a computer to the Internet, but I'd love to read more about examples of this actually happening in the real world (ie not researchers with full control of the environment) if you have any.
Eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. Basically comes for free with AD and NPS.
'Free' still means you need some expertise in setting it up and running it.
Being able to validate credentials via the public facing website without MFA was a considerable problem as well. Also not locking down accounts after failed attempted logins.
Wifi with 802.1X and certs would have been fine here without MFA.
> A network is as strong as the weakest link.
Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.
The BeyondCorp strategy. It also means that network and endpoints can be off the shelf. Big fan of this strategy.
Yes, and it's already the default in consumer electronics.
That's also why I don't get all the pearl clutching over dodgy unencrypted wifi: if your security relies on your wifi operator being nice, you are doing it wrong.
The main thing encrypting wifi does (or rather should do..) for you is keeping your neighbours from stealing all your bandwidth.
Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.
The goal here was to circumvent 2FA on devices located inside the Org A office.
On-prem systems prompt for 2FA. So the attacker knew a user/password combo, but couldn't leverage it directly because they would have triggered 2FA.
But the 802.1x didn't have 2FA enabled. So using the user/password combo they already had, they just needed to approach the target network over WiFi in order to bypass the 2FA requirement.
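As an added example (not code from this thread or from Volexity), here is detection logic for the chain this post describes: a password obtained by brute force against an internet-facing service that had no MFA and no lockout, then reused for password-only 802.1X Wi-Fi auth from a device that is not in the managed inventory. The log format, usernames, MAC addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs in an invented key=value format (not real product output).
PORTAL_LOG = """\
2024-11-01T09:12:03Z portal user=jdoe src=203.0.113.7 result=FAIL
2024-11-01T09:12:04Z portal user=jdoe src=203.0.113.7 result=FAIL
2024-11-01T09:12:05Z portal user=jdoe src=203.0.113.7 result=FAIL
2024-11-01T09:12:06Z portal user=jdoe src=203.0.113.7 result=FAIL
2024-11-01T09:12:07Z portal user=jdoe src=203.0.113.7 result=FAIL
2024-11-01T09:12:09Z portal user=jdoe src=203.0.113.7 result=OK
2024-11-01T09:30:00Z portal user=asmith src=198.51.100.4 result=OK
"""

RADIUS_LOG = """\
2024-11-01T14:02:11Z radius user=asmith mac=aa:bb:cc:00:00:01 method=PEAP-MSCHAPv2 result=ACCEPT
2024-11-01T23:41:52Z radius user=jdoe mac=de:ad:be:ef:12:34 method=PEAP-MSCHAPv2 result=ACCEPT
2024-11-02T08:10:00Z radius user=jdoe mac=aa:bb:cc:00:00:02 method=EAP-TLS result=ACCEPT
"""

# Constructed inventory of MAC addresses belonging to IT-managed devices.
MANAGED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

FAIL_THRESHOLD = 5    # failures that should have triggered a lockout
WINDOW_SECONDS = 600  # look-back window for counting those failures


def parse(line):
    """Split '<ts> <source> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, source, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["source"] = source
    return rec


def brute_forced_accounts(portal_log):
    """Accounts that logged a success after >= FAIL_THRESHOLD failures within WINDOW_SECONDS."""
    failures = defaultdict(list)
    suspects = set()
    for rec in map(parse, portal_log.splitlines()):
        user = rec["user"]
        if rec["result"] == "FAIL":
            failures[user].append(rec["ts"])
            continue
        recent = [t for t in failures[user]
                  if (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= FAIL_THRESHOLD:
            suspects.add(user)
    return suspects


def suspicious_wifi_auths(radius_log, suspect_users, managed=MANAGED_MACS):
    """Password-only (non-EAP-TLS) Wi-Fi accepts from MACs outside the managed inventory.

    Rated HIGH when the account was already flagged by the portal check: that is the
    chain the thread describes (password obtained online, 2FA sidestepped over Wi-Fi).
    """
    findings = []
    for rec in map(parse, radius_log.splitlines()):
        if rec["result"] != "ACCEPT" or rec["method"] == "EAP-TLS":
            continue  # a client certificate is only issued to managed devices here
        if rec["mac"] in managed:
            continue
        severity = "HIGH" if rec["user"] in suspect_users else "MEDIUM"
        findings.append((severity, rec["user"], rec["mac"], rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    suspects = brute_forced_accounts(PORTAL_LOG)
    for finding in suspicious_wifi_auths(RADIUS_LOG, suspects):
        print(*finding)
```

Moving the SSID to EAP-TLS (as several replies suggest) makes the second check moot, since a password alone no longer gets a client onto the network.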
From thousands of kilometers away, to make attribution/legal issues even more complex.
Why do you type 0wn (zero) instead of own?
I think it nicely demonstrates the difference between "own" (legally and appropriately) and "0wn" taking control by hacking but exerting as much control as "own".
Putting the "hacker" back in Hacker News, I guess
I believe it's pronounced H4x0r.
Excuse me I thought this was business news? I want my zero money back.
m0ney?
They were reaching for the "p" key and hit "0" by mistake.
Adding a serious response in case [0] it's a serious question: "0wn" is a kind of in-joke among hacker/security communities. [1] In particular, it differs from "own" in that it connotes "forcibly taking control of", rather than formal legal ownership. Another version is "pwn" which is marginally newer and more associated with online gaming.
[0] https://xkcd.com/1053/
[1] https://en.wikipedia.org/wiki/Leet
> "0wn" is a kind of in-joke among hacker/security communities.
In my experience, the security community says "pop".
Gives the term "desk pop" a whole new meaning!
Cuz it's k00l
The best is to never get pwned.
Darknet Diaries #151 has an Australian dude explaining a form of this type of attack and how he stole money out of a middle eastern bank for a wealthy client. Maybe it's not exactly the same but it struck me as similar because he uses weak WiFi security as part of the exploit chain as well as hopping between compromised residential networks to obfuscate the origin.
This is a little different. What he was doing is essentially setting up proxies all over the world.
These guys hacked into a machine connected by ethernet with an idle wifi adapter, then used that idle wifi adapter to connect to the wifi of a company nearby.
> These guys hacked into a machine connected by ethernet with an idle wifi adapter
And having an idle wifi adapter like that is common nowadays. For some reason, many desktop PCs intended to stay in a single fixed place come from factory with a built-in wifi card and built-in antennas. You'd think that would make these PCs more expensive, but apparently wifi cards are cheap nowadays?
I worked for an MSP (Managed Service Provider) when the pan hit. A bunch of our clients took their workstations home (CAD designers) and couldn't get online because they had no wifi.
I understand wanting to save a few bucks times dozens of employees, but I always thought my company was fucking stupid for letting them purchase those machines with no backup for if their network card failed. Turned out this was a much worse situation.
All that said, if you aren't using wifi to connect to the network, turn the damn thing off.
> A bunch of our clients took their workstations home (CAD designers) and couldn't get online because they had no wifi.
> I understand wanting to save a few bucks times dozens of employees, but I always thought my company was fucking stupid for letting them purchase those machines with no backup for if their network card failed. Turned out this was a much worse situation.
That's not exactly a difficult situation. Get an external wifi adapter. They're currently $10-$20 on Amazon.
You don't need to invest in exotic preparation for a problem that is so trivial to fix when it arises.
WiFi and Bluetooth are usually provided by the same device, and it makes sense to want Bluetooth on a desktop. So you get WiFi essentially for free if you get Bluetooth.
Anybody else get a feeling it was Volexity that did all this research? Interesting story nonetheless.
77 instances of 'Volexity' on that page. LOL
It seems it would be far easier to just mail the company a raspberry pi, a battery and a GSM module. Address it to someone nonexistent so it doesn't get opened for a few days.
The real news is that the wifi didn't use 2FA like the rest of the system.
This wouldn’t make it through building security. My last large corp x-rayed all packages and would notice a nonexistent recipient immediately.
What proportion of companies do that?
I'm reminded of this defcon talk: https://m.youtube.com/watch?v=qLCE8spVX9Q (What the Fax?) where the nearest neighbor was a multifunction fax/printer and the initial attack was faxing it some updated firmware and telling it to print to memory instead of paper.
Kind of wild they didn’t rotate all the creds after the first, second hacks.
I suspect every organization is as secure as its least secure/capable decision maker.
It's a scary thing as all you have to do is add one decision, one ignorant person and it's bad news.
I've worked in orgs where we made big leaps in security, very proud of our work. Then one ignorant person who had the authority made a decision with no valid benefit to anyone, completely compromised everything.
Seen it time and again.
Not sure if that was the case as far as the credentials went in this situation, but it always seems to be the human element as far as curious choices goes.
What’s wrong with the tried-and-tested technique of flying a guy or girl over there to drop a small gadget in WiFi proximity?
Russia is quite far away to send a plane small enough to fly low over the building and drop a device onto the roof, and I don't think you're allowed to throw things out of an airliner window anyway.
I mean a normal passenger on a normal plane making a normal trip to an office building and finding a hidden location where to tape a small box with an arduino in it. Maybe even on the outside so you can use solar power? Though it only needs to last long enough to compromise a machine inside the network.
This would be nothing new, I remember ages ago in the days of WEP that you could buy a small box that would collect enough handshakes to let you crack the WEP password.
It was pretty easy to do without buying the box if you had a network card you could put into monitor mode. Fun thing was that you only needed one handshake initially, then you could replay it and collect the responses which were each initialized differently.
I've tried the WPA equivalent attack (capture handshake, crack offline...) against targets with physical security that extended beyond their wifi. It was a bit arduous and fiddly and expensive and risky. If I could've compromised a neighbor and gotten the handshakes without traveling for them I'd definitely have preferred that option.
For the length of time this article covered you would need a power source and to not have your box discovered for months. Probably something out on the street isn't going to fulfill both of those requirements so you'd be trying to enter "Enterprise A" which is unlikely given the presumed elevated security profile this article implies (any guesses who?). With what they pulled off the "box" that ended up being used was something already plugged in next door and very much supposed to be there. Seems easier than any physical attack would have been.
Reusing existing digital compromise toolkits on presumably far less hardened targets across the street is far easier than trying to deploy hardware thousands of miles away.
The timeline here for the entire sequence of events is 1-2 weeks.
Or just do some fun hacking that doesn't have you at the location of the hack.
Related discussion: https://news.ycombinator.com/item?id=42213178
> Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an Internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the Enterprise Wi-Fi to begin with. Further analysis of data available from Organization A’s wireless controller showed which specific wireless access points the attacker was connecting to and overlayed them on a map that had a layout of the building and specific floors.
This is the kind of hackery I'd enjoy seeing in a blockbuster movie.
I think Ubiquiti have that built into their AP/network management software. You can define a floorplan and drop your APs into it to understand dead zones etc, and you have granular data on which clients are connected to which APs.
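An added example (not from the thread, from Volexity, or from any controller vendor) of the forensic step quoted above: tallying which APs a suspect client associated to and turning that into a rough position on a floor plan. AP names, coordinates, building extents and the association records are all constructed, and the RSSI weighting is a deliberately crude heuristic.

```python
from collections import Counter

# Constructed AP placement: name -> (floor, x metres, y metres) on an invented floor
# plan whose extents are 0..50 m east-west and 0..45 m north-south.
AP_MAP = {
    "AP-3F-NW": (3, 5.0, 40.0),
    "AP-3F-NE": (3, 45.0, 40.0),
    "AP-3F-SW": (3, 5.0, 5.0),
    "AP-3F-SE": (3, 45.0, 5.0),
    "AP-2F-NW": (2, 5.0, 40.0),
}
FLOOR_WIDTH, FLOOR_DEPTH = 50.0, 45.0

# Constructed wireless-controller association records for one suspect client:
# (timestamp, AP name, client RSSI in dBm as reported by the AP).
ASSOCIATIONS = [
    ("2024-11-01T23:41:52Z", "AP-3F-NE", -58),
    ("2024-11-02T00:15:07Z", "AP-3F-NE", -60),
    ("2024-11-02T01:02:33Z", "AP-3F-NW", -72),
    ("2024-11-02T01:40:10Z", "AP-3F-SE", -78),
    ("2024-11-02T02:05:49Z", "AP-2F-NW", -85),  # weak bleed-through to the floor below
]


def ap_usage(records):
    """How often the client associated to each AP."""
    return Counter(ap for _, ap, _ in records)


def dominant_floor(records, ap_map):
    """Floor that holds most of the client's associations."""
    return Counter(ap_map[ap][0] for _, ap, _ in records).most_common(1)[0][0]


def estimate_position(records, ap_map):
    """RSSI-weighted centroid of the APs on the dominant floor.

    Weight = RSSI + 100 (so -58 dBm -> 42, -85 dBm -> 15). Good enough to say
    which side of the building a client sits on, not a calibrated positioning model.
    """
    floor = dominant_floor(records, ap_map)
    total = wx = wy = 0.0
    for _, ap, rssi in records:
        f, x, y = ap_map[ap]
        if f != floor:
            continue  # ignore associations to other floors
        w = max(rssi + 100, 0)
        total += w
        wx += w * x
        wy += w * y
    return floor, wx / total, wy / total


def describe(position):
    """Human-readable quadrant for an estimated (floor, x, y)."""
    floor, x, y = position
    ns = "north" if y > FLOOR_DEPTH / 2 else "south"
    ew = "east" if x > FLOOR_WIDTH / 2 else "west"
    return f"floor {floor}, {ns}-{ew} quadrant ({x:.1f} m, {y:.1f} m)"


if __name__ == "__main__":
    pos = estimate_position(ASSOCIATIONS, AP_MAP)
    print(describe(pos))
    print("most-used AP:", ap_usage(ASSOCIATIONS).most_common(1)[0][0])
```

A client that only ever lands on the APs along one exterior wall, at the hours nobody is in the office, is the pattern that points across the street rather than to a desk inside.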