So, the latest "fundamental security flaw in wifi" is now making the rounds of the news organizations. This appears to be a campaign for publicity by the Dept. of Information Eng., University of Padova, Italy ahead of INFOCOM 2025 of what they term the BREAK attack.
Here's a typical sky-is-falling article:
How secure is your Wi-Fi network? Research uncovers major vulnerability in wireless networking technology
Details of the attack are here:
INFOCOM2025_BREAK_2025.pdf
Buried in the paper is the following:
"we reverse-engineered the channel sounding procedure implemented on Asus RTAC86U Wi-Fi devices. The Wi-Fi chipset in such devices is the Broadcom BCM4365, featuring a D11 microcontroller whose behavior can be modified using the Nexmon framework"
I thought it was fascinating that they decided to attack a BCM4365 to build their modified firmware, instead of a more open chipset, but they did. Maybe they are trying to make other people have a harder time duplicating what they did with other chips.
Nevertheless, even if Broadcom makes changes to the BCM4365 that break whatever they are doing, since there's plenty of BCM4365 based devices out there that can be used to build attack weapons with their code, this can't be stuffed back into the bottle once it's out there.
Obviously, the biggest flaw is the attacker has to be within radio transmission distance of the AP they are attacking, but I'm wondering if there's any mitigation possible in the firmware other than turning off MU-MIMO or if we are just going to have to wait for wifi 8 and disable Beamforming?
They go through an awful lot of effort ("might lead to serious security issues") just to abuse standards to perform EW (electronic warfare). Why not just jam the spectrum? This is less an indictment of wifi but rather praise of its resilience.
This smells of "we need funding".
Because someone else already published a paper on how to jam the spectrum before they did.
Hopefully they don't dislocate their shoulders patting themselves on the back.
It's too bad they couldn't have used their expertise reverse engineering Broadcom's crap to actually fix the open source Broadcom driver with the newer Broadcom chips.
Just wanted to toss in a thought here... apologies for necro'ing a thread...
- MU groups assume that all client stations are associated with the AP
- How can an unauthenticated client poison the MU groups tracked by the AP, unless the network is open, even then unless the client MAC addr is cloned as the attacking station...
- PMF (802.11w) seems to be a clean way to avoid this type of attack, as most NDP requests and responses are going to be management frames, so having security here is a plus
- Device Under Test (DUT) is interesting - it's a Broadcom SoftMAC device, so either closed source WL or brcmsmac is in use - anyways, no disclosure on what's going on over there with the drivers
So how I look at it - the sky is not falling for most - still a good reminder perhaps to keep firmware up to date, and also to make educated choices for both client and AP hardware...
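Since the post above points at PMF (802.11w) as the mitigation, here is an added check (my own example, not from the thread or the paper) that reads the RSN information element an AP advertises in its beacons and reports whether management frame protection is disabled, optional (MFPC only) or required (MFPC and MFPR, i.e. hostapd's ieee80211w=2). The RSN elements it parses are constructed inline rather than captured from a real AP.

```python
import struct

RSN_ELEMENT_ID = 0x30          # Element ID of the RSN information element
RSN_VERSION = 1
MFPR_BIT = 1 << 6              # RSN Capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7              # RSN Capabilities: Management Frame Protection Capable


def rsn_capabilities(element: bytes) -> int:
    """Return the RSN Capabilities field of a raw RSN element (0 if absent)."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated RSN information element")
    if struct.unpack_from("<H", body, 0)[0] != RSN_VERSION:
        raise ValueError("unsupported RSN version")
    off = 2 + 4                             # skip Version and Group Data Cipher Suite
    for _ in ("pairwise cipher suites", "AKM suites"):
        if off + 2 > len(body):             # suite list omitted: nothing can follow it
            return 0
        count = struct.unpack_from("<H", body, off)[0]
        off += 2 + 4 * count
    if off + 2 > len(body):                 # RSN Capabilities field is optional
        return 0
    return struct.unpack_from("<H", body, off)[0]


def pmf_mode(element: bytes) -> str:
    """Classify PMF as advertised by the AP: disabled, optional, required or invalid."""
    caps = rsn_capabilities(element)
    mfpc, mfpr = bool(caps & MFPC_BIT), bool(caps & MFPR_BIT)
    if mfpr and not mfpc:
        return "invalid"        # the standard forbids MFPR=1 with MFPC=0
    if mfpr:
        return "required"       # hostapd: ieee80211w=2
    if mfpc:
        return "optional"       # hostapd: ieee80211w=1
    return "disabled"           # hostapd: ieee80211w=0


def build_rsn_element(caps: int) -> bytes:
    """Constructed sample: WPA2-PSK/CCMP RSN element carrying the given capabilities."""
    body = struct.pack("<H", RSN_VERSION)
    body += b"\x00\x0f\xac\x04"                          # group cipher: CCMP-128
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x04"   # one pairwise suite: CCMP-128
    body += struct.pack("<H", 1) + b"\x00\x0f\xac\x02"   # one AKM suite: PSK
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body
```

Feed `rsn_capabilities` the raw RSN element from a beacon capture (for example via Scapy's `Dot11EltRSN` raw bytes) to audit what a production AP actually advertises; anything other than "required" means an unprotected station can still exchange unprotected management frames with it.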