
Security Fixes & Conntrack Hardening in SPR

· 8 min read

Anvil Secure recently published a post and whitepaper covering conntrack flaws that are common to many Linux routers and Linux "multihomed" devices. In this post we'll cover SPR: how our process mitigated the highest-risk vulnerabilities, how we fixed the rest, and the other improvements we're making to be resilient against attacks like this in the future.

Overview

Conntrack is the connection-tracking component of Linux Netfilter and the basis of a stateful firewall: it records the state of each flow so that replies can be matched to the connection that opened them, which is what makes Network Address Translation possible. A router uses it to let clients establish connections through the uplink interfaces and to let the replies back in.

Anvil Secure published details on how devices often fail to lock down their firewalls correctly because conntrack tracks connections at layer 3, by address and port tuple, without tying an entry to the interface on which the connection was opened. An external attacker one hop away can abuse this by spoofing the IP address of a legitimate endpoint: the spoofed packet matches an established connection managed by conntrack and is accepted, reaching internal interfaces on the device or router. For most of our users this limits the attack to a compromised or hostile ISP, which is an uncommon (but not unheard of) attack vector. However, since the WiFi Pod can be used as a travel router, it's important to us that it can withstand being attached to a hostile network.

The riskiest of the attacks happen not to affect SPR.
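The failure mode described above, as an added example that is not SPR's code and not the ruleset from the Anvil Secure whitepaper: a small Python model of a conntrack table keyed only by the layer 3/4 tuple, a firewall input chain that accepts anything in state ESTABLISHED before it looks at the arrival interface, and a hardened chain beside it. The interface names, addresses and port numbers are hypothetical. The hardened branch stands in for what you would do in nftables: match the interface together with the state (`iifname "wlan0" ct state established,related accept` rather than a bare `ct state established,related accept`), give each interface its own conntrack zone in a prerouting chain (`iifname "eth0" ct zone set 1`), and drop internal source addresses arriving on the uplink with a reverse-path check (`fib saddr . iif oif missing drop`).

```python
from dataclasses import dataclass

# Hypothetical interface names and addresses for this model (not SPR's).
LAN_IF = "wlan0"              # internal, client-facing interface
WAN_IF = "eth0"               # uplink
ROUTER_LAN_IP = "192.168.2.1"
LAN_PREFIX = "192.168.2."


@dataclass(frozen=True)
class Packet:
    iif: str      # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def orig_tuple(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reply_tuple(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Conntrack:
    """Minimal model of the conntrack table.

    Real conntrack keys entries by the layer 3/4 tuple only. With zone_by_iif
    set, entries are additionally keyed by the interface they were created on,
    which is the effect of assigning a ct zone per interface in a prerouting
    rule. Only the inbound (router-as-destination) direction is modelled.
    """

    def __init__(self, zone_by_iif=False):
        self.zone_by_iif = zone_by_iif
        self.entries = set()

    def _key(self, p, t):
        return (p.iif if self.zone_by_iif else None, t)

    def state(self, p):
        if (self._key(p, orig_tuple(p)) in self.entries
                or self._key(p, reply_tuple(p)) in self.entries):
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, p):
        """Commit the entry, as conntrack does once a NEW packet is accepted."""
        self.entries.add(self._key(p, orig_tuple(p)))


def input_chain_weak(ct, p):
    """Rule order that trips the bug: ESTABLISHED is accepted before any
    interface is checked, so a spoofed packet from the uplink that matches an
    internal client's tuple is let in."""
    if ct.state(p) == "ESTABLISHED":
        return "accept"
    if p.iif == LAN_IF and p.dst == ROUTER_LAN_IP:
        ct.confirm(p)
        return "accept"
    return "drop"


def input_chain_hardened(ct, p):
    """Two independent fixes: a reverse-path check so internal addresses are
    never accepted from the uplink, and ESTABLISHED matched together with the
    interface (with the table itself keyed per interface)."""
    if p.iif == WAN_IF and p.src.startswith(LAN_PREFIX):
        return "drop"
    if p.iif == LAN_IF and ct.state(p) == "ESTABLISHED":
        return "accept"
    if p.iif == LAN_IF and p.dst == ROUTER_LAN_IP:
        ct.confirm(p)
        return "accept"
    return "drop"


def run_scenario(hardened):
    """Replay: an internal client opens a connection to a router-local service,
    then an attacker one hop up the uplink spoofs that client's address.
    Returns the verdict for each packet."""
    ct = Conntrack(zone_by_iif=hardened)
    chain = input_chain_hardened if hardened else input_chain_weak
    client_syn = Packet(LAN_IF, "192.168.2.50", ROUTER_LAN_IP, 40000, 8080)
    client_data = Packet(LAN_IF, "192.168.2.50", ROUTER_LAN_IP, 40000, 8080)
    # Same 5-tuple, but arriving on the WAN with a forged source address.
    spoofed = Packet(WAN_IF, "192.168.2.50", ROUTER_LAN_IP, 40000, 8080)
    return {
        "client_new": chain(ct, client_syn),
        "client_established": chain(ct, client_data),
        "spoofed_from_wan": chain(ct, spoofed),
    }


if __name__ == "__main__":
    print("weak    :", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

Either defence on its own stops this particular packet: the per-interface zone makes the spoofed packet NEW (and the default policy drops it), and the reverse-path check rejects it before state is consulted at all. Keeping both covers the case where a zone is mis-assigned on a new interface.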

Locking Down Multicast Services with SPR

· 4 min read

Here is an overview of how SPR helps defend users against attacks that abuse multicast services. These capabilities let SPR users enjoy the benefits of multicast while constraining the attack surface to trusted devices only.

Overview

  1. Every WiFi device is placed on its own VLAN and has a unique Group Key, blocking direct station-to-station multicast traffic.
  2. We employ a configurable multicast proxy to relay whitelisted multicast services. It supports mDNS and SSDP by default for ease of use. The multicast proxy, and mDNS and SSDP relaying with it, can be turned off completely.
  3. We also support setting a tag on multicast services to limit relaying to devices that have the same tag applied.

Locking Down Docker Networks with SPR

· 8 min read

Envision a homelab scenario with a feature-rich router that has enough storage and memory to serve as a container host. Locking down the router's container network policy is surprisingly difficult to set up and manage.

SPR makes it easy with secure-by-default network controls. Instead of worrying about IP ranges and interfaces, you join the container interfaces to the groups of devices they may communicate with and set the internet access policy.

Authentication, Association, and Authorization in 802.11 WiFi

· 4 min read

Association in the 802.11/WiFi world comes in the "loose" variety of the term, and why hostapd disconnect events are confusing...

As a quick recap: when a station connects to an access point, it goes through a series of request/reply exchanges. Several frame types are in play, including Probe, Authentication and Association frames, and finally Data frames carrying EAPOL. The EAPOL payloads perform all the fun cryptography, keyed by the passphrase or the 802.1X credentials, for the WPA2, WPA3 and 802.1X authentication mechanisms.
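The EAPOL cryptography mentioned above, worked through for the WPA2-PSK case as an added example (not code from SPR or hostapd): the passphrase and SSID are stretched into the PMK, messages 1 and 2 of the 4-way handshake carry the two nonces, both sides expand the PMK into the PTK, and the authenticator checks the MIC on message 2 with the KCK. The MAC addresses, nonces, SSID and passphrase are constructed values; the frame layout is the RSN EAPOL-Key descriptor with an empty Key Data field. WPA3 replaces the PBKDF2 step with SAE, but the PTK expansion and MIC check follow the same shape.

```python
import hashlib
import hmac

MIC_OFFSET = 81     # byte offset of the Key MIC field in an EAPOL-Key frame
NONCE_OFFSET = 17   # byte offset of the Key Nonce field


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1 in counter mode over label || 0x00 || data || i."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Returns (KCK, KEK, TK); the min/max ordering is why both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_eapol_key_frame(key_info, replay_counter, nonce, key_data=b""):
    """EAPOL-Key frame (RSN descriptor, type 2) with the MIC field zeroed."""
    body = (
        bytes([2])                          # descriptor type: RSN
        + key_info.to_bytes(2, "big")
        + (16).to_bytes(2, "big")           # key length (CCMP TK)
        + replay_counter.to_bytes(8, "big")
        + nonce                             # 32 bytes
        + bytes(16)                         # key IV
        + bytes(8)                          # key RSC
        + bytes(8)                          # key ID (reserved)
        + bytes(16)                         # key MIC, filled in by with_mic()
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


def eapol_key_mic(kck, frame):
    """Key MIC for descriptor version 2: HMAC-SHA1-128 over the frame with MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def with_mic(kck, frame):
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def ap_verify_msg2(pmk, aa, spa, anonce, msg2):
    """Authenticator side: pull SNonce out of message 2, derive the PTK and
    check the MIC. A wrong passphrase or a tampered frame fails here."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def handshake_demo(passphrase="correct horse battery staple", ssid="spr-lab"):
    """Messages 1 and 2 of the 4-way handshake with constructed MACs and nonces."""
    aa = bytes.fromhex("020000000001")      # AP MAC (constructed)
    spa = bytes.fromhex("020000000002")     # station MAC (constructed)
    anonce = bytes(range(32))               # fixed nonces so the run is reproducible
    snonce = bytes(range(32, 64))
    pmk = pmk_from_passphrase(passphrase, ssid)
    # Message 1: AP -> STA, carries ANonce; no MIC, there is no key to compute it with yet.
    msg1 = build_eapol_key_frame(0x008a, 1, anonce)
    # Station derives the PTK and answers with SNonce under a MIC keyed by the KCK.
    kck, _, _ = derive_ptk(pmk, aa, spa, msg1[NONCE_OFFSET:NONCE_OFFSET + 32], snonce)
    msg2 = with_mic(kck, build_eapol_key_frame(0x010a, 1, snonce))
    return {
        "pmk": pmk,
        "msg2": msg2,
        "ap_accepts": ap_verify_msg2(pmk, aa, spa, anonce, msg2),
        "wrong_psk_rejected": not ap_verify_msg2(pmk_from_passphrase("wrong", ssid), aa, spa, anonce, msg2),
    }


if __name__ == "__main__":
    result = handshake_demo()
    print("PMK:", result["pmk"].hex())
    print("AP accepts message 2:", result["ap_accepts"])
```

Everything an offline attacker needs for a dictionary attack on WPA2-PSK is visible in this exchange: both MACs, both nonces and the MIC on message 2, which is why capturing the handshake is the first step of such an attack and why WPA3's SAE was introduced.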

BSSID Randomization

· 3 min read

How Does WiFi Location Positioning & Tracking Work?

All Apple smartphones and laptops, as well as Google devices, passively collect access point names (the SSID) and their hardware addresses (the BSSID), and tag them with the GPS location. With billions of customers, the tech giants have been able to build databases that contain the physical position of almost every access point in the world.

Researchers from the University of Maryland showed that the privacy features in the public APIs were insufficient to protect the privacy of individuals. See the paper by Erik Rye and Dave Levin for the details: "Surveilling the Masses with Wi-Fi-Based Positioning Systems".

Krebs on Security has a thorough review of the issue: "Why Your Wi-Fi Router Doubles as an Apple AirTag".

PI5 Hats and More, Unleashing the Power of Modular Router Hardware

· 4 min read

Modular Router Hardware

I'm excited to announce that Supernetworks will be releasing Compute Module-based and Pi5 Expansion HAT-based access points. The HATs and Compute Modules are expected to be generally available this summer.

The second tenet of sustainability is reuse. Companies like Framework have been spearheading the charge towards a better form of computing by building upgradable laptops and, soon, other devices.

With what the Raspberry Pi Foundation offers, we are able to bring some of the benefits of modular computing to access points as well. Modularity takes ownership one step further, letting people reuse the hardware for other projects and upgrade it to make it more powerful, without any soldering required.

Dragonfly Pake

· 7 min read

Midnight Sun Qualifiers 2024

Over the weekend, a CTF team I help with, HackingForSoju, hosted the Midnight Sun CTF Qualifiers. The finals will take place in Stockholm, Sweden on June 14-16.

I put together a challenge around WPA3's Password Authenticated Key Exchange, Dragonfly.

WPA3 gets quite a few notes in our WiFi training, where we discuss the background of the protocol, because it was so very worrisome from the start.

trouble