OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP
Linus Lüssing
linus.luessing at c0d3.blue
Sat Jun 22 15:14:18 PDT 2024
On Sat, Jun 22, 2024 at 11:51:45PM +0200, Linus Lüssing wrote:
> On Thu, Jun 20, 2024 at 11:46:58AM +0800, kinbell4 wrote:
> > EAP-TLS does not need trusted AP, certificate will prevent fake server,
Or let me give a more concrete attack scenario which I believe a
remote authenticator would solve and current WPA Enterprise setups
are likely susceptible to (though there you could just do
without the L2TP part):

Consider a facility like a university or hospital using WPA
Enterprise. The APs have a RADIUS client with TLS enabled.
The WiFi APs in such facilities are often visible and relatively easy
to access. Maybe at night the attacker gets 5min to temporarily
remove it. Or during the day with the right clothes and a ladder
(social engineering 101).

I can then either through serial or direct flash access install a
backdoor on the AP. Or just read the RADIUS/TLS client's certificate
or key. The AP is compromised / untrusted now.

For the backdoored AP: You can now obviously read the unencrypted
packets as the WiFi AP will encrypt/decrypt the packets from the
WiFi client. And have access to the facility's internal network
just like the authorized WiFi client.

Similarly you could use the RADIUS client certificate
to make and install your own untrusted/rogue/replacement AP with
the same ESSID at the same spot.

With the remote authenticator I could instead move it into a locked
server room for instance. So that packets would stay encrypted
on/over any AP and any cable all the way into the server room.
One dedicated place with a lot more physical protection.

Then the right clothes and a ladder wouldn't be enough anymore
to read the unencrypted frames or to get intranet access. I
would need a physical key to access this particular server room.
And it would be easier/cheaper to physically protect this one
place compared to dozens of places all around a campus or hospital,
for each WiFi AP.