Protected Management Frames

[PeterLiljedahl]

Hello forum.
Does anybody know if PMF is a concern in general since most devices does not seem to work with it?.
Of the somewhat newer devices in my household, my old HP Probook 5330m with an
Intel(R) Centrino(R) Advanced-N 6205 wifi adapter seemed to support it, but another equally old HP laptop
8530w with an intel 5300 agn wifi adapter didnt support it - strange really.
I am not sure when PMF was introduced but given how old my laptop is, it has to be 10 years ago.
Wikipedia states that: It uses the existing security mechanisms rather than creating new security scheme or new management frame format.
This must mean its fairly simple to implement on devices missing it.
Why has manufacturers omitted this function throughout the years given the various exploits that exists such as rouge APs?.
Thanks.

 

[drinkingbird]

Hello forum.
Does anybody know if PMF is a concern in general since most devices does not seem to work with it?.
Of the somewhat newer devices in my household, my old HP Probook 5330m with an
Intel(R) Centrino(R) Advanced-N 6205 wifi adapter seemed to support it, but another equally old HP laptop
8530w with an intel 5300 agn wifi adapter didnt support it - strange really.
I am not sure when PMF was introduced but given how old my laptop is, it has to be 10 years ago.
Wikipedia states that: It uses the existing security mechanisms rather than creating new security scheme or new management frame format.
This must mean its fairly simple to implement on devices missing it.
Why has manufacturers omitted this function throughout the years given the various exploits that exists such as rouge APs?.
Thanks.

I've never bothered with it, support has been quite varied with cards and drivers over the years and the attacks it prevents are likely not going to be an issue in the home environment. If you're in a corporate environment it is more worth looking into and ensuring the devices you buy support it.

However to move to WPA3 you will have to use it, it is required, at that point hopefully things will get more consistent. But there will be years of "transition mode" where you'll have clients that don't support WPA3/PMF mixed in.

 

[Tech9]

Not needed - not used.

 

[PeterLiljedahl]

Thanks for the answers, I will contact a couple manufacturers and point to various exploits in the wild and
ask them what the reasoning is to omit such a simple fix in the light of upcoming wpa3 - generally one would think
that PMF is something already built-in in the development software.
Is PMF a function the chip manufaturers incorporate in the bundled driver or does the IOT manufacturer
have to write this code dicretely themselves?

 

[Tech9]

I'm positive it's the Wi-Fi chip/driver. For IoT usually is used whatever was the cheapest possible.

 

[PeterLiljedahl]

Yea and development time is money so not a chance an esp32 for example will have this feature implemented.
I dont consider myself an important person such that someone would throw a small esp32 with a battery over my yard and pretend to be an access point.
So if I have understood it correctly - this device is hidden and has the same ssid and mac as the real AP.
User comes home and phone tries to connect but asks for password and user thinks phone has forgotten password
and inputs it and forged AP now has password.

 

[Tech9]

Not that simple. Rogue APs are many types, but data modifying/recording AP requires much more work.