I don't understand why some people are still using WOL?

follower

Very Senior Member
It's convenient for them? Throwing away security?
I remember that I mentioned the WOL security risk at Snbforums years ago (7 or 8 years maybe?). I didn't talk about what I saw and knew at that time. Because when I said WOL is not safe, a lot of Snbforums users said it's safe, including someone. Why am I talking about this now? I've seen someone who my friend knows got hacked by WOL recently. That's why. Do not use WOL. If you still believe that WOL is safe, keep using it.
But you may lose everything. You don't even know you've got hacked. I can say more, but this is enough I think. ;)
 
By any chance did the friend of a friend have port forward enabled to the computer that got hacked? If so, it is their fault. Not WoL's fault!
 
I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!
 
I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!
It's not only waking up the device but also more. I don't think a lot of users know about this 3- or 4-year-old incident.
This is just an example of 'Why is WOL risky?'. This is why some Network device companies remove or don't use WOL function.
It has a long story. It's still evolving. It's not only for Ransomware but also Hacking.
Vulnerability>Owning the network device or PC>Using this attack> :eek:

[2019 to 2020 incident]
I can tell you that there are many dedicated hacking tools for this, paid and free.

What is it?

How does it work?

How to do it?
 
It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!
 
Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...
 
It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!
WOL is the key point and the loophole.

 
Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...
I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.
 
I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.

WOL is a concern as it's UDP on ports 7 (echo) or 9 (discard) - and UDP doesn't have the same kernel constraints as Raw Sockets... and since the WOL client is always listening outside of the OS the host is running, it's an interesting attack vector...

Challenge with WOL packets is that they are intercepted by the NIC at the network layer - before it hits the OS firewalls if any...
 
The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.
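
An added detection sketch, not part of any post in this thread: it recognises the standard Wake-on-LAN magic packet (six 0xFF bytes followed by the target MAC repeated 16 times) in captured UDP payloads and flags one source waking several distinct MACs in a short window, the sweep behaviour described for Ryuk above. The function names, the 60-second window, the threshold of 3 and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # magic packet preamble

def find_magic_target(payload: bytes):
    """Return the target MAC if payload holds a WoL magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]  # 16 x 6-byte MAC
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)  # pattern may sit at any offset
    return None

def wake_sweeps(events, window=60.0, threshold=3):
    """events: (timestamp, src_ip, udp_payload) tuples.
    Return {src_ip: [macs]} for sources that woke >= threshold distinct
    MACs within `window` seconds (assumed values, tune per network)."""
    seen = defaultdict(list)    # src_ip -> [(ts, mac)]
    flagged = defaultdict(set)  # src_ip -> MACs woken during a sweep
    for ts, src, payload in sorted(events, key=lambda e: e[0]):
        mac = find_magic_target(payload)
        if mac is None:
            continue
        seen[src].append((ts, mac))
        recent = {m for t, m in seen[src] if ts - t <= window}
        if len(recent) >= threshold:
            flagged[src] |= recent
    return {src: sorted(macs) for src, macs in flagged.items()}

def magic(mac: str) -> bytes:
    """Build a constructed sample payload for the demo data below."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * 16

# Constructed sample events (documentation IPs, locally administered MACs).
SAMPLE = [
    (0.0, "192.0.2.10", magic("02:00:00:00:00:01")),
    (1.0, "192.0.2.10", magic("02:00:00:00:00:02")),
    (2.0, "192.0.2.10", b"junk" + magic("02:00:00:00:00:03") + b"\x00" * 6),
    (5.0, "192.0.2.20", magic("02:00:00:00:00:01")),  # single wake
    (6.0, "192.0.2.20", SYNC + b"\x02" * 50),         # truncated, ignored
]

if __name__ == "__main__":
    for src, macs in wake_sweeps(SAMPLE).items():
        print(f"possible wake sweep from {src}: {macs}")
```

A single wake from one host is normal administration; many distinct targets from one source in a short window is the pattern worth alerting on.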
 
The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.
That's what I kind of figured.
 
All of labs and hackers say WOL is main. But some Snbforums users say it's not.🤔

1. Ryuk is a variant of Hermes ransomware (2018). It's a well-known ransomware and nothing new.
2. But attackers have added WOL attack technique > Ryuk.
3. This attack is not a random attack but a targeted attack. What does Targeted mean?
4. Targeted means the attackers know all the vulnerabilities of the victim's devices.
5. This kind of attack can overwrite your BIOS and firmware (PC, router, switch, IoT and more) with a hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.
 
All of labs and hackers say WOL is main. But some Snbforums users say it's not.

Well - I'm not one of those members that says - "don't worry about it..."

Rather - it's one of many things one can do to keep your LAN and Devices Secure... Depends on the NIC and BIOS/UEFI in use - easy enough to turn off, however defaults are to have it on...

At the risk of going off-thread - There are a lot of threats out there - and it's really about a few things...

1) remain current with your chosen OS provider
2) on-device firewalls are a good thing - Mac and Windows are decent about this - I would say a 7 score out of 10
3) watch what services you expose on clients and the router/gateway
4) some spatial awareness around things - Apple/Google/Microsoft/Facebook/Amazon are going to contact you only in certain ways - and there, don't click the darn link - log in directly to the service provider...

It's really about practicing "Safe HEX" - and it's ok to refer to operational security like this - it gets attention...
 
All of labs and hackers say WOL is main. But some Snbforums users say it's not.🤔

1. Ryuk is a variant of Hermes ransomware (2018). It's a well-known ransomware and nothing new.
2. But attackers have added WOL attack technique > Ryuk.
3. This attack is not a random attack but a targeted attack. What does Targeted mean?
4. Targeted means the attackers know all the vulnerabilities of the victim's devices.
5. This kind of attack can overwrite your BIOS and firmware (PC, router, switch, IoT and more) with a hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.
Dell has been pretty good about updating BIOS even in their older PCs. It is one of the reasons I don't build PCs using random motherboards anymore. I am now using all UEFI no BIOS.

The attack is still going to have to happen inside your home network. I think the IOT is how it is going to happen. Isolate them.
 