Question IoT devices in an Evil Twin Attack

randye007

Distinguished
Feb 3, 2014
8
0
18,510
Hi All,

I have a situation where someone in my neighbourhood is sending deauth packets to some of my IoT devices (camera, Google Home, external home decorative lights controller, garage door opener) at random times (usually once every few days). My IoT devices go down for 15-20 minutes each time, then reconnect to my AP. All these IoT devices use WPA2/WPA3 security, and I have complex WiFi passwords configured.
My question/concern is what is happening while these IoT devices are disconnected. These IoT devices will try to reconnect to the AP. In an Evil Twin Attack, the attacker will spoof my AP and try to fool the IoT device into connecting to it. Since the IoT device is automatically reconnecting to the AP, what happens when it tries to connect to the fake AP if it has a stronger signal? Will it expose my WiFi password? Thanks!
 
I doubt they support it, but use WPA3; that eliminates the ability to spoof the deauthenticate messages. It has been a bit since I read this stuff, but I think they have improved the deauthentication issue; I forget exactly when.

Next, it is mostly a denial of service attack. They cannot get your password just by putting in an AP with the same SSID. Now, if your devices were stupid and accepted an open connection, they could put in the same SSID with no security and your devices would connect.

The password is never sent in the clear. To oversimplify it: the AP sends a value to the end client. The client encrypts this string using a one-way encryption code with the pre-shared key and sends it back. The AP does a one-way encryption on the value it sent and sees if it matches.
Since it is a one-way encryption cipher, there is no way to get the shared key. There are a number of other steps done during this that allow the generation of a session key for that session that is different from the encryption keys used by all other users using the same pre-shared key.

WPA3 makes this process even more secure from brute force attacks, but it is still not really possible to crack WPA2, or even WPA, unless you are the government.
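The exchange the reply above sketches is the WPA2-PSK 4-way handshake. The following is an added example, not code from the thread or from any vendor: both sides derive the PMK from passphrase and SSID with PBKDF2, expand it with both nonces into a per-session PTK, and prove possession of it with a MIC over the handshake messages. The SSID "HomeNet", the passphrase and the two MAC addresses are constructed values; EAPOL framing, replay counters, the GTK and message 4 are left out to keep the protocol logic visible.

```python
"""WPA2-PSK 4-way handshake, simulated end to end (added example, not from the thread).

Both sides derive the PMK from the passphrase + SSID and never transmit it; the
over-the-air messages carry nonces and MICs only. An AP that does not know the
passphrase cannot produce a MIC the station will accept, and vice versa.
Simplifications: no EAPOL framing, replay counters, GTK or message 4.
"""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK for WPA2-Personal): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) blocks, i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Returns (KCK, KEK, TK); KCK keys the EAPOL MIC, TK is the per-session data key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) EAPOL-Key MIC: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


class Peer:
    """One side of the handshake. Holds only its own MAC and the PMK derived from ITS passphrase."""

    def __init__(self, mac: bytes, passphrase: str, ssid: str):
        self.mac = mac
        self.pmk = pmk_from_passphrase(passphrase, ssid)
        self.nonce = os.urandom(32)  # fresh per association, so every session key differs


def run_handshake(ap: Peer, sta: Peer) -> dict:
    """Messages 1-3; report what each side could verify and what went over the air."""
    air = []
    # Msg 1 (AP -> STA): ANonce in the clear. No secret material leaves the AP.
    msg1 = ap.nonce
    air.append(msg1)
    # STA derives a PTK from its own PMK and both nonces, answers with SNonce + MIC (msg 2).
    sta_kck, _, sta_tk = derive_ptk(sta.pmk, ap.mac, sta.mac, msg1, sta.nonce)
    msg2 = sta.nonce + eapol_mic(sta_kck, sta.nonce)
    air.append(msg2)
    # AP derives its PTK from ITS PMK; the MIC only verifies if both PMKs match.
    ap_kck, _, _ = derive_ptk(ap.pmk, ap.mac, sta.mac, ap.nonce, msg2[:32])
    ap_accepts_sta = hmac.compare_digest(eapol_mic(ap_kck, msg2[:32]), msg2[32:])
    # Msg 3 (AP -> STA): install-key message, MICed with the AP's KCK.
    body3 = b"install-key"
    msg3 = body3 + eapol_mic(ap_kck, body3)
    air.append(msg3)
    # STA checks msg 3: an evil twin without the passphrase cannot forge this MIC.
    sta_accepts_ap = hmac.compare_digest(eapol_mic(sta_kck, body3), msg3[len(body3):])
    return {
        "ap_accepts_sta": ap_accepts_sta,
        "sta_accepts_ap": sta_accepts_ap,
        "over_the_air": b"".join(air),
        "sta_tk": sta_tk,
    }


def handshake_results(ap_passphrase: str, sta_passphrase: str, ssid: str = "HomeNet") -> dict:
    """Run one association with constructed MACs (assumed values, not from the thread)."""
    ap = Peer(bytes.fromhex("0a1b2c3d4e5f"), ap_passphrase, ssid)
    sta = Peer(bytes.fromhex("0a1b2c3d4e60"), sta_passphrase, ssid)
    return run_handshake(ap, sta)


if __name__ == "__main__":
    psk = "correct horse battery staple!"  # constructed passphrase
    legit = handshake_results(psk, psk)
    twin = handshake_results("wrong-guess", psk)  # same SSID, wrong passphrase
    print("real AP:   ap_accepts_sta=%s sta_accepts_ap=%s" % (legit["ap_accepts_sta"], legit["sta_accepts_ap"]))
    print("evil twin: ap_accepts_sta=%s sta_accepts_ap=%s" % (twin["ap_accepts_sta"], twin["sta_accepts_ap"]))
    print("passphrase bytes on the air:", psk.encode() in twin["over_the_air"])
```

In the evil-twin run both checks fail: the station rejects the fake AP at message 3, and the fake AP learns only SNonce and a 16-byte MIC; the passphrase never appears in the transcript, and two runs against the real AP yield different TKs. The caveat a practitioner should keep in mind is that the message 2 MIC is keyed by material derived from the PSK, so a captured handshake can be tested offline against passphrase guesses; the one-way derivation protects a strong passphrase, not a guessable one.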
 

randye007

Thanks for the comprehensive explanation @bill001g!
 
Wireshark will show them if you can capture the data in the first place. First, you must have a NIC that will allow you to place the card into monitor/promiscuous mode. This is not real common. Then you can't use Windows. Microsoft has decided that you are not allowed to use that feature even if the hardware supports it.
This type of hardware is even harder to find nowadays because there is little interest in WiFi capture. The data is generally encrypted twice, first by the WiFi encryption and then by things like HTTPS. In addition, it is much harder to capture a clean signal with the use of things like MIMO. Capturing and reconstructing overlapping signals is much more difficult, especially if you cannot be very close to the transmitters.
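Once a monitor-mode capture exists, the deauth frames the original poster describes are management frames of subtype 0x0C (disassociation is 0x0A), which Wireshark shows with the display filter `wlan.fc.type_subtype == 0x0c`. The following is an added example, not code from the thread: it parses the raw 802.11 header a monitor-mode capture yields, pulls the reason code out of deauth/disassoc frames, and flags any (BSSID, target) pair that receives a burst of them inside a short window. The MAC addresses, timestamps and frames are constructed test data, not a real capture; the window and threshold values are assumptions to tune per network.

```python
"""Spot deauthentication / disassociation bursts in raw 802.11 frames (added example, not from the thread).

Works on the bytes a monitor-mode capture yields: strip the radiotap header, read the
frame-control field, and for management subtypes 0x0C (deauth) and 0x0A (disassoc)
pull the reason code. A burst of these aimed at one client is the attacker's footprint.
"""
import struct
from collections import defaultdict

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08
REASON = {1: "unspecified", 2: "previous auth no longer valid",
          6: "class 2 frame from non-auth STA", 7: "class 3 frame from non-assoc STA",
          8: "STA leaving BSS"}


def strip_radiotap(pkt: bytes) -> bytes:
    """Radiotap header: version(1) pad(1) length(2, little-endian) ...; return the 802.11 frame."""
    return pkt[struct.unpack_from("<H", pkt, 2)[0]:]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None.
    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) Body."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:  # only management frames carry deauth/disassoc
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, mac_str(dst), mac_str(src), mac_str(bssid), reason


def find_deauth_bursts(frames, window_s=2.0, threshold=5):
    """frames: iterable of (timestamp_s, raw 802.11 frame). One alert per (bssid, target)
    whose densest window_s-wide window holds more than threshold deauth/disassoc frames."""
    per_target = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, dst, _, bssid, reason = parsed
        per_target[(bssid, dst)].append((ts, reason))
    alerts = []
    for (bssid, dst), events in per_target.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            n = end - start + 1
            if n > threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best:
            n, s, e = best
            alerts.append({"bssid": bssid, "target": dst, "count": n,
                           "window_start": events[s][0],
                           "reasons": sorted({REASON.get(r, str(r)) for _, r in events[s:e + 1]})})
    return alerts


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Constructed minimal management frame (test data): FC with the given subtype, zero duration/seq."""
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def sample_capture():
    """Constructed sample, not a real capture: one beacon, eight spoofed deauths (reason 7)
    hitting a camera within 0.7 s, and one lone disassoc to another client (normal leave)."""
    ap, cam, bulb = (bytes.fromhex(h) for h in ("0a1b2c3d4e5f", "0a1b2c3d4e60", "0a1b2c3d4e61"))
    frames = [(0.0, build_mgmt(BEACON, b"\xff" * 6, ap, ap, b"\x00" * 12))]
    frames += [(1.0 + 0.1 * i, build_mgmt(DEAUTH, cam, ap, ap, struct.pack("<H", 7))) for i in range(8)]
    frames.append((5.0, build_mgmt(DISASSOC, bulb, ap, ap, struct.pack("<H", 8))))
    return frames


if __name__ == "__main__":
    for a in find_deauth_bursts(sample_capture()):
        print(f"{a['count']} deauth/disassoc frames to {a['target']} from BSSID {a['bssid']} "
              f"starting t={a['window_start']}s, reasons={a['reasons']}")
```

Note that the spoofed frames carry the AP's own MAC as source, so the sender address alone proves nothing; the rate, the reason code and the fact that the real AP had no cause to send them are what give the attack away. Feed the function frames read from a pcap (after `strip_radiotap`) with their capture timestamps and it reports the burst; the single disassoc in the sample stays below the threshold and is not flagged.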