Aug 14 2023

Ford Cars WiFi Vulnerability Let Attackers Execute Remote Code

Category: Remote code,Wi-Fi Securitydisc7 @ 9:02 am

Ford recently identified a buffer overflow flaw in the Wi-Fi driver used by it in the SYNC 3 infotainment system. After the discovery, Ford quickly alerted about this flaw and disclosed the vulnerability publicly.

Car hijacking by hackers exploiting various functions of the car is known, but the real-world execution of such attacks remains challenging.

While there are certain vulnerabilities that cause immediate serious consequences, enabling threat actors to open and start the cars by exploiting the vulnerabilities remotely.

Since this system is used in the Ford and Lincoln vehicles, so, the successful exploitation of this flaw could enable threat actors to perform remote code execution.

This vulnerability has been tracked as “CVE-2023-29468,” and it was detected by a researcher who reported this flaw to the Wi-Fi module supplier, Texas Instruments (TI).

Flaw Profile

  • CVE ID: CVE-2023-29468
  • Summary: The TI WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame. Using a specially crafted frame, a buffer overflow can be triggered which can potentially lead to remote code execution.
  • TI PSIRT ID: TI-PSIRT-2022-120160
  • CVSS Score: The CVSS base score for this issue can range from 8.8 to 9.6.
  • Affected Products: WILINK8-WIFI-MCP8 version 8.5_SP3 and earlier

Ford’s Response

The SYNC3 infotainment system offers in-car WiFi, connectivity, voice commands, and third-party apps. The vulnerability concerns Ford customers, but no known exploits were reported. 

Moreover, the attackers need physical proximity to an exposed, running engine with Wi-Fi enabled for a successful attack.

Ford’s investigation concludes that this vulnerability won’t impact vehicle safety, as the infotainment system firewall prevents control interference with steering, throttling, and braking.

Besides this, Ford assured that soon it will release the online software patch for USB installation. Meanwhile, customers who are concerned about the flaw can disable the Wi-Fi via SYNC 3’s Settings menu or check the vehicle’s SYNC 3 status online.

Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: WiFi Vulnerability

Aug 06 2023

WiFi Penetration Testing Guide

Category: Wi-Fi Securitydisc7 @ 8:37 am


The Ultimate Kali Linux Book: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and Empire, 2nd Edition

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: WiFi Penetration Testing

Aug 02 2023


Category: Hacking,Wi-Fi Securitydisc7 @ 7:21 am

TP-Link has released a fix for a severe vulnerability in its Archer AX21 router. This vulnerability might have allowed attackers to take control of the device and carry out arbitrary operations.

This vulnerability, which has been assigned the identifier CVE-2023-31710, was discovered after a heap-based buffer overflow bug was discovered in the TP-Link Archer AX21 router’s /usr/lib/ component. Xiaobye, an adept security researcher, is the one who discovered this security weakness and exposed it in full, which made it possible for TP-Link to quickly devise a solution to the problem. The absence of input sanitization in relation to the variable content_length is at the heart of the problem that we are now facing. A clever adversary might potentially alter this variable, which provides information on the length of the data included in the TMP packet. This vulnerability may be exploited by a  hacker by submitting a request to the router that was painstakingly designed, which would then cause the router to carry out the commands. Archer routers only allow ‘admin’ users, who are endowed with full root access. This exacerbates the severity of the problem. Therefore, in the event that a threat actor is successful in getting command execution, that actor would therefore take control of the router and acquire administrative capabilities.

This security flaw affects particular router versions, including Archer AX21(US)_V3_1.1.4 Build 20230219 and Archer AX21(US)_V3.6_1.1.4 Build 20230219, among others. Nevertheless, TP-Link has released patches for these versions, which may be found under the names Archer AX21(US)_V3.6_230621 and Archer AX21(US)_V3_230621, respectively. It is recommended that consumers who are affected get their routers up to date as soon as they can.

Xiaobye has continued his commendable efforts to shed light on this matter by publishing a compelling video presentation of exploiting the CVE-2023-31710 vulnerability on his Github repository.

In order to strengthen the safety of your router, you should take additional precautions in addition to updating the firmware on it.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions (Hacking Exposed)

CISSP training course

InfoSec tools | InfoSec services | InfoSec books


May 31 2023


Category: Wi-Fi SecurityDISC @ 11:32 am

Researchers from Tsinghua University and George Mason University have discovered a significant weakness in the NPU chipset. By exploiting this flaw, attackers are able to eavesdrop on data being broadcast across 89% of real-world Wi-Fi networks.

Hardware acceleration, such as the use of NPU chipsets in Wi-Fi networks, increases the data transmission rate and decreases latency. However, it also creates security problems owing to the direct transmission of wireless frames by Access Point (AP) routers.

Researchers from Tsinghua University and George Mason University have recently found a security weakness in the wireless frame forwarding mechanism used by the NPU. Attackers may take use of the vulnerability to conduct a Man-in-the-Middle attack (MITM) on Wi-Fi networks by circumventing the need for rogue access points (APs). Intercepting a victim’s plaintext communication while avoiding link layer security methods such as WPA3 is possible with this technique. The research paper that  team wrote has been approved for presentation at the 2023 IEEE Symposium on Security and Privacy.

The scenario shown in Figure  depicts a situation in which an attacker and a victim supplicant are both connected to the same Wi-Fi network in order to access Internet services. Imagine that you have successfully completed the phone authentication process and are now able to access the Wi-Fi network at Starbucks. Each session to the AP router is protected by a Pairwise Transient Key (PTK) session key, and the Wi-Fi network that you are trying to connect to has WPA2 or WPA3 installed to provide security.

They made the discovery that the security methods, such as WPA2 and WPA3, may be readily evaded, giving attackers the ability to read the plaintext of the victim supplicant’s communication. An impersonation of the access point (AP) is created by the attacker via the use of spoofing the source IP address. The attacker then sends a victim supplicant an ICMP redirect message, which is an ICMP error message with a type value of 5.

Because of the need to maximize performance, the NPU in the AP router (for example, Qualcomm IPQ5018 and HiSilicon Gigahome Quad-core) would immediately transfer the bogus message of ICMP redirection that it has received to the victim supplicant. After receiving the message, the victim supplicant will be deceived into changing its routing cache and substituting the next hop to the server with the IP address of the attacker. This will allow the attacker to get access to the server. Because of this, future IP packets that were supposed to be sent to the server are instead routed to the attacker at the IP layer. This gives the attacker the ability to send the packets to their intended destination. The MITM attack is successfully carried out by the attacker, who does not make use of any rogue AP in the process. This allows the attacker to intercept and change the traffic of the victim supplicant invisibly.

Both Qualcomm and Hisilicon have verified that their NPUs are susceptible to the vulnerability that prohibits AP devices from successfully blocking faked ICMP redirect packets. This vulnerability has been given the identifier CVE-2022-25667 by Qualcomm.

Adding features to access points that will slow down maliciously constructed ICMP redirection. If the message has clear unlawful features (for instance, the source IP address of the message is provided with the AP’s IP address, and the message can only be created by the AP itself), then the AP should block and discard the message as soon as it is detected. This strategy depends on the participation of both the NPU chip makers and the AP suppliers in a collaborative effort.
Improving the ability of supplicants to check the ICMP packets that they have received. The supplicant has the ability to successfully detect bogus ICMP messages and mount a defense against this attack provided it ensures that the source IP address and source MAC address of the received ICMP message are consistent with one another.

The Home Network Manual: The Complete Guide to Setting Up, Upgrading, and Securing Your Home Network

InfoSec tools | InfoSec services | InfoSec books

Tags: WPA2, WPA3

Mar 30 2023

New WiFi Flaw Let Attackers Hijack Network Traffic

Category: Cyber Attack,Wi-Fi SecurityDISC @ 8:27 am

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.

When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.

WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.

By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.

According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.

Adversary Can Abuse the Power-Save Mechanisms

The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.

Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.

The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.

Attack Diagram

In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.

Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.

By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.

“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.

Network Device Models That Are Known To Be Vulnerable:

“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.

Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hijack Network Traffic

Mar 29 2023


Category: Hacking,Wi-Fi SecurityDISC @ 8:01 am

An adversary may circumvent encryption for some communications by exploiting a flaw in the widespread 802.11 protocol, which enables them to do so. The university researchers that made the discovery claim that the flaw enables an adversary to “trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key.”

Due to the fact that it is a flaw in the Wi-Fi protocol, it impacts more than one implementation. A ground-breaking academic paper with the provocative title “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmission Queues” was made available to the public on March 27, 2023. This document revealed flaws in the 802.11 Wi-Fi standard. Because of these vulnerabilities, an attacker could be able to impersonate a targeted wireless client and reroute frames that are already in the transmit queues of an access point to a device that the attacker controls. In this post, we will analyze the workings of this opportunistic attack and investigate the many preventative measures that may be taken to protect your network from this danger.

The attack, which has been given the name “MacStealer,” is directed against Wi-Fi networks that include hostile insiders and takes advantage of client isolation bypasses (CVE-2022-47522). Even if clients are unable to communicate with one another, it is able to intercept communication at the MAC layer. Wi-Fi networks that use client isolation, Dynamic ARP inspection (DAI), and other mechanisms meant to prevent clients from attacking one another are susceptible to this issue.

The first company to recognize the flaw was Cisco, which said that the attacks described in the research article might be effective against Cisco Wireless Access Point devices and Cisco Meraki products with wireless capabilities. Cisco was the first firm to admit the issue.

The client authentication and packet routing processes in Wi-Fi networks function independently of one another, which is the root cause of the security hole known as CVE-2022-47522. The usage of passwords, users, 802.1X IDs, and/or certificates is required for authentication, although MAC addresses are what determine how packets are routed. This inconsistency may be exploited by a malicious insider who disconnects a victim from the network and then reconnects to it using the victim’s MAC address and the attacker’s credentials. As a consequence of this, any packets that are still on their way to the victim, such as data from a website, will instead be received by the attacker.

The following are the three basic stages of this attack:

The attacker will wait for the victim to connect to a susceptible Access Point (AP), at which point the attacker will submit a request to an internet server. For example, the attacker may send an HTTP request to a website that only displays plaintext.
Steal the Identifying Information of the Victim: The perpetrator of the attack removes the victim’s network connection before the AP has a chance to process the server’s response. After that, the attacker creates a fake version of the victim’s MAC address and logs in to the network using their own credentials.
Intercept the Response: At this step, the access point (AP) pairs the attacker’s encryption keys with the victim’s MAC address. This gives the attacker the ability to intercept any pending traffic that is destined for the victim.
It is essential to keep in mind that the communication that is being intercepted may be secured by higher-layer encryption, such as that provided by TLS and HTTPS. Therefore, regardless of whether or not a higher-layer encryption is being used, the IP address that a victim is talking with may still be discovered by this approach. This, in turn, exposes the websites that a victim is viewing, which, on its own, might be considered sensitive information.

All Corporate WPA1, WPA2, and WPA3 networks are vulnerable to the attack in exactly the same way. This is due to the fact that the attack does not take use of any cryptographic features of Wi-Fi; rather, it takes advantage of the way in which a network decides to which client packets should be transmitted, sometimes known as routing.

To summarize, the attack described in the “Framing Frames” study is a worrying vulnerability that presents the possibility of adversaries being able to intercept and perhaps read sensitive information that is being carried across Wi-Fi networks. It is essential for businesses to take all of the required steps, such as implementing strong security measures and using mitigations that have been advised, in order to guarantee the safety and security of their networks.

Using 802.1X authentication and RADIUS extensions are two methods that may be utilized to stop MAC address theft. Safeguarding the MAC address of the gateway, putting in place Managed Frame Protection (802.11w), and making use of virtual local area networks (VLANs) are all viable mitigations. The use of policy enforcement techniques using a system such as Cisco Identity Services Engine (ISE), which may limit network access by utilizing Cisco TrustSec or Software Defined Access (SDA) technologies, is something that Cisco advises its customers to do. It is also recommended by Cisco to implement transport layer security in order to encrypt data while it is in transit if it is practicable to do so. This would prevent an attacker from using the data they have collected.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: 802.11, Hacking Exposed Wireless, WPA1, WPA2, WPA3

Jan 18 2023

Wireless Penetration Testing Checklist – A Detailed Cheat Sheet

Category: Cheat Sheet,Pen Test,Wi-Fi SecurityDISC @ 4:13 pm

Wireless Penetration testing actively examines the process of Information security Measures which is Placed in WiFi Networks and also analyses the Weakness, technical flows, and Critical wireless Vulnerabilities.

The most important countermeasures we should focus on are Threat  Assessment, Data theft Detection, security control auditing, Risk prevention and Detection, information system Management, and Upgrade infrastructure and a Detailed report should be prepared.What is Wireless Penetration Testing?

Wireless Penetration Testing is aimed to test wireless infrastructure to find vulnerabilities in the network. Testing involves both manual testing techniques and automated scans to simulate a real-world attack and identify risks.Why is wireless penetration testing important?

Usage of Wi-Fi access dramatically increased nowadays, and the quality of Wi-Fi security is in question. By using Wi-Fi access thousands of transaction processing every minute.
If the network is vulnerable it allows hackers to launch various attacks and intercept the data.

Common Wireless Network Vulnerabilities

  • Deployment of Vulnerable WEP Protocol
  • Man-in-the-Middle Attacks
  • Default SSIDs and Passwords
  • Misconfigured Firewalls
  • WPA2 Krack Vulnerability
  • NetSpectre – Remote Spectre Exploit
  • Warshipping
  • Packet Sniffing
  • Warshipping

Wireless Penetration Testing Checklist

Let’s take a detailed look at the Wireless Penetration Testing Checklist and the steps to be followed.

Framework for Wireless Penetration Testing

  1. Discover the Devices connected with  Wireless Networks.
  2. Document all the findings if Wireless Device is Found.
  3. If a wireless Device is found using Wifi Networks, then perform common wifi Attacks and check the devices using WEP Encryption.
  4. If you found WLAN using WEP Encryption then Perform WEP Encryption Pentesting.
  5. Check whether WLAN Using WPA/WPA2 Encryption. If yes then perform WPA/WPA2 pen-testing.
  6. Check Whether WLAN using LEAP Encryption. If yes then perform LEAP Pentesting.
  7. No other Encryption Method was used which I mentioned above, Then Check whether WLAN using unencrypted.
  8. If WLAN is unencrypted then perform common wifi network attacks, check the vulnerability which is placed in the unencrypted method and generate a report.
  9. Before generating a Report make sure no damage has been caused to the pentesting assets.

Wireless Pentesting with WEP Encrypted WLAN

  1. Check the SSID and analyze whether SSID is Visible or Hidden.
  2. Check for networks using WEP encryption.
  3. If you find the SSID as visible mode then try to sniff the traffic and check the packet capturing status.
  4. If the packet has been successfully captured and injected then it’s time to break the WEP  key by using a WiFi cracking tool such as Aircrack-ng, or WEPcrack.
  5. If packets are not reliably captured then sniff the traffic again and capture the Packet.
  6. If you find SSID is the Hidden mode, then do Deauthentication for the target client by using some deauthentication tools such as Commview and Airplay-ng.
  7. Once successfully Authenticated with the client and Discovered the SSID is, then again follow the Above Procedure which is already used for discovering SSID in earlier steps.
  8. Check if the Authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, then bypassing mechanism needs to be performed.
  9. Check if the STA (stations/clients) are connected to AP (Access Point) or not. This information is necessary to perform the attack accordingly.

If clients are connected to the AP, an Interactive packet replay or ARP replay attack needs to be performed to gather IV packets which can be then used to crack the WEP key.

If there’s no client connected to the AP, Fragmentation Attack or Korex Chop Chop attack needs to be performed to generate the keystream which will be further used to reply to ARP packets.

10. Once the WEP key is cracked, try to connect to the network using WPA-supplicant and check if the AP is allotting any IP address or not.”EAPOL handshake“.

Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN

  1. Start and Deauthenticate with WPA/WPA2 Protected WLAN client by using WLAN tools Such as Hotspotter, Airsnarf, Karma, etc.
  2. If the Client is Deaauthenticated, then sniff the traffic and check the status of captured EAPOL Handshake.
  3. If the client is not Deauthenticate then do it again.
  4. Check whether the EAPOL handshake is captured or Not.
  5. Once you captured the EAPOL handshake, then perform a PSK Dictionary attack using coWPAtty, Aircrack-ng to gain confidential information.
  6. Add Time-memory trade-off method (Rainbow tables) also known as WPA-PSK Precomputation attack for cracking WPA/2 passphrase. Genpmk can be used to generate pre-computed hashes.
  7. If it’s Failed then Deauthenticate again and try to capture again and redo the above steps.

LEAP Encrypted WLAN

  1. Check and Confirm whether WLAN is protected by LEAP Encryption or not.
  2. De-authenticate the LEAP Protected Client using tools such as karma, hotspotter, etc.
  3. If the client is De authenticated then break the LEAP Encryption using a tool such as asleapto steal the confidential information
  4. If the process dropped then de-authenticate again

Wireless Penetration Testing with Unencrypted WLAN

  1. Check whether SSID is Visible or not
  2. Sniff for IP range if SSID is visible then check the status of MAC Filtering.
  3. If MAC filtering is enabled then spoof the MAC Address by using tools such as SMAC
  4. Try to connect to AP using IP within the discovered range.
  5. If SSID is hidden then discover the SSID using Aircrack-ng and follow the procedure of visible SSID which I Declared above.

Wireless Penetration Testing

Checkout our previous posts on InfoSec “Cheat Sheet”

InfoSec books | InfoSec tools | InfoSec services

Tags: cheat sheet

Sep 17 2022

Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Category: Security vulnerabilities,Wi-Fi SecurityDISC @ 1:31 pm

The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

Necrum Security Labs’ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.

Research Details

Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.

Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes
FXA2000 (left) and FXA3000 (right)

Researchers discovered the first vulnerability (CVE–2022–36158) while performing the firmware’s reverse engineering. They identified a hidden page, which wasn’t listed in the Wireless LAN Manager interface. This page facilitates the execution of Linux commands on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.

The second vulnerability (CVE–2022–36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also learned that the shadow file contained the has of two users, including root and user, and within a few minutes they could access them through a brute-force attack.

How to Fix the Issues?

In their blog post, researchers explained that the device owner could change the account’s user password from the web admin’s interface, which is the primary reason behind the emergence of these flaws. The root account is reserved for Contec for maintenance purposes.

Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.

In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.

Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.

As pointed out by Eduard Kovacs of SecurityWeek, in its advisory, Contec explained that the vulnerabilities are connected to a private webpage created for developers to execute system commands and the page isn’t linked to other pages available to users. These vulnerabilities have been addressed in versions 1.16.00 for the FX3000 series and 1.39.00 for FX2000 series devices.

WiFi 6: Protocol and Network

Tags: Critical Vulnerabilities, WiFi on Airplanes

Jul 12 2022

Flaws in the ExpressLRS Protocol allow the takeover of drones

Category: Access Control,Wi-Fi SecurityDISC @ 8:51 am

The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.

Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.

ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.

According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.

Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.

Security issues in the binding phase can allow an attacker to extract part of the identifier shared between the receiver and transmitter. The analysis of this part, along with brute force attack, can allow attackers to discover the remaining part of the identifier. Once the attacker has obtained the complete identifier, it can take over the craft containing the receiver, with no knowledge of the binding phrase, by using a transmitter. This attack scenario is feasible in software using standard ExpressLRS compatible hardware.

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”

The phrase used by the ExpressLRS protocol is encrypted using the hashing algorithm MD5 which is known to be cryptographically broken.

The experts observed that the “sync packets” that are exchanged between transmitter and receiver at regular intervals for synchronizing purposes leak a major part of the binding phrase’s unique identifier (UID). An attacker can determine the remaining part via brute-force attacks or by observing packets over the air without brute-forcing the sequences.

“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.

  1. The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefor gives 75% of the bytes required to take over the link.
  2. The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.

The third weakness occurs in the FHSS sequence generation.

  1. Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.

The advisory recommends avoiding sending the UID over the control link. The data used to generate the FHSS sequence should not be sent over the air. It also recommends to improve the random number generator by using a more secure algorithm or adjusting the existing algorithm to work around repeated sequences.

ExpressLRS drones

Artificial Intelligence Applications for Drone Cyber Security

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: drones, ExpressLRS Protocol

May 04 2022

Do You Need to Rethink AppSec With 5G?

Category: App Security,Wi-Fi SecurityDISC @ 8:55 am

It’s not quite everywhere yet, but 5G connectivity is growing rapidly. That’s a great thing for remote workers and anyone depending on a fast connection, but what kind of impact will 5G have on application security?

“The explosion of 5G is only going to put more pressure on teams to harden their application security practice,” said Mark Lambert, vice president of products at ArmorCode, via email. The reason is the increase in the attack surface.

More devices with high bandwidth will be connecting to your network systems and services. At the same time, Lambert pointed out, business leaders are demanding an increase in the pace of software delivery. As 5G use becomes the norm, so does the risk of apps without the security to support faster connectivity.

“Application security teams need ways to quickly identify vulnerabilities within the DevSecOps pipeline and collaborate with development teams to escalate remediation,” said Lambert.

The IoT Dilemma

5G will accelerate the use of IoT devices, which in turn will accelerate app development for IoT devices. Based on the lack of priority for security in the application development process today, there is no indication that IoT software will be designed to handle the challenges of 5G security in the future. And there will be challenges.

The 5G systems won’t just connect phones, sensors and software to the internet. “On a high level, a 5G system comprises a device connected to a 5G access network which, in turn, is connected to the rest of the system called a 5G core network,” according to a whitepaper from Ericsson.

So, it won’t simply be all the new connections that are expanding the attack surface and creating an increased application security risk, but also the change in how 5G connects to the network. Rather than the one-way network that was in place under 4G, 5G brings a two-way communication capability, and, according to a Cyrex blog post, would “be linked in this two-way network and effectively would be public to those with the skills to exploit the link.”

5G, AppSec and the Cloud

Expect to see 5G lead to an increase in the adoption of cloud applications, said Kevin Dunne, president at Pathlock, in an email interview.

“Increased connectivity and connection speeds from anywhere will drive companies to invest in infrastructure that can be accessed from anywhere,” said Dunne. “Providing accessible applications will increase employee productivity, but it will also introduce new threats. With critical resources now on the public network, bad actors can access them from anywhere, increasing the number of threats to sensitive data and business processes.”

IT security teams will need to shift their focus from network-based perimeter protection to more modern approaches that look beyond what users can do in an application to what they are doing, Dunne added. “This helps to defend against modern attacks like phishing and ransomware which are increasingly common in cloud environments.”

It’s not all gloom and doom for 5G and application security. 5G can enhance app security, allowing developers to create more intelligent software and allowing them to use virtual hardware. 5G can also improve identity management and authentication that will make it more difficult for threat actors to infiltrate applications.

5G is expected to transform business reliance on IoT devices and cloud applications. Expect new threats and risks to go hand-in-hand with the innovations that 5G brings. Those responsible for application security will need to prepared with cybersecurity systems that will adapt to those threats.

5G SASE Security

5G Wireless: A Comprehensive Introduction

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: 5G security, 5G Wireless, AppSec

Sep 03 2021

New BrakTooth flaws potentially impact millions of Bluetooth-enabled devices

Security flaws in commercial Bluetooth stacks dubbed BrakTooth can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.

The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.

As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.

“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “

The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).

The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities


Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)

Tags: Bluetooth security

May 12 2021

WiFi devices going back to 1997 vulnerable to new Frag Attack

Category: Wi-Fi SecurityDISC @ 10:04 am
WiFi devices going back to 1997 vulnerable to new Frag Attacks | The Record  by Recorded Future

Source: WiFi devices going back to 1997 vulnerable to new Frag Attack

A Belgian security researcher has discovered a series of vulnerabilities that impact the WiFi standard, with some bugs dating back as far back as 1997 and affecting devices sold for the past 24 years.

The vulnerabilities, known as Frag Attacks, allow an attacker within a device’s WiFi radio range to gather information about the owner and run malicious code to compromise a device, may it be a computer, smartphone, or other smart device.

Devices are also vulnerable even if the WiFi standard’s security protocols were activated, such as WEP and WPA.

Design flaws in the WiFi standard itself

“Three of the discovered vulnerabilities are design flaws in the WiFi standard and therefore affect most devices,” said Mathy Vanhoef, the Belgian academic and security researcher who found the Frag Attacks.

The rest are vulnerabilities caused “by widespread programming mistakes [in the implementation of the WiFi standard] in WiFi products,” Vanhoef said.

“Experiments indicate that every WiFi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities,” said Vanhoef, who is also scheduled to give an in-depth talk about his findings later this year in August at the USENIX ’21 security conference.

“The discovery of these vulnerabilities comes as a surprise because the security of WiFi has in fact significantly improved over the past years,” the Belgian researcher said.

Prior to disclosing the Frag Attacks today, Vanhoef previously discovered the KRACK and Dragonblood attacks. Vanhoef’s previous findings have helped the WiFi standard improve its security posture, but his latest findings reside in older sections of the WiFi protocol, not improved by his previous discoveries, and already deployed with devices in the real world for decades.

Guide and Tricks to Hack Wifi Networks

Feb 07 2021

Experts found critical flaws in Realtek Wi-Fi Module

Category: Wi-Fi SecurityDISC @ 12:25 am

Critical flaws in the Realtek RTL8195A Wi-Fi module could have been exploited to gain root access and take over devices’ wireless communications.

Researchers from Israeli IoT security firm Vdoo found six vulnerabilities in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take control of a device’s wireless communications.

The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications in multiple industries. 

The module implements an “Ameba” API to allow developers to communicate with the device via Wi-Fi, HTTP, and MQTT, which is a lightweight messaging protocol for small sensors and mobile devices.

Realtek supplies their own “Ameba” API to be used with the device, which allows any developer to communicate easily via Wi-Fi, HTTP, mDNS, MQTT and more.

“As part of the module’s Wi-Fi functionality, the module supports the WEP, WPA and WPA2 authentication modes.” reads the analysis published by the experts.

“In our security assessment, we have discovered that the WPA2 handshake mechanism is vulnerable to various stack overflow and read out-of-bounds issues.”

WiFi Security #WiFiSecurity #WiFiVulnerabilities #WiFHacks

Apr 25 2020

Preparing a Secure Evolution to 5G

Category: cyber security,Information Security,Wi-Fi SecurityDISC @ 12:23 pm


Preparing a Secure Evolution to 5G

[pdf-embedder url=”” title=”5G CYBERSECURITY”]

Tech Talk: 5G Security

Security of 5G networks: EU Member States complete national risk assessments

Bye bye privacy with 5G

Subscribe to DISC InfoSec blog by Email

Tags: 5G privacy, 5G security

Apr 12 2019

‘Dragonblood’ Flaw In WPA3 Lets Hackers Easily Grab Your Wi-Fi Passwords

Category: Wi-Fi SecurityDISC @ 2:55 pm

In a research paper titled Dragonblood, published by security researchers Mathy Vanhoef and Eyal Ronen, it has been revealed that WPA3’s secure handshake called Simultaneous Authentication of Equals (SAE), commonly known as Dragonfly, is affected by password partitioning attacks.

Source: ‘Dragonblood’ Flaw In WPA3 Lets Hackers Easily Grab Your Wi-Fi Passwords

Artist's impression of wireless hackers in your computer.

Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords

Multiple Vulnerabilities in WPA3 Protocol

Enter your email address:

Delivered by FeedBurner

Tags: Wi-Fi security, WPA3

Apr 11 2019

Half of security pros would rather walk barefoot in a public restroom than use public Wi-Fi

Category: Wi-Fi SecurityDISC @ 2:06 pm

Public Wi-Fi is rife with security risks, and cybersecurity professionals aren’t taking any chances, according to a Lastline report.

Source: Half of security pros would rather walk barefoot in a public restroom than use public Wi-Fi

05 public wifi wi-fi

Enter your email address:

Delivered by FeedBurner

Tags: Information Privacy, PII security, Wi-Fi, wireless network security