[ale] Slightly OT - Verizon/McAfee scareware and testing Wireless Networks

Alex Carver agcarver+ale at acarver.net
Mon Jan 21 11:34:19 EST 2019


On 2019-01-21 06:58, Neal Rhodes wrote:
> Given this software is on every new Verizon Samsung phone, I can see a
> line of reasoning that it should NOT specifically describe possible
> exploits it has found to every possible potential amateur would-be
> hacker.  I can also see them attempting to up-sell me.

No, it's because Verizon doesn't want to bother.  Some Verizon reps
replied to posts that say the software simply doesn't perform that level
of analysis.

> 
> Now, I understand in a hard wired context that a dumb hub would let you
> see all packets, while a switch would only let you see your traffic.
> I do not understand in a wireless context how your radio doesn't see all
> packets being broadcast if you can kick it into what used to be called
> "promiscuous mode".  

Promiscuous mode works at Layer 2 and above, meaning you already have a
connection.  However, like an Ethernet switch, the access point won't
forward traffic back out to other clients for which a packet isn't
destined because that's a waste of resources.  You can set your wifi
card to promiscuous mode but you won't see much unless the AP is very
dumb and doing what it shouldn't be doing (echoing packets back out or
using bad security).  Depending on the hardware and the AP configuration
you may not be able to decode/decrypt the packets even if you did
capture them (each device gets a different set of ephemeral keys during
the connection negotiation and traffic destined to that device is
encrypted with those keys so other devices can't see the data).

Some specialized wifi receivers have monitor mode which is what you
would really use if you thought "promiscuous".  This works at the radio
level and captures all packets flying through the air but you have to be
disassociated from the network to do it.  This mode will capture raw
packets but they're all encoded/encrypted so you still have to work your
way through decoding/decrypting them.

If you read up on the KRACK vulnerability you'll see that it relies on
forcing the ephemeral keys of a victim to a known value so that the
attacker can decrypt traffic to and from that victim device.  But this
has to be done on a per device basis.
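Added example, not code from the original post or from any of the tools mentioned in it: a stdlib-only reproduction of the WPA2-PSK key schedule from IEEE 802.11i. It shows the two points above in code: why two clients that share one passphrase still end up with different per-device traffic keys (the PTK mixes in both MACs and both handshake nonces), and what a monitor-mode capture must actually contain before a candidate passphrase can be checked, namely one specific client's 4-way handshake (AP and client MAC, ANonce, SNonce, and the MIC'd message 2). The passphrase, SSID, MAC addresses, nonces and the EAPOL frame layout used for the sample message are constructed for the example; the PBKDF2, PRF-512 and EAPOL MIC constructions are the standard ones.

```python
import hashlib
import hmac

# Constructed sample values (not a real network).
PASSPHRASE = "correct horse battery staple"
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("001337aa0001")                       # authenticator address (AA)
ANONCE = hashlib.sha256(b"sample anonce").digest()          # 32-byte AP nonce
CLIENTS = {                                                  # supplicant address (SPA), SNonce
    "laptop": (bytes.fromhex("00133700b0b1"), hashlib.sha256(b"laptop snonce").digest()),
    "phone":  (bytes.fromhex("00133700c0c1"), hashlib.sha256(b"phone snonce").digest()),
}

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32). Shared by every client."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    Both nonces come from the 4-way handshake, so the PTK is per-client and
    per-association even though the PMK is the same for everyone."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

def split_ptk(ptk):
    """CCMP layout: KCK (EAPOL MIC key), KEK (key-wrap key), TK (data traffic key)."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def build_eapol_msg2(snonce, replay_counter=1):
    """Minimal EAPOL-Key frame shaped like handshake message 2 (no key data), with
    the 16-byte MIC field at offset 81 zeroed. Constructed for this example."""
    body = (bytes([2])                            # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")         # key info: pairwise, MIC, HMAC-SHA1 (ver 2)
            + (16).to_bytes(2, "big")             # key length
            + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + bytes(16)                           # MIC placeholder
            + (0).to_bytes(2, "big"))             # key data length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body

def eapol_mic(kck, frame):
    """Descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:81] + bytes(16) + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def captured_handshake(name):
    """What a monitor-mode capture of one client's association would hand you:
    its MAC, its SNonce, and its MIC'd message 2 (signed here with the true KCK)."""
    spa, snonce = CLIENTS[name]
    kck = split_ptk(derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, spa, ANONCE, snonce))["kck"]
    frame = build_eapol_msg2(snonce)
    return spa, snonce, frame[:81] + eapol_mic(kck, frame) + frame[97:]

def check_passphrase(candidate, ssid, aa, spa, anonce, snonce, msg2):
    """Test a candidate passphrase against one captured handshake. Without the
    handshake, the passphrase alone yields only the PMK, never that client's TK."""
    ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(split_ptk(ptk)["kck"], msg2), msg2[81:97])

def client_traffic_keys():
    """Same passphrase, same AP, two clients: different MAC/SNonce -> different TK."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return {name: split_ptk(derive_ptk(pmk, AP_MAC, spa, ANONCE, snonce))["tk"]
            for name, (spa, snonce) in CLIENTS.items()}

if __name__ == "__main__":
    for name, tk in client_traffic_keys().items():
        print(name, "TK =", tk.hex())
    spa, snonce, msg2 = captured_handshake("laptop")
    print("right passphrase:", check_passphrase(PASSPHRASE, SSID, AP_MAC, spa, ANONCE, snonce, msg2))
    print("wrong passphrase:", check_passphrase("password123", SSID, AP_MAC, spa, ANONCE, snonce, msg2))
```

The takeaway matches the thread: a raw capture of the phone's frames is useless for the laptop's traffic, because each association produces its own PTK, and even for the phone you need that device's own handshake (or, as with KRACK, some way to force its keys) before anything decrypts.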

