IoT devices in an Evil Twin Attack

randye007

Occasional Visitor
Hi All,

I have a situation where someone in my neighbourhood is sending deauth packets to some of my IoT devices (camera, Google Home, External home decorative lights controller, Garage Door Opener) at random times (usually once every few days). My IoT devices go down for 15-20 minutes each time then reconnect to my AP. All these IoT devices use WPA2/WPA3 security and I have complex WiFi passwords configured.
My question/concern is what is happening while these IoT devices are disconnected. These IoT devices will try to reconnect to the AP. In an Evil Twin Attack, the attacker will spoof my AP and try to fool the IoT device to connect to it. Since the IoT device is automatically reconnecting to the AP point, what happens when it tries to connect to the fake AP if it has a stronger signal? Will it expose my WiFi password? Thx!
 
What leads you to think this is happening, as opposed to some other wireless issue?
That’s a good question. Originally, I thought it was the Wifi Control Channel being set to auto. I noticed the same IoT devices were being disconnected and reconnected nightly. So I thought the auto optimizing of Wi-Fi Control Channels was the issue. I further confirmed this thought when I changed the Wi-Fi Control Channel to be fixed. After I did this, the disconnects were occurring once every few days. But what’s been bugging me is why all devices on the AP are not disconnecting when the Wifi Control Channel is being optimized. That’s how it works.
In addition, I have a Fingbox notifying me of Wi-Fi attacks being detected. I’m not ruling out some other Wi-Fi issue causing this, but I’m interested to know the answers to my questions for that particular scenario.
I’m ramping up on Wireshark and looking to monitor the wlan mgmt and control packets to get a better understanding of what’s actually going on.
 
All these IoT devices use WPA2/WPA3 security and I have complex WiFi passwords configured.

Turn on PMF (Protected Management Frames) and that problem goes away...

What makes you think you're being deauth'ed in the first place - that's a very specific approach that requires more than a bit of technical skill - unless you're "that guy" in the neighborhood, you're likely seeing a bug in one or more of your clients.
 
Turn on PMF (Protected Management Frames) and that problem goes away
Unfortunately, some of my devices are still on WPA2, so I’ve had to set PMF to Capable.
You’re right — I’m not positive it’s a deauth attack. I’m using Wireshark to confirm.
 
Have you thought of something else? Many IoT devices are still on the 2.4GHz band. As a hobby, I also restore vintage Tamiya R/C cars, I had a situation where when I switched on my R/C controller, also operating on the 2.4GHz band, in our living room, the wifi dropped for as long as the controller was switched on :) Just saying.
 
Unfortunately, some of my devices are still on WPA2, so I’ve had to set PMF to Capable.
You’re right — I’m not positive it’s a deauth attack. I’m using Wireshark to confirm.

Well, deauth is a management frame, and without PMF, it's in the clear - since it is a management frame, the client stations have to honor it. That being said, they should come right back, as they still have the SSID and Shared Secret Data stored, so they should scan and reattach right away.

There are a multitude of reasons why a device would leave a network - could be timeouts on the key rotation, DHCP timeouts, etc...
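
Added example, not part of any post in this thread: one way to check a monitor-mode capture for the deauth question discussed above is to pull out deauth/disassoc management frames, note whether the Protected bit is set (PMF on unicast frames), and flag bursts aimed at one client. The function names, the burst threshold and window, and the sample frames and MAC addresses are all constructed assumptions.

```python
import struct
from collections import defaultdict
SUBTYPES = {0xA: "disassoc", 0xC: "deauth"}  # management-frame subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Parse a raw 802.11 frame (no radiotap header); None unless deauth/disassoc."""
    if len(frame) < 24:  # 24-byte management header
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) not in SUBTYPES:
        return None
    protected = bool(flags & 0x40)  # Protected bit: set on unicast frames under PMF
    reason = None
    if not protected and len(frame) >= 26:
        (reason,) = struct.unpack_from("<H", frame, 24)  # cleartext reason code
    return {"kind": SUBTYPES[fc0 >> 4], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]),
            "protected": protected, "reason": reason}

def find_bursts(capture, threshold=5, window=1.0):
    """capture: iterable of (seconds, raw_frame). Returns {(src, dst): count} for
    pairs with >= threshold unprotected deauth/disassoc frames within `window` s."""
    times = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f and not f["protected"]:
            times[(f["src"], f["dst"])].append(ts)
    alerts = {}
    for pair, seen in times.items():
        seen.sort()
        lo = 0
        for hi, t in enumerate(seen):
            while t - seen[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[pair] = len(seen)
                break
    return alerts

def make_frame(fc0, flags, dst, src, bssid, body):  # builds constructed test frames
    return bytes([fc0, flags]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

AP, CAM = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE = [(10.0 + i * 0.1, make_frame(0xC0, 0, CAM, AP, AP, b"\x07\x00")) for i in range(8)]
SAMPLE.append((42.0, make_frame(0xC0, 0x40, CAM, AP, AP, b"\x00" * 18)))  # protected deauth
SAMPLE.append((50.0, make_frame(0x80, 0, b"\xff" * 6, AP, AP, b"")))  # beacon, ignored
```

The source address in an unprotected deauth frame is not authenticated, so a burst whose src is the AP's BSSID only shows that the frames claimed to come from the AP; compare the timestamps with the router's own log before drawing a conclusion. A single deauth or disassoc frame is routine, which is why only bursts are flagged.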
 
