1、#BHUSA BlackHatEventsFallen Tower of Babel:Rooting Wireless Mesh NetworksFallen Tower of Babel:Rooting Wireless Mesh Networksby Abusing Heterogeneous Control Protocolsby Abusing Heterogeneous Control ProtocolsSpeakers:Xinan Zhou and Zhiyun QianContributors:Juefei Pu,Qing Deng,Srikanth Krishnamurthy,
2、Keyu Man8/7/2024#BHUSA BlackHatEventsTeam/Contributors at Xinan ZhouQing DengJuefei PuKeyu ManZhiyun QianSrikanth Krishnamurthy#BHUSA BlackHatEventsAgendaBackground on home wireless mesh networksTwo types of security flawsExploitationDefenses#BHUSA BlackHatEventsBackground:Home Wireless Mesh Network
3、s1.An emerging type of Wi-Fi network.2.Single gateway node+multiple extender nodesImages:TP-Link#BHUSA BlackHatEventsWireless Mesh Networksare increasingly popular!Images:Netgear,TP-Link,Linksys,ASUSNetgear OrbiTP-Link DecoLinksysASUS#BHUSA BlackHatEventsWireless Mesh Networksare increasingly popula
4、r!#BHUSA BlackHatEventsExtending Connectivity in Home Networks with WMNsInter-access-point backhaul links carry both user traffic and configurations.Fronthaul LinksBackhaul Links#BHUSA BlackHatEventsA Motivating Question:How to Change Wi-Fi Passwords?Network Access Policy Synchronization(NAPS)helps
5、access pointsSynchronize the Wi-Fi passwordSwitch the SSIDUpdate firewall rules,DNS settings,Web UI passwordA novel attack surface!#BHUSA BlackHatEventsHow is NAPS implemented?Channels:over backhaul linksProtocols:ad-hoc crypto protocols and Wi-Fi EasyMeshWe call them Network Access Policy Synchroni
6、zation(NAPS)protocols#BHUSA BlackHatEventsThreat ModelA wireless client(attacker)has a fronthaul link credential.Can use ARP poisoning to perform MITM attacks.Goal 1:To obtain root shell to access pointsGoal 2:To steal WPA2/3 passphrases of backhaul/fronthaul linksImages:Dan Boneh#BHUSA BlackHatEven