Showing posts with label router. Show all posts
Showing posts with label router. Show all posts

With Nest WiFi, internet routers will double as Google Assistant smart speakers


With the promise of speedy internet for every room, Google's new mesh Wi-Fi system wants to give Google Assistant a bigger footprint in our homes.google-nest-wifi-routers
Available in your choice of three colors, Nest Wifi Points extend the range of Nest Wifi setups -- and they double as Google Assistant smart speakers, too.
Juan Garzon/CNET

Google on Tuesday announced the launch of the Nest Wifi, a refreshed version of the company's popular mesh router system, Google Wifi. Available for pre-order today and set to arrive November 4, the system is comprised of a Nest Wifi Router that plugs into your modem and separate Nest Wifi Points that wirelessly extend the reach of its signal -- and which themselves double as Google Assistant smart speakers.
A two-piece setup with the Nest Wifi Router and one Nest Wifi Point will cost $269. A three-piece setup with the Nest Wifi Router and two Nest Wifi Points will cost $349, and promises to cover homes of up to 3,800 square feet. That's enough coverage for 85% of homes in the US, Google says.

Mesh, meet Google Assistant

Beyond spreading a speedy internet signal throughout your home, the Nest Wifi promises to spread the voice-activated intelligence of Google Assistant around your house, too. That's because each of those Nest Points now doubles as a fully functional Google Assistant smart speaker, complete with always-listening microphones and touch controls on the top of the device.
The goal, Google says, is to get users to keep these things out in the open as opposed to hiding them out of sight, where they won't relay their signals as well. To that end, the new Nest Wifi Points also come in your choice of three colors (snow, sand or mist), and you can buy one on its own for $149. The Nest Router only comes in white, and costs $169 on its own.


google-home-nest-wifi-points-1670Enlarge Image
You'll see an ambient glow from the light ring around the base of the Nest Point whenever it's sending audio to Google's cloud to come up with a response. When the mics are muted, the ring will glow orange.
James Martin/CNET

"We realized that performance for the Wifi Point would double if it was off the floor, not hidden in a closet," said Ben Brown, Google product lead for the Nest Wifi. "Having a great design, having something you actually want to interact with, and having the Assistant on the device makes it actually so it's a much better Wi-Fi system."
You can use a Nest Wifi Point just like you'd use one of Google's other smart speakers, like the Nest Mini, which also made its debut today. You get its attention by saying "OK Google," and then you give it a question or a command, including new Wi-Fi-specific commands like asking for a speed test or to pause Wi-Fi to specific devices or groups of devices. A ring of white light around the base of the device will glow whenever it hears you, and to let you know that it's connecting with Google's cloud to come up with a response. If you want to turn the mics off, just flip the mute switch in the back.
We haven't had a whole lot of time to give it a close listen for ourselves, but Google says that the sound quality in each Nest Point is stronger than you might expect. That's because the need for extra space inside the device for the antennas and for heat dispersion means that there's also plenty of room to push sound around via the downward firing speaker, Brown says.
As for the touch controls on the top face of each marshmallowy device, you can tap the center to pause or resume playback, or tap the sides to turn the volume up and down. Like with the new Nest Mini, a set of indicator lights will glow when your hand draws near to show you where to aim for those volume controls.


Now playing: Nest Wifi puts Google Assistant into your router
 3:25

Faster than before -- but where's Wi-Fi 6?

That new Nest Router is an AC2200 model, which means that it supports current-gen Wi-Fi 5 connections with a maximum combined speed of about 2,200 Mbps across all bands -- up from about 1,200 Mbps last time around. Your actual speed will be a lot lower, since you can only connect to one band at a time, but like Google Wifi before, Nest Wifi will automatically "steer" you from band to band as you move about your house in order to keep your connection as swift and steady as possible.
Another upgrade: Nest Wifi now boasts four antennas for up to four simultaneous wireless connections (4x4). If you're using a client device like a MacBook Pro that can take advantage of those multiple antennas, then you'll be able to combine the speed of those simultaneous streams for a faster Wi-Fi experience.


google-home-nest-wifi-points-1603Enlarge Image
You can spread Nest Wifi Points around your home to triangulate a better internet connection in every room. The previous version of the system is our top-rated mesh setup.
James Martin/CNET

All of the new hardware is also backwards compatible with first-gen Google Wifi setups, so you'll be able to add the new Nest Point extenders with their built-in speakers to your system if you've already bought in. And, if you decide to upgrade to the new Nest Router, your old Google WiFi access points will be able to connect to it and extend its signal, too.
As for the lack of support for next-gen Wi-Fi 6 features, Google suggests that it's still too early for the emerging standard in people's homes.
"It's really only 2022 by which point you're going to have a critical mass of [Wi-Fi 6] devices in the home, at which point Wi-Fi 6 will make sense in the home," said Sanjay Noronha, product lead for Nest Wifi. "And so, our philosophy is how do we make these products useful today?"
Google likely wants to keep its routers affordable, too. For reference, the Wi-Fi 6-ready version of Netgear Orbi, due out later this month, is slated to cost $700 for a two-pack with the router and a single satellite extender. Prices like that are out of reach for too many potential users, Noronha said.
Meanwhile, the newest Wi-Fi 5 version of Netgear Orbi costs $149 for a two-pack, and it supports built-in smart speaker functionality if you add in the $300 Orbi Voice extender with Alexa. Another competitor worth keeping an eye on: Amazon-owned Eero, which just released a new version of its Wi-Fi 5 mesh system as a $249 three-pack. That price is half the cost of the original, and an excellent indication that competition is heating up in the mesh category.
"We recognize that there's going to continue to be an evolution of technology, and we will continue to work on those evolutions," Brown said, "but we also want to make sure that we're delivering the best possible experience for everyone. And I think that we are very confident that this is what [Nest Wifi] represents today. And for the next, you know, five years, honestly."

Wi-Jacking: Accessing your neighbour’s WiFi without cracking

UPDATE (5th September 2018). Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge Internet Explorer and Safari do.  This makes the exploit much closer to a phishing attack and much less likely to succeed.
It is important to note that the latest version of Opera is still vulnerable as of 2018-09-05, but will hopefully also be quickly patched. This is a positive response from Google and is great to see following our original report to them in March 2018.
As per our originally-proposed solution, it would also be great to see Microsoft adjust captive portals in Windows to behave in a similar way to those in MacOS (separate browser) and for router manufacturers to enforce HTTPS management by defaults on their devices. These changes would further limit this vector of attack.

Original Article:

During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access a huge amount of WiFi networks.
The browser behaviour relates to saved credentials. When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.
By combining these two components it was possible to gain access to various networks without cracking a single handshake, which is the currently most-used method of gaining access to a WPA/WPA2 network but requires a weak passphrase. The attack should work on most networks, but there are a few pre-requisites that need to be met for the attack to succeed:
  • There MUST be an active client device on the target network
  • Client device MUST have previously connected to any other open network and allowed automatic reconnection
  • Client device SHOULD* be using a Chromium-based browser such as Chrome or Opera
  • Client device SHOULD** have the router admin interface credentials remembered by the browser
  • Target network’s router admin interface MUST be configured over unencrypted HTTP
auto-connect to open wifiremember router admin password
Without those five pre-requisites, the attack is not possible. However, those are all somewhat likely occurrences given that most browsers prompt users to save credentials automatically. The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.
*Firefox, IE/Edge and Safari require significant user interaction, so attack does work, but is more of a social engineering based. With Chrome it is significantly more seamless.
**If the router’s admin interface credentials are not saved, it is still possible to attempt to guess default values
It is also important to note that the attack has been demonstrated against home routers by extracting the WiFi key directly from the web interface. However, other devices can be targeted if they have a semi-predictable URL that is exposed over unencrypted HTTP. Many IoT devices fit into this category but none were specifically tested here.
Before getting to the meat of the attack, we are assuming that you are already familiar with the Karma/Jassager attack. Karma is used in part of the workflow and if you are not familiar with it, consider reading the following article:

Now for the actual walkthrough


Step 1. Bring the client device onto a network we control:

The first step is to start sending deauthentication requests with aireplay-ng and with the Karma attack using ‘hostapd-wpe’, both with an Alfa AWUS036NHA.
connected to home wifi
deauth attack
connected to open network

Step 2. Trigger the browser to load our URL:

We did this with ‘dnsmasq’ and a Python script. When we see a HTTP request, we create a response redirecting to our URL and serve our own page.
The URL and served page are different depending on the router we’re targeting. We can detect which URL/Page pair to send based on BSSID and ESSID or just take a guess, the range of options is limited anyway.
There are some extra options for redirection too. By default, we allow HTTPS through untouched and wait for an HTTP request. But if this is taking too long, triggering captive portal detection on Windows will automatically launch the default browser at a URL we specify. However, there are limitations to triggering a captive portal, primarily against MacOS, which launches a separate browser specific to dealing with captive portals, preventing us from accessing stored credentials.
portal flask app
wifi credential capturing page

Step 3. Steal the autocomplete credentials:

This is where things get interesting. When our page loads, the browser makes two initial checks.
  1. Does our URL origin match the router’s admin interface origin (protocol & IP address/hostname)
  2. Do the input fields on the page match what the browser remembers of the router’s interface
If these two checks pass, then the browser automatically populates our page with the saved credentials. In this case, the router’s admin details. Naturally these input fields are completely hidden from the target.
If the target is using Chrome, there is one more step: The Chromium feature “PasswordValueGatekeeper” requires a user to interact with the page in some way. A click anywhere on the page is fine, and after the click we can harvest the credentials.
If the target is using Firefox, Internet Explorer, Safari or Edge, then we can’t have the input fields hidden. The attack would still work, but only if the target clicks on our form field and select their credentials from the drop-down instead. At this point the attack is mostly social engineering.
But let’s not stop here, these credentials are almost useless right now. There’s even a good chance we might have guessed them before we even started the attack (for example, admin:password) but we can’t use them from our current position on the outside of the network.

Step 4. Send the target to their home WiFi

Once we have the credentials, we want the target to keep our page open just a little longer. At this point we stop our Karma attack, releasing the target back to their own network.
connected to home wifi
Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most WiFi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point or anything else we can do from within the router’s interface.
We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand. Using BeEF Project it would also be possible to proxy through to the page, granting the attacker access to the router interface as if they were logged in directly.
credentials captured

Solution

Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target.
The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.
The most complete solution would be to implement HTTPS with trusted keys and certificates on these devices. But this requires support for custom HTTPS certificates as well as your own certificate management infrastructure, in an enterprise this is commonplace but for home users this is extremely unlikely. Vendors might consider implementing HTTPS on their devices by default, but those keys could simply be stolen by anyone with one of the devices by reverse-engineering the firmware.
Microsoft could also make the process more difficult to exploit by using a separate captive portal browser instead of simply launching the default browser similar to how MacOS behaves.

Disclosure Timeline

Chromium:
  • SureCloud: Disclosed March 2nd
  • Chromium: Response Received March 2nd (“working as designed”)
Microsoft
  • SureCloud: Disclosed March 27th
  • SureCloud: Chase Sent April 13th
  • [Microsoft’s messages were all being flagged as spam]
  • Microsoft: Response Received May 25th (Clarification requested)
  • SureCloud: Clarification Sent June 4th
  • Microsoft: Case opened June 5th
  • Microsoft: Requested disclosure details June 6th
  • SureCloud: Clarification sent June 6th
  • Microsoft: Flagged for consideration, but no immediate action June 21st
Asus
  • SureCloud: Disclosed March 21st
  • Asus: Responded March 22nd (Discussing with engineers)
  • SureCloud: Discussing solutions April 4th
  • SureCloud: Sent notice to publish May 25th
  • Asus: Discussing solutions June 11th
  • SureCloud: Discussing solutions and notice to publish July 11th
Following the discussions with ASUS, it’s became clear we’d exhausted all options for ethical disclosure with this Proof of Concept.

References

While this was only discovered after disclosing to Chromium, someone named Chris had beaten us to the underlying idea. We have however taken it much further and demonstrated a real-world attack.
Our submission (merged into original): https://bugs.chromium.org/p/chromium/issues/detail?id=818156

Tools

All the tools used to perform the attack are standard components of Kali except for router specific payloads themselves and the selection script.
A copy of the scripts we’ve used can be found here:
These are Proof of Concept only and the community will no doubt take this attack much further. The long-term goal is to build a module for the WiFi Pineapple to automate the attack, with this is expected in the coming months.

Video

Mitigations


As highlighted we are exploiting ‘by design’ features, which will hopefully change with public release of this article. However, in the meantime there are a few key steps that can be taken to help protect yourself:
  • Only login to your router using a separate browser or incognito session
  • Clear your browser’s saved passwords and don’t save credentials for unsecure HTTP pages
  • Delete saved open networks and don’t allow automatic reconnection
  • As it is nearby impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.



via surecloud

The FBI wants you to factory reset your router. Here's how to do it

The VPNFilter malware problem is getting worse. Here's how to safeguard your home network, and a list of the affected models.
d-link-dir-867-6
The list of routers affected by VPNFilter has grown considerably.
Chris Monroe/CNET
Good news, everyone! Remember that FBI reboot-your-router warning in response to Russian malware VPNFilter? Turns out it's worse than originally thought, and a lot more people are going to need to do a lot more than just reboot their routers.
According to a new report from security firm Cisco Talos, the VPNFilter malware is "targeting more makes and models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints."
That means if you own one of the affected routers -- and that list has expanded to include models from Asus, D-LinkHuawei, Ubiquiti, Upvel and ZTE -- it's strongly recommended that you perform two key steps: upgrade the firmware and then factory-reset the router.
Ugh. This is going to suck. But we can get through it.

Step 1: Upgrade your router's firmware

In some ways this is the easier step, as it can often be done within the confines of your router's dashboard. Firmware is just the core software that operates the router, and updating it usually involves little more than a download and a few automated router restarts.
Of course, if you've never so much as looked at that dashboard, well, it may be time for a trip to the owner's manual -- or the router manufacturer's online help pages.
Because the firmware-update process varies from one make and model to another, here's a quick, generalized overview -- one that's based on upgrading an Asus WRT router.
Step i: Visit the Asus support site and download the most current firmware for your specific model.
Step ii: Open a browser window, type in 192.168.1.1 and press Enter. This will take you to the router's dashboard page -- but you may need a username and password to gain access. If you never changed the defaults, you should be able to find them in the instruction manual. (Often, the defaults are "admin" and "password," respectively.)
asus-firmware-upgrade-dialog
Updating your router's firmware may involve a screen like this.
Asus
Step iii: Click the Administration button (again, this is just for Asus routers; on other models it might be Configuration or Firmware or the like), then the Firmware Upgrade tab.
Step iv: Click Choose File and locate the firmware file you downloaded in Step 1. Then click Upload to perform the update.
This may take a few minutes, and your router will likely restart at least once during the process. Needless to say, you'll lose all internet connectivity while this is happening.
And, again, this is just one example of the firmware-update process. It's a common one, but the steps may be different for your model. 
Watch this: Russian hackers targeting your router: Here's what to...
1:23 

Step 2: Factory-reset your router

Now for the big hassle. You probably know that you can reboot or reset your router by pulling the power cord for a few seconds and then plugging it back in. But a factory reset is a little different. True to its name, it restores all the settings to their original, factory state, so once it's done, you get to have the fun of setting up your home network again.
Before you get started, make sure to write down the name and password of each Wi-Fi network currently configured on your router. You might have just one; I've seen houses that had five. You'll want to note these so you can recreate them verbatim after the factory reset.
Why is that important? Because if your current "SmithLAN" network becomes "Smith LAN" after the reset (just because you forgot and added a space this time), now you'll have to manually reconnect every device in your house to that "new" network. Hassle city.
The actual reset should be pretty easy. On some Linksys routers, for example, there's a small reset button on the unit itself. You press and hold it for 10 seconds and that's it. Alternately, you may be able to sign into the dashboard and execute the reset from there. In the aforementioned Asus example, in Step 3, you'd click the Restore/Save/Upload tab and then the Restore button.
Again, consult your router manual (or router's website) for the correct factory-reset steps for your model.
Here are links to the support directories for some of the affected routers (the complete list is in the next section): 
When it's done, you'll have to venture into the dashboard and recreate your networks. Thankfully, with your firmware upgraded and any trace of VPNFilter eradicated, you should be safeguarded from future attacks -- of this particular malware, anyway.

Which routers are affected?

Courtesy of Cisco Talos, here's a current list of the models that can be affected by VPNFilter. Those identified as new weren't included in the original report.
Asus
  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)
D-Link
  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)
Huawei
  • HG8245 (new)
Linksys
  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N
Mikrotik
  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)
Netgear
  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)
Qnap
  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software
TP-Link
  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)
Ubiquiti
NSM2 (new)
  • PBE M5 (new)
  • Upvel
    • Unknown models (new)
    ZTE
    • ZXHN H108N (new)
via cnet
Subscribe to: Posts (Atom)

Microsoft

Microsoft

android

android

iOS

iOS

Download Spy on My Wifi

Copyrights @ spy on my wifi - spyonmywifi Designed by Templateism | Templatelib