Ukuba sengozini kwe- "FragAttacks" kwe-Wi-Fi kuthinta izigidi zamadivayisi

Darkcrizt

Imizuzu ye-4

Kusanda kukhishwa izindaba ezimayelana nokuba sengozini okuningi esanda kutholakala kuwo wonke amadivayisi anikwe amandla we-Wi-Fi ukuthi ukuphola eminyakeni engaphezu kwengu-20 futhi ukuvumela umhlaseli ukuthi entshontshe idatha uma kutholakala.

Lolu chungechunge lobuthakathaka lutholwe ngumcwaningi wezokuphepha uMathy Vanhoef, ubuthakathaka babizwa ngokuhlanganyela ngokuthi "FragAttacks".

"Ubungozi obuthathu obutholakele amaphutha wedizayini esezingeni le-WiFi ngakho-ke kuthinta iningi lamadivayisi," kusho uMathy Vanhoef, umphenyi wezokuphepha waseBelgium kanye nomcwaningi wezifundo owathola iFrag Attacks.

Okunye ukuhlukunyezwa okudalwe "amaphutha wohlelo asabalele [ekusetshenzisweni kwezinga le-WiFi] kwimikhiqizo ye-WiFi," kusho uVanhoef.

"Ukuhlolwa kukhombisa ukuthi yonke imikhiqizo ye-WiFi ithinteka okungenani ukuba sengozini okukodwa nokuthi iningi lemikhiqizo lithinteka ukukhubazeka okuningi," kusho uVanhoef, naye okulindeleke ukuthi enze inkulumo ejulile ngokutholakele kwakhe ngasekupheleni kukaJuni. Kulo nyaka ngo-Agasti ku-USENIX. '21 inkomfa yezokuphepha.

Njengoba kushiwo ubungozi obuthathu amaphutha wedizayini esezingeni le-Wi-Fi futhi athinta amadivayisi amaningi, ngenkathi ukukhubazeka okusele kungumphumela wamaphutha wokuhlela kumikhiqizo ye-Wi-Fi.

Ukusetshenziswa kobungozi ingavumela umhlaseli ngaphakathi kwebanga lomsakazo ukuthi akhombe amadivayisi ngezindlela ezahlukahlukene. Kwesinye isibonelo, umhlaseli angafaka ozimele bombhalo osobala kunoma iyiphi inethiwekhi ye-Wi-Fi ephephile. Kwesinye isibonelo, umhlaseli angabamba ithrafikhi ngokwazisa isisulu ukuthi sisebenzise iseva ye-DNS ethelelekile.

UVanhoef uphawula ukuthi ukuhlolwa kukhombisa ukuthi okungenani ukuba sengozini okukodwa kungatholakala kuwo wonke umkhiqizo we-Wi-Fi nokuthi imikhiqizo eminingi ithinteka ukukhubazeka okuningi, njengoba evivinya amadivayisi anezinhlobonhlobo zamadivayisi we-Wi-Fi, kufaka phakathi ama-smartphones adumile, njenge-Google. , I-Apple, i-Samsung ne-Huawei, kanye namakhompiyutha avela kwa-Micro-Start International, Dell ne-Apple, amadivayisi we-IoT avela ku-Canon ne-Xiaomi, phakathi kwabanye.

Abukho ubufakazi bokuthi ukuba sengozini kuxhashaziwe ngesikhathi esithile nalapho kukhulunywa ngalo mbiko, Abakwa-Wi-Fi Alliance bathi ukuba sengozini kuncishiswa ngezibuyekezo yamadivayisi ajwayelekile avumela ukutholwa kokuthunyelwa okusolisayo noma ukuthuthukisa ukuhambisana nokusetshenziswa okuhle kwezindlela zokuphepha.

"I-FragAttacks iyisibonelo sakudala sokuthi isoftware ingaba nobuthakathaka bobabili bokuklama kanye nobungozi bokwenza," 

"Ngaphambi kokuthi othile aqale umhleli wamakhodi, isigaba sokwakhiwa kufanele sifake imigomo ephephile yokuklama eqhutshwa yimodeli yokwesabisa… Ngesikhathi sokusatshalaliswa nokuhlolwa, amathuluzi wokuhlola okuzenzakalelayo ezokuphepha asiza ukuthola ukuba sengozini kwezokuphepha. Ukuphepha ukuze kulungiswe ngaphambi kokwethulwa."

Ukuba sengozini kuhlelwe kanje:

Amaphutha we-WiFi ejwayelekile

  • I-CVE-2020-24588 - Ukuhlaselwa kokuhlangana (kwamukela ozimele be-A-MSDU okungezona i-SPP).
  • I-CVE-2020-24587: ukuhlaselwa kokhiye oxubekile (ukuphinda kuhlanganiswe izingcezu ezibethelwe ngaphansi kwezikhiye ezahlukahlukene).
  • I-CVE-2020-24586 - Ukuhlaselwa kwe-Chunk cache (Ukwehluleka ukusula ama-chunks kwimemori lapho (kabusha) ixhuma kunethiwekhi).

Ukuqalisa kokusebenza kwamazinga we-WiFi

  • I-CVE-2020-26145: Ukwamukela ama-Chunks we-Plain Text Streaming njengama-Full Frames (kunethiwekhi ebethelwe).
  • I-CVE-2020-26144: Ukwamukelwa kombhalo osobala we-A-MSDU ozimele oqala ngesihloko se-RFC1042 nge-EtherType EAPOL (kunethiwekhi ebethelwe).
  • I-CVE-2020-26140: Ukwamukelwa Kwamafreyimu Wedatha Yombhalo Ocacile Kunethiwekhi Evikelwe.
  • I-CVE-2020-26143: Ukwamukelwa Kwamafreyimu Wedatha Yemibhalo Ehlukanisiwe Engaxhunywanga Kunethiwekhi Evikelwe.

Okunye ukwehluleka kokuqalisa

  • I-CVE-2020-26139: Ukudluliswa kozimele kwe-EAPOL noma umthumeli engakaqinisekiswa (kufanele kuthinte ama-APs kuphela).
  • I-CVE-2020-26146: Ukuhlanganiswa kabusha kwezingcezu ezibethelwe ngezinombolo zepakethe ezingalandelani.
  • I-CVE-2020-26147: Ukuhlelwa kabusha kwama-Encrypted / Plain Text Mixed Chunks.
  • I-CVE-2020-26142: Icubungula ozimele abahlukanisiwe njengamafreyimu agcwele.
  • I-CVE-2020-26141: Amafreyimu ahlukanisiwe i-MIC TKIP ayiqinisekisiwe.

Okokugcina uma unesifiso sokwazi okwengeziwe ngakho, ungabonisana isixhumanisi esilandelayo.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Unomthwalo wemfanelo ngedatha: AB Internet Networks 2008 SL
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.