Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k payment to resolve FCC investigation into Wi-Fi blocking
> > employees sent
> > de-authentication packets to the targeted access points, which would
> > dissociate consumers’ devices
> I agree that ciphering/signing the state message would overcome the problem,
> and there are other wireless technologies that provide this feature.
I'm mildly confused by this discussion. First, I would agree with those
saying this is a security issue, not a privacy issue. Second, 802.11
already has a mechanism to defeat this, namely management frame protection.
Mark
--
Mark RISON, Standards Architect, WLAN English/Esperanto/Français
Samsung Cambridge Solution Centre Tel: +44 1223 434600
Innovation Park, Cambridge CB4 0DS Fax: +44 1223 434601
ROYAUME UNI WWW: http://www.samsung.com/uk
> -----Original Message-----
> From: Zuniga, Juan Carlos [mailto:JuanCarlos.Zuniga@xxxxxxxxxxxxxxxx]
> Sent: 3 October 2014 21:00
> To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
> Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k payment to resolve
> FCC investigation into Wi-Fi blocking
>
> The attack was performed using 802.11 de-authentication messages. These were unicast
> messages sent from the (fake) STA to the AP. An AP would ignore this message unless it
> comes from a previously associated STA, and the way to identify the STA is with the MAC
> address. The way to perform this attack is by "stealing" the source MAC address of an
> authenticated/associated STA (i.e. user) and send it to the target AP.
>
> Both source and destination MAC addresses are relevant, as otherwise the message would be
> ignored.
>
> I agree that ciphering/signing the state message would overcome the problem, and there are
> other wireless technologies that provide this feature.
>
> Juan Carlos
>
> > -----Original Message-----
> > From: Christian Huitema [mailto:huitema@xxxxxxxxxxxxx]
> > Sent: Friday, October 03, 2014 3:06 PM
> > To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
> > Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
> > payment to resolve FCC investigation into Wi-Fi blocking
> >
> > Agree. And no, Juan Carlos, I do not agree that "this is an issue that is in
> > scope for our SG and should be considered when making the threat
> > analysis." In that case, the attack was analyzing the content of messages to
> > find out access points, and the particular MAC used by these access points
> > was irrelevant.
> >
> > There is a slightly related attack using the OUI in the MAC to derive device
> > type, and then selectively do something bad to a class of devices. That would
> > be in scope, I believe.
> >
> > -----Original Message-----
> > From: James Lepp [mailto:jlepp@xxxxxxxx]
> > Sent: Friday, October 3, 2014 11:58 AM
> > To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
> > Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
> > payment to resolve FCC investigation into Wi-Fi blocking
> >
> > Hi,
> >
> > I am in agreement with Phillip. While this particular regulatory/legal domain
> > settlement is interesting on its own, I don't see how this particular "de-
> > authentication frame attack" would be different if the system used short-
> > lived identifiers as opposed to long-lived identifiers. It is a security issue as
> > opposed to a privacy issue. And in this case layer 8 of the stack is doing the
> > enforcement instead of our technical protocols.
> >
> > Regards,
> > -James
> >
> > On Fri, Oct 3, 2014 at 2:33 PM, Phillip Barber
> > <pbarber@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > It is a common problem in wireless networks that permit
> > > non-authenticated state change messaging (for stateful technologies).
> > > Most modern wireless networking technologies overcome this problem by
> > > requiring either ciphering of state change messaging or at the very
> > > least authenticated signatures on state change messaging (hash of CMAC
> > or HMAC digest, for instance).
> > >
> > >
> > >
> > > I would consider this more of a security issue than a privacy issue.
> > > The attacker may have no interest in the specific identity of a true
> > > user, only the need to sniff traffic out of the air and be able to
> > > identify a consistent identity of the true user such that the attacker
> > > can create a bogus state change message. I am not sure that privacy
> > > could or should attempt to address this problem. Security, certainly.
> > >
> > >
> > >
> > > Thanks,
> > > Phillip Barber
> > >
> > >
> > >
> > > From: Dan Harkins [mailto:dharkins@xxxxxxxxxxxxxxxxx]
> > > Sent: Friday, October 03, 2014 1:05 PM
> > > To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
> > > Subject: Re: [STDS-802-Privacy] FW: [802SEC] Marriott agrees to $600k
> > > payment to resolve FCC investigation into Wi-Fi blocking
> > >
> > >
> > >
> > >
> > >
> > > I used to work at a wireless mesh company that was putting up a free
> > > mesh network
> > >
> > > in Mountain View, CA. We received complaints about trouble getting on
> > > the network
> > >
> > > when people were in a certain public park. After much investigation it
> > > turned out that a
> > >
> > > company across the street from the park did not want their employees
> > > to connect to
> > >
> > > the free mesh network and set their APs to disassociate anyone that
> > > tried to associate
> > >
> > > to it— it was the "attack rogue AP" option. They apparently thought
> > > this would only
> > >
> > > affect people in their building but it actually affected a large
> > > portion of the park itself.
> > >
> > >
> > >
> > > Sounds like what Marriott was doing. And I'm sure Marriott thought
> > > it was a feature.
> > >
> > >
> > >
> > > Dan.
> > >
> > >
> > >
> > > On 10/3/14 10:35 AM, "Zuniga, Juan Carlos"
> > > <JuanCarlos.Zuniga@xxxxxxxxxxxxxxxx> wrote:
> > >
> > >
> > >
> > > FYI, another misuse of long-lived identifiers. In this case, the
> > > Privacy Threat is the use of MAC addresses to impersonate users and
> > > send the wrong packets to the network:
> > >
> > >
> > >
> > > “After conducting an investigation, the Enforcement Bureau found that
> > > employees of Marriott, which has managed the day-to-day operations of
> > > the Gaylord Opryland since 2012, had used features of a Wi-Fi
> > > monitoring system at the Gaylord Opryland to contain and/or
> > > de-authenticate guest-created Wi-Fi hotspot access points in the
> > > conference facilities. In some cases, employees sent
> > > de-authentication packets to the targeted access points, which would
> > > dissociate consumers’ devices from their own Wi-Fi hotspot access
> > > points and, thus, disrupt consumers’ current Wi-Fi transmissions and
> > prevent future transmissions”
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Juan Carlos
> > >
> > >
> > >
> > > From: owner-stds-802-sec@xxxxxxxx [mailto:owner-stds-802-
> > sec@xxxxxxxx]
> > > On Behalf Of John H Notor
> > > Sent: Friday, October 03, 2014 12:09 PM
> > > To: 802_EC; RR-TAG; REG_SC
> > > Subject: [802SEC] Marriott agrees to $600k payment to resolve FCC
> > > investigation into Wi-Fi blocking
> > >
> > >
> > >
> > > FYI,
> > >
> > >
> > >
> > > MARRIOTT TO PAY $600,000 TO RESOLVE WIFI-BLOCKING INVESTIGATION.
> > Hotel
> > > Operator Admits Employees Improperly Used Wi-Fi Monitoring System to
> > > Block Mobile Hotspots; Agrees to Three-Year Compliance Plan. News
> > Release.
> > > Adopted: 10/03/2014. News Media Contact: Neil Grace at (202)
> > > 418-0506, email:Neil.Grace@xxxxxxx EB
> > > https://apps.fcc.gov/edocs_public/attachmatch/DOC-329743A1.docx
> > >
> > > https://apps.fcc.gov/edocs_public/attachmatch/DOC-329743A1.pdf
> > >
> > >
> > >
> > > John