BadMesher: New Attack Surfaces of Wi-Fi Mesh Network

Conference:  BlackHat USA 2021

2021-11-11

Summary

The presentation discusses the development of an automatic bug hunting tool called MeshFarther for identifying security vulnerabilities in Windows-based mesh networks. The tool uses mutation strategies to identify potential issues and can be adapted for use with other mesh vendors and smartphone mesh solutions. The presentation also covers the process of fast network building and network control.
  • MeshFarther is an automatic bug hunting tool for identifying security vulnerabilities in Windows-based mesh networks
  • The tool uses mutation strategies to identify potential issues
  • MeshFarther can be adapted for use with other mesh vendors and smartphone mesh solutions
  • The presentation covers the process of fast network building and network control
The presentation provides an example of how MeshFarther was used to trigger an out-of-bounds security issue in the progress m6 of the network build process. The tool was able to capture the crash log and identify the issue for further investigation.

Abstract

With the increasing number of internet access devices, the application and research of the Internet of Things (IoT) have become popular day by day. As an IoT infrastructure, Wi-Fi networks play a significant role in providing quick and easy communication services for IoT devices. Furthermore, Wi-Fi Mesh has advantages in self-organization, self-management, and self-healing as a new networking technology, improving flexibility and reliability compared to the traditional network. In this session, we will start with the EasyMesh designed and certified by Wi-Fi Alliance. Then, we will pay attention to the security issues in the implementation of Wi-Fi Mesh. In detail, we will focus on the attack surfaces in network build and network control and share attack ideas for different Wi-Fi Mesh roles. In the research progress, we will summarize the types of memory corruption caused by the parsing of Type-Length-Value (TLV) and design an automatic fuzzing tool called MeshFuzzer. We will share the design of MeshFuzzer and the difficulties in implementation. Furthermore, we will introduce how we cover all roles and stages in Wi-Fi Mesh. In practice, we evaluate our tools on the MT7915 Wi-Fi chipset, the world’s first single-chip ‘Wi-Fi 6 Wave 1+’ and ‘Bluetooth 5’ combo solution, which supports EasyMesh well. MeshFuzzer has found several memory corruption vulnerabilities and got 19 CVEs. We will introduce some of the typical vulnerabilities in network build and network control. Finally, we will put forward safety recommendations and the research direction in the future.