The Nearest Neighbor Attack (opens in new tab)

(volexity.com)

230 pointsthrowaway992101y ago69 comments

69 comments

34 comments · 9 top-level

kmeisthax1y ago· 16 in thread

So, as I understand it, you 0wn a machine in one organization, then use it to tunnel over to Wi-Fi in the building next door, 0wn another machine there, rinse and repeat until you've created the world's least consensual mesh network?

_nalply1y ago

They are exploiting that Wifi didn't have 2fa, because they couldn't overcome 2fa. A company accross the street had a machine that both was accessible by ethernet and wifi and they used that as a bridge.

Conclusions:

1. Anything that doesn't have 2fa is leaking like a sieve.

2. The targeted company needs to implement 2fa for their Wifi as well.

Not mentioned, but I assume that their 2fa is using specialised hardware gadgets like Yubikey and not texts or totp, because else they could target the cell phones, and like everything else they are leaking, or they are attacking the cell phone base stations.

Final conclusion:

A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.

cortesoft1y ago

My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi, it should be treated like the public internet.

A separate VPN, with MFA, should be required to access anything.

5 more replies

Sesse__1y ago

> Final conclusion: A network is as strong as the weakest link.

Final conclusion: Do not trust a device just because it happens to be on your local network.

1 more reply

akaiser1y ago

Eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. Basically comes for free with AD and NPS.

1 more reply

eru1y ago

> A network is as strong as the weakest link.

Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.

1 more reply

Aloisius1y ago

Being able to validate credentials via the public facing website without MFA was a considerable problem as well. Also not locking down accounts after failed attempted logins.

Wifi with 802.1X and certs would have been fine here without MFA.

ninalanyon1y ago

Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.

zelon881y ago

The goal here was to circumvent 2FA on devices located inside the Org A office.

On-prem systems prompt for 2FA. So the attacker knew a user/password combo, but couldn't leverage it directly because they would have triggered 2FA.

But the 802.1x didn't have 2FA enabled. So using the user/password combo they already had, they just needed to approach the target network over WiFi in order to bypass the 2FA requirement.

mandevil1y ago

From thousands of kilometers away, to make attribution/legal issues even more complex.

thrdbndndn1y ago

why do you type 0wn (zero) instead of own?

duxup1y ago

I think it nicely demonstrates the difference between "own" (legally and appropriately) and "0wn" taking control by hacking but exerting as much control as "own".

0xEF1y ago

Putting the "hacker" back in Hacker News, I guess

2 more replies

EvanAnderson1y ago

They were reaching for the "p" key and hit "0" by mistake.

Terr_1y ago

Adding a serious response in case [0] it's a serious question: "0wn" is a kind of in-joke among hacker/security communities. [1] In particular, it differs from "own" in that it connotes "forcibly taking control of", rather than formal legal ownership. Another version is "pwn" which is a marginally newer and more-associated with online gaming.

[0] https://xkcd.com/1053/

[1] https://en.wikipedia.org/wiki/Leet

1 more reply

RGamma1y ago

Cuz it's k00l

TacticalCoder1y ago

The best is to never get pwned.

skulk1y ago· 2 in thread

Darknet Diaries #151 has an Australian dude explaining a form of this type of attack and how he stole money out of a middle eastern bank for a wealthy client. Maybe it's not exactly the same but it struck me as similar because he uses weak WiFi security as part of the exploit chain as well as hopping between compromised residential networks to obfuscate the origin.

sleepybrett1y ago

This is a little different. What he was doing is essentially setting up proxies all over the world.

These guys hacked into a machine connected by ethernet with an idle wifi adapter, then used that idle wifi adapter to connect to the wifi of a company nearby.

cesarb1y ago

> These guys hacked into a machine connected by ethernet with an idle wifi adapter

And having an idle wifi adapter like that is common nowadays. For some reason, many desktop PCs intended to stay in a single fixed place come from factory with a built-in wifi card and built-in antennas. You'd think that would make these PCs more expensive, but apparently wifi cards are cheap nowadays?

2 more replies

alasdair_1y ago· 2 in thread

It seems it would be far easier to just mail the company a raspberry pi, a battery and a GSM module. Address it to someone nonexistant so it doesn't get opened for a few days.

The real news is that the wifi didn't use 2FA like the rest of the system.

CGamesPlay1y ago

This wouldn’t make it through building security. My last large corp x-rayed all packages and would notice a nonexistent recipient immediately.

ninalanyon1y ago

What proportion of companies do that?

_hl_1y ago· 2 in thread

What’s wrong with the tried-and-tested technique of flying a guy or girl over there to drop a small gadget in WiFi proximity?

voidUpdate1y ago

Russia is quite far away to send a plane small enough to fly low over the building and drop a device onto the roof, and I don't think you're allowed to throw things out of an airliner window anyway

_hl_1y ago

I mean a normal passenger on a normal plane making a normal trip to an office building and finding a hidden location where to tape a small box with an arduino in it. Maybe even on the outside so you can use solar power? Though it only needs to last long enough to compromise a machine inside the network.

This would be nothing new, I remember ages ago in the days of WEP that you could buy a small box that would collect enough handshakes to let you crack the WEP password.

4 more replies

meandmycode1y ago· 1 in thread

Anybody else get a feeling it was Volexity that did all this research? Interesting story none the less

mfro1y ago

77 instances of 'Volexity' on that page. LOL

leoqa1y ago· 1 in thread

Kind of wild they didn’t rotate all the creds after the first, second hacks.

duxup1y ago

I suspect every organization is as secure as its least secure/capable decision maker.

It's a scary thing as all you have to do is add one decision, one ignorant person and it's bad news.

I've worked in orgs where we made big leaps in security, very proud of our work. Then one ignorant person who had the authority made a decision with no valid benefit to anyone, completely compromised everything.

Seen it time and again.

Not sure if that was the case as far as the credentials went in this situation, but it always seems to be the human element as far as curious choices goes.

Rygian1y ago· 1 in thread

> Volexity now determined the attacker was connecting to the network via wireless credentials they had brute-forced from an Internet-facing service. However, it was not clear where the attacker was physically that allowed them to connect to the Enterprise Wi-Fi to begin with. Further analysis of data available from Organization A’s wireless controller showed which specific wireless access points the attacker was connecting to and overlayed them on a map that had a layout of the building and specific floors.

This is the kind of hackery I'd enjoy seeing in a blockbuster movie.

0_____01y ago

I think Ubiquiti have that built into their AP/network management software. You can define a floorplan and drop your APs into it to understand dead zones etc, and you have granular data on which clients are connected to which APs

__MatrixMan__1y ago

I'm reminded of this defcon talk: https://m.youtube.com/watch?v=qLCE8spVX9Q (What the Fax?) where the nearest neighbor was a multifunction fax/printer and the initial attack was faxing it some updated firmware and telling it to print to memory instead of paper.

fsflover1y ago

Related discussion: https://news.ycombinator.com/item?id=42213178

j / k navigate · click thread line to collapse

69 comments

34 comments · 9 top-level

kmeisthax1y ago· 16 in thread

_nalply1y ago

Conclusions:

1. Anything that doesn't have 2fa is leaking like a sieve.

2. The targeted company needs to implement 2fa for their Wifi as well.

Final conclusion:

A network is as strong as the weakest link. In that case Wifi was not protected by strong 2fa and could be used to breach.

cortesoft1y ago

A separate VPN, with MFA, should be required to access anything.

5 more replies

Sesse__1y ago

> Final conclusion: A network is as strong as the weakest link.

Final conclusion: Do not trust a device just because it happens to be on your local network.

1 more reply

akaiser1y ago

Eludes me why they didn't have device-certificate-based auth for their Enterprise WiFi in addition to the username+password. Basically comes for free with AD and NPS.

1 more reply

eru1y ago

> A network is as strong as the weakest link.

Depends on how you look at it. We have end-to-end security with things like https, so we don't need to worry about the links in the middle.

1 more reply

Aloisius1y ago

Being able to validate credentials via the public facing website without MFA was a considerable problem as well. Also not locking down accounts after failed attempted logins.

Wifi with 802.1X and certs would have been fine here without MFA.

ninalanyon1y ago

Devices that are authorized to be on the corporate network should not need usernames and passwords to connect to the wifi. That should be controlled by certificates managed by the IT department.

zelon881y ago

The goal here was to circumvent 2FA on devices located inside the Org A office.

On-prem systems prompt for 2FA. So the attacker knew a user/password combo, but couldn't leverage it directly because they would have triggered 2FA.

But the 802.1x didn't have 2FA enabled. So using the user/password combo they already had, they just needed to approach the target network over WiFi in order to bypass the 2FA requirement.

mandevil1y ago

From thousands of kilometers away, to make attribution/legal issues even more complex.

thrdbndndn1y ago

why do you type 0wn (zero) instead of own?

duxup1y ago

I think it nicely demonstrates the difference between "own" (legally and appropriately) and "0wn" taking control by hacking but exerting as much control as "own".

0xEF1y ago

Putting the "hacker" back in Hacker News, I guess

2 more replies

EvanAnderson1y ago

They were reaching for the "p" key and hit "0" by mistake.

Terr_1y ago

[0] https://xkcd.com/1053/

[1] https://en.wikipedia.org/wiki/Leet

1 more reply

RGamma1y ago

Cuz it's k00l

TacticalCoder1y ago

The best is to never get pwned.

skulk1y ago· 2 in thread

sleepybrett1y ago

This is a little different. What he was doing is essentially setting up proxies all over the world.

These guys hacked into a machine connected by ethernet with an idle wifi adapter, then used that idle wifi adapter to connect to the wifi of a company nearby.

cesarb1y ago

> These guys hacked into a machine connected by ethernet with an idle wifi adapter

2 more replies

alasdair_1y ago· 2 in thread

It seems it would be far easier to just mail the company a raspberry pi, a battery and a GSM module. Address it to someone nonexistant so it doesn't get opened for a few days.

The real news is that the wifi didn't use 2FA like the rest of the system.

CGamesPlay1y ago

This wouldn’t make it through building security. My last large corp x-rayed all packages and would notice a nonexistent recipient immediately.

ninalanyon1y ago

What proportion of companies do that?

_hl_1y ago· 2 in thread

What’s wrong with the tried-and-tested technique of flying a guy or girl over there to drop a small gadget in WiFi proximity?

voidUpdate1y ago

Russia is quite far away to send a plane small enough to fly low over the building and drop a device onto the roof, and I don't think you're allowed to throw things out of an airliner window anyway

_hl_1y ago

This would be nothing new, I remember ages ago in the days of WEP that you could buy a small box that would collect enough handshakes to let you crack the WEP password.

4 more replies

meandmycode1y ago· 1 in thread

Anybody else get a feeling it was Volexity that did all this research? Interesting story none the less

mfro1y ago

77 instances of 'Volexity' on that page. LOL

leoqa1y ago· 1 in thread

Kind of wild they didn’t rotate all the creds after the first, second hacks.

duxup1y ago

I suspect every organization is as secure as its least secure/capable decision maker.

It's a scary thing as all you have to do is add one decision, one ignorant person and it's bad news.

Seen it time and again.

Not sure if that was the case as far as the credentials went in this situation, but it always seems to be the human element as far as curious choices goes.

Rygian1y ago· 1 in thread

This is the kind of hackery I'd enjoy seeing in a blockbuster movie.

0_____01y ago

__MatrixMan__1y ago

fsflover1y ago

Related discussion: https://news.ycombinator.com/item?id=42213178

j / k navigate · click thread line to collapse