BadMesher: New Attack Surfaces of Wi-Fi Mesh Network

Presented at Black Hat Europe 2021, Nov. 11, 2021, 10:20 a.m. (40 minutes).

With the increasing number of internet access devices, the application and research of the Internet of Things (IoT) have grown steadily. As an IoT infrastructure, Wi-Fi networks play a significant role in providing quick and easy communication services for IoT devices. Furthermore, Wi-Fi Mesh, as a new networking technology, has advantages in self-organization, self-management and self-healing, improving flexibility and reliability compared with traditional networks.

In this session, we will start with EasyMesh, designed and certified by the Wi-Fi Alliance. We will then turn to the security issues in the implementation of Wi-Fi Mesh. In detail, we will focus on the attack surfaces in network build and network control and share attack ideas for the different Wi-Fi Mesh roles.

In the course of the research, we summarize the types of memory corruption caused by parsing Type-Length-Value (TLV) structures and design an automatic fuzzing tool called MeshFuzzer. We will share the design of MeshFuzzer and the difficulties encountered in implementing it. Furthermore, we will introduce how we cover all roles and stages in Wi-Fi Mesh.
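As an added illustration of the defensive side of the TLV problem the talk describes (this is not code from the talk or from any vendor), the walker below applies the two length checks a mesh agent or controller needs before trusting a peer-supplied TLV: the header and the declared value must fit inside the received buffer, and the value must fit the destination it is copied into. The 1-byte type / 2-byte big-endian length layout is assumed from IEEE 1905.1, on which EasyMesh builds, and the sample buffers and the small receiver capacity are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLV_HDR_LEN   3   /* 1-byte type + 2-byte big-endian length (assumed 1905.1 layout) */
#define MAX_VALUE_LEN 8   /* capacity of the receiver's fixed value buffer (constructed, small) */

/* Walk a buffer of TLVs. Returns the number of well-formed TLVs, -1 if a
 * header or length field runs past the end of the buffer (out-of-bounds
 * read), -2 if a value is longer than the receiver's fixed buffer (overflow
 * on copy). *value_bytes accumulates the value lengths actually copied. */
int walk_tlvs(const uint8_t *buf, size_t buf_len, size_t *value_bytes)
{
    size_t off = 0;
    int count = 0;
    *value_bytes = 0;
    while (off < buf_len) {
        uint8_t value[MAX_VALUE_LEN];
        /* The 3-byte header must be present before type/length are read. */
        if (buf_len - off < TLV_HDR_LEN)
            return -1;
        uint16_t len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        off += TLV_HDR_LEN;
        /* The peer-supplied length must not exceed the bytes that remain... */
        if (len > buf_len - off)
            return -1;
        /* ...and must not exceed the destination the value is copied into. */
        if (len > MAX_VALUE_LEN)
            return -2;
        memcpy(value, buf + off, len);
        *value_bytes += len;
        off += len;
        count++;
    }
    return count;
}

/* Constructed inputs: two valid TLVs; a TLV whose length claims 5 bytes
 * when only 1 follows; a TLV whose 9-byte value exceeds MAX_VALUE_LEN. */
static const uint8_t tlv_ok[]    = { 0x01,0x00,0x02,0xAA,0xBB, 0x02,0x00,0x01,0xCC };
static const uint8_t tlv_short[] = { 0x01,0x00,0x02,0xAA,0xBB, 0x02,0x00,0x05,0xCC };
static const uint8_t tlv_big[]   = { 0x03,0x00,0x09, 1,2,3,4,5,6,7,8,9 };

int check_ok(void)    { size_t n; return walk_tlvs(tlv_ok, sizeof tlv_ok, &n) == 2 && n == 3; }
int check_short(void) { size_t n; return walk_tlvs(tlv_short, sizeof tlv_short, &n) == -1; }
int check_big(void)   { size_t n; return walk_tlvs(tlv_big, sizeof tlv_big, &n) == -2; }
```

A fuzzer of the kind the talk describes exercises exactly the two rejected cases: lengths that overrun the frame and lengths that overrun the receiver's buffer.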

In practice, we evaluate our tools on the MT7915 Wi-Fi chipset, the world's first single-chip 'Wi-Fi 6 Wave 1+' and 'Bluetooth 5' combo solution, which supports EasyMesh well. MeshFuzzer has found several memory corruption vulnerabilities and received 19 CVEs. We will introduce some of the typical vulnerabilities in network build and network control.

Finally, we will put forward security recommendations and directions for future research.


  • Ye Zhang - Security Researcher, Baidu
    Ye Zhang is a security researcher at Baidu Security. He is interested in reverse engineering and bug hunting, recently focusing on IoT security and fuzzing, and has reported issues to Apple, Google, Microsoft and others.
  • Ying Wang - Security Researcher, Baidu
    Ying Wang is a security researcher at Baidu Security. She focuses on automated vulnerability detection technology, such as dynamic symbolic execution and fuzzing. She currently works on fuzzing of AI frameworks and the Wi-Fi protocol.
  • Lewei Qu - Security Researcher, Baidu
    Lewei Qu is a security researcher at Baidu Security. He is interested in bug hunting and fuzzing, recently focusing on IoT/mobile security and wireless security, and has reported security issues to Google, Oracle, and Android vendors such as MediaTek, Xiaomi and OPPO.
  • Dongxiang Ke - Security Researcher, Baidu
    Dongxiang Ke is a security researcher at Baidu Security, recently focusing on IoT security and wireless security.
