
(The Register)   Pre-jacking hits almost 50% in the online world as Farkers scoff at such rookie numbers   (theregister.com)
    More: Interesting, Login, User, Attack, Attack!, Password, E-mail, popular internet services, internet accounts

1431 clicks; posted to STEM on 25 May 2022 at 7:50 AM (5 weeks ago)



12 Comments
 
2022-05-25 8:21:11 AM  
I hate SSO. That is all.
 
2022-05-25 8:35:48 AM  
ELI5: if someone nearby sets up an SSID with the same name as mine, no security, and a stronger signal, what (if anything) prevents my device from connecting to theirs the next time I reboot?

Google results are surprisingly weak here. If anything they seem to suggest that nothing prevents this, and say stupid things like "check if you see two same names in your Wi-Fi list." But if true, that seems like it would be a huge security hole in the world, no?
 
2022-05-25 8:56:55 AM  

Yankees Team Gynecologist: ELI5: if someone nearby sets up an SSID with the same name as mine, no security, and a stronger signal, what (if anything) prevents my device from connecting to theirs the next time I reboot?

Google results are surprisingly weak here. If anything they seem to suggest that nothing prevents this, and say stupid things like "check if you see two same names in your Wi-Fi list." But if true, that seems like it would be a huge security hole in the world, no?


Someone can correct me on the technical details; I believe this is only a problem if you set up your endpoint to not broadcast its SSID, so that your device is then polling for it, which would trigger.

I'm under the impression that if your endpoint is broadcasting when you set it as your device's default, there's a firmer "handshake".

I am backlogicing this out from someone commenting on why you wouldn't necessarily want to have your device not broadcast its SSID in a previous thread, and it made sense at the time, but maybe a nerd will come along to correct me.
 
2022-05-25 9:21:38 AM  

Quantumbunny: I hate SSO. That is all.


How else is Google going to track all your API activity and sell it to the highest bidder?
 
2022-05-25 9:58:39 AM  

Yankees Team Gynecologist: ELI5: if someone nearby sets up an SSID with the same name as mine, no security, and a stronger signal, what (if anything) prevents my device from connecting to theirs the next time I reboot?

Google results are surprisingly weak here. If anything they seem to suggest that nothing prevents this, and say stupid things like "check if you see two same names in your Wi-Fi list." But if true, that seems like it would be a huge security hole in the world, no?


Interesting. As you noticed, it seems like most of the results are about setting up a campus network, not looking at it as a possible attack. I would hope that the system would throw an error because the hostile AP doesn't have the expected encryption, but I don't actually know if that's the case.
 
2022-05-25 10:49:57 AM  

Quantumbunny: I hate SSO. That is all.


Federated identity is awesome (disclaimer: I do this).  Just using Facebook or Google for your IdP is stupid.
 
2022-05-25 2:38:41 PM  

syrynxx: Quantumbunny: I hate SSO. That is all.

Federated identity is awesome (disclaimer: I do this).  Just using Facebook or Google for your IdP is stupid.


Federated identity is great, if you want everyone federated to have the same information as a user. I know why companies/agencies like it. That doesn't mean I want them all having a way to tie together all the data they each have on me because each of their data is associated to the same login.

In some situations, I have the reverse problem, where the data you authorize to, is tied to your identity differently in each place, which makes federated logins bullshiat.

I could rant for hours about different scenarios, but after years of dealing with it, there is not a good implementation or even good theoretical rationale aside from "users dumb. Bad at passwords. Let them use one account for all things". Outside of things like Windows Auth and Kerberos for internal users... For external users, like end customers, it's a no win from every angle.

Hence, I hate SSO.
 
2022-05-25 4:14:37 PM  

Yankees Team Gynecologist: ELI5: if someone nearby sets up an SSID with the same name as mine, no security, and a stronger signal, what (if anything) prevents my device from connecting to theirs the next time I reboot?

Google results are surprisingly weak here. If anything they seem to suggest that nothing prevents this, and say stupid things like "check if you see two same names in your Wi-Fi list." But if true, that seems like it would be a huge security hole in the world, no?


Your device stores the authentication method and password.

It would fail unless the other device also had the same auth method and password. And if they did, then there's no point in the ruse.

Your device, however, may continually try to connect and never succeed.

I don't know whether it uses the auth data to persistently encrypt/decrypt the data, and if it does then there's no way around it. But if it does token assignment, then I guess it could be possible to hack the router software and have it just say "Yes, that is correct, here is your token", then your thing MIGHT be possible.
 
2022-05-25 7:58:50 PM  
dyhchong: Your device, however, may continually try to connect and never succeed.

All the while just giving my wifi password to the attacking router when trying to log into it?
 
2022-05-25 8:10:06 PM  

Yankees Team Gynecologist: dyhchong: Your device, however, may continually try to connect and never succeed.

All the while just giving my wifi password to the attacking router when trying to log into it?


Maybe, maybe not.

There's no real reason why it can't hash it first, but I don't know if they do.

As I think about it, though, the Auth type probably corresponds to a hashing algorithm used for authentication.

So the router will probably just get a hash.

AKA a password of "good password" will get sent as "adk3jhdakj44shasjh35gd5jaisd" which will match the "adk3jhdakj44shasjh35gd5jaisd" on record on the router, but if you submitted "adk3jhdakj44shasjh35gd5jaisd" it would get hashed to "i6ojashdu34iyagduyqw465hci".

Making the hash "effectively" irreversible. But if you have a stupid password like "password" then they'll be able to match it against a rainbow table.
 
2022-05-25 8:21:42 PM  
So the device will store "abc123" but hash it using the algorithm and send "jhasgdjiuyasgd2dch298".

If the router password is "abc123" then it will know that it should expect "jhasgdjiuyasgd2dch298" since it would have hashed it using the same algorithm.

But if a router receives "jhasgdjiuyasgd2dch298" it can't calculate that back to "abc123".

This is how password security works on websites, and why a website should never be able to supply you your website with the "forgot password" function. Because the moment it gets the user password, it should hash it then immediately toss the real password in the bin and only ever use the hash from then on.

https://plaintextoffenders.com/

To break a hash you can only work forwards, not backwards. So you can take "a" and hash it to "ijsahdi", then save that. And you know from then on that "a" corresponds to "ijsahdi" so if you ever see "ijsahdi" with the same algorithm then you know the password is "a".

That's why it's bad to use basic passwords like "password".

And you can't work backwards because hashing algorithms will do stuff like truncate. So you can hash "abc" something to "iajshdiashdsa" then if you cut it down to "iajshdiash" and save that. There's an infinitesimally small chance another password will hash to the same value, but there's no chance that someone can get "abc" from "iajshdiash" because it's missing data. They could only derive an infinitely large list of possibilities, all which hash to "iajshdiash", one of those being "abc". But if the origin password was "3cfha&^hadd" then they'd never really guess that was the one you used without trying them all.
 
2022-05-26 4:21:52 AM  

dyhchong: So the device will store "abc123" but hash it using the algorithm and send "jhasgdjiuyasgd2dch298".

If the router password is "abc123" then it will know that it should expect "jhasgdjiuyasgd2dch298" since it would have hashed it using the same algorithm.

But if a router receives "jhasgdjiuyasgd2dch298" it can't calculate that back to "abc123".

This is how password security works on websites, and why a website should never be able to supply you your website with the "forgot password" function. Because the moment it gets the user password, it should hash it then immediately toss the real password in the bin and only ever use the hash from then on.

https://plaintextoffenders.com/

To break a hash you can only work forwards, not backwards. So you can take "a" and hash it to "ijsahdi", then save that. And you know from then on that "a" corresponds to "ijsahdi" so if you ever see "ijsahdi" with the same algorithm then you know the password is "a".

That's why it's bad to use basic passwords like "password".

And you can't work backwards because hashing algorithms will do stuff like truncate. So you can hash "abc" something to "iajshdiashdsa" then if you cut it down to "iajshdiash" and save that. There's an infinitesimally small chance another password will hash to the same value, but there's no chance that someone can get "abc" from "iajshdiash" because it's missing data. They could only derive an infinitely large list of possibilities, all which hash to "iajshdiash", one of those being "abc". But if the origin password was "3cfha&^hadd" then they'd never really guess that was the one you used without trying them all.


This is a good explanation and I appreciate your write up, I just hope it's how wifi routers actually work!
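
Added example, not part of any comment in this thread: a simplified Python sketch of how WPA2-Personal handles the question discussed above. The passphrase is never transmitted; each side derives keys from it (with the SSID as salt) and the client only accepts an access point whose handshake MIC matches. The SSID, MAC addresses, passphrases and the message-3 bytes are constructed stand-ins, not a real EAPOL-Key frame.

```python
import hashlib
import hmac
import os

def pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    # The SSID acts as the salt, so the same passphrase gives a different key per network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1 in counter mode over both MAC addresses and both nonces.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes of output, truncated to the 64-byte PTK
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk_, msg, hashlib.sha1).digest()
    return out[:64]

def mic(ptk_: bytes, frame: bytes) -> bytes:
    # The first 16 bytes of the PTK are the key confirmation key (KCK).
    return hmac.new(ptk_[:16], frame, hashlib.sha1).digest()[:16]

def client_accepts_ap(client_pass: str, ap_pass: str, ssid: str = "HomeNet") -> bool:
    """Simulate the handshake check: True if the client would accept this AP."""
    ap_mac = bytes.fromhex("020000000001")    # constructed addresses
    sta_mac = bytes.fromhex("020000000002")
    anonce = os.urandom(32)                   # sent by the AP in message 1
    snonce = os.urandom(32)                   # sent by the client in message 2
    frame3 = b"constructed stand-in for EAPOL-Key message 3"

    # Each side derives the session key from its own copy of the passphrase.
    ap_ptk = ptk(pmk(ap_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    sta_ptk = ptk(pmk(client_pass, ssid), ap_mac, sta_mac, anonce, snonce)

    # Only nonces and MICs cross the air; the client recomputes the MIC and compares.
    ap_mic = mic(ap_ptk, frame3)
    return hmac.compare_digest(ap_mic, mic(sta_ptk, frame3))

if __name__ == "__main__":
    print("same passphrase:", client_accepts_ap("abc123", "abc123"))
    print("AP without the passphrase:", client_accepts_ap("abc123", "wrong-guess"))
```

Because the nonces are fresh for every connection, the MIC values differ each time even with the same passphrase.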
 