• State
  • Locked Locked
  • Replies 17 replies
  • Subscribers 40 subscribers
  • Views 1275 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

WL1807MOD: Shielding De-Auth Attack

Anuj Tomar
Prodigy 10 points
Part Number: WL1807MOD


Hi People,
We have a device which uses WL1807 wifi module for connectivity in both AP mode (2.4GHz) and Client mode ( 2.4 & 5GHz ),
Is this module capable of shielding against De-Authentication attack, if so, can someone provide any leads,
In case it not capable what would be the impact of this vulnerability?

Our device has Linux Kernel version: 6.1.45

  • 0
    TI__Mastermind 32510 points

    Hi Anuj,

    The best protection against deauth attacks is to enable 802.11w (Protected Management Frames [PMF]). The feature is supported on WL18xx devices and can be enabled from hostapd and wpa_supplicant. In the hostapd.conf and wpa_supplicant.conf, see sections on 802.11W and/or PMF to enable it. 

  • 0
    Prodigy 10 points


    We aren't using hostapd but using Network manager to initialize the interface below is the conf file
    cat /etc/NetworkManager/system-connections/wifi_ap.conf

    [connection]
id=REDACTED
uuid=26638c65-ff0e-434c-a900-30a9c1404130
type=wifi
interface-name=ap0
autoconnect=false

[wifi]
band=bg
channel=auto
mode=ap
ssid=REDACTED

[wifi-security]
wpa=3
key-mgmt=sae
psk=REDACTED

[ipv4]
address1=192.168.10.1/28
method=shared

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]


    Whenever we run
    nmcli con up <connection_name>

    we receive "Error: Connection activation failed: 802.1X supplicant failed"

    Already tried:
    --> wpa=2 and adding ieee80211w=2 in [wifi-security] with key_mgmt=wpa-psk
    --> Separate section
    [802-11-wireless]
    ieee80211w=2

  • 0 in reply to Anuj Tomar
    TI__Mastermind 32510 points

    Hi Anuj,

    Have you used networkmanager to start an AP role before? I don't believe this is possible. 

    hostapd is necessary because it has the wireless stack to control AP mode. NetworkManager is a wrapper for a supplicant, which I don't believe that is what you want. So you should likely use hostapd. 

  • 0 in reply to Sabeeh Khan1
    Prodigy 10 points

    Hi ,

    We've been using Network manager for almost 2yrs for AP, so yes NM can be used for AP.

    Can you give an example hostapd.conf file which works with 1807 and has "ieee80211w=2" enable with wpa=2
    below is what I've tried already and didn't succeed:
    interface=ap0
    driver=nl80211
    ssid=ap_hotspot
    hw_mode=g
    channel=6
    wmm_enabled=0
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    ieee80211w=2
    wpa=2
    wpa_passphrase=Abcd@1234
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP

    Along with ieee80211w=2 we have tried following key_mgmt values:
    WPA-PSK, WPA-PSK-SHA256, SAE, FT-PSK

    they result in following below errors:

    Error-1:
    nl80211: kernel reports: key setting validation failed
    Interface initialization failed
    ap0: interface state UNINITIALIZED->DISABLED
    ap0: AP-DISABLED
    ap0: Unable to setup interface.
    ap0: interface state DISABLED->DISABLED
    ap0: AP-DISABLED
    ap0: CTRL-EVENT-TERMINATING
    hostapd_free_hapd_data: Interface ap0 wasn't started
    nl80211: deinit ifname=ap0 disabled_11b_rates=0


    Error-2:
    Could not generate WPA IE.
    WPA initialization failed.
    Interface initialization failed
    ap0: interface state UNINITIALIZED->DISABLED
    ap0: AP-DISABLED
    ap0: Unable to setup interface.
    ap0: interface state DISABLED->DISABLED
    ap0: AP-DISABLED
    ap0: CTRL-EVENT-TERMINATING
    hostapd_free_hapd_data: Interface ap0 wasn't started
    nl80211: deinit ifname=ap0 disabled_11b_rates=0

    Can you let me know of your earliest available time so we can schedule a meeting,
    you can reply to meeting invite forwarded to you by Saurabh Kapoor.

  • 0 in reply to Anuj Tomar
    TI__Mastermind 32510 points

    Hi Anuj, Which hostapd version are you using? Can you ensure you are using 2.10?

  • 0 in reply to Sabeeh Khan1
    Prodigy 10 points



    Yes we have v2.10 of hostapd.

  • 0 in reply to Anuj Tomar
    Prodigy 10 points

    Fullscreen Hostapd_defconfig.txt Download 
    # See https://w1.fi/cgit/hostap/plain/hostapd/defconfig
#
# Here only SAE and ACS are in addition compared to default defconfig
#
CONFIG_DRIVER_HOSTAP=y
CONFIG_DRIVER_NL80211=y
CONFIG_LIBNL32=y
CONFIG_RSN_PREAUTH=y
CONFIG_EAP=y
CONFIG_ERP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_PKCS12=y
CONFIG_IPV6=y
CONFIG_IEEE80211AC=y
CONFIG_SAE=y
CONFIG_SAE_PK=y
CONFIG_ACS=y
CONFIG_DPP=y
CONFIG_DPP2=y


    8182.Kernel_Config.txt

  • 0 in reply to Anuj Tomar
    TI__Mastermind 32510 points

    Hi Anuj,

    I have a hostapd.conf file where I was able to get 80211w enabled and working. Please let me know if you experienced any errors using this file. https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/968/hostapd.conf

  • 0 in reply to Sabeeh Khan1
    Prodigy 10 points

    Initially we ran 
    root@am335x-saturn-proto2:/etc# hostapd /etc/custom_hostapd.conf
    Line 925: unknown configuration item 'wps_state'
    Line 929: unknown configuration item 'ap_setup_locked'
    Line 934: unknown configuration item 'uuid'
    Line 950: unknown configuration item 'device_name'
    Line 953: unknown configuration item 'manufacturer'
    Line 956: unknown configuration item 'model_name'
    Line 959: unknown configuration item 'model_number'
    Line 962: unknown configuration item 'serial_number'
    Line 974: unknown configuration item 'device_type'
    Line 984: unknown configuration item 'config_methods'
    10 errors found in configuration file '/etc/custom_hostapd.conf'
    Failed to set up interface with /etc/custom_hostapd.conf
    Failed to initialize interface
    root@am335x-saturn-proto2:/etc#

    after commenting all above:
    root@am335x-saturn-proto2:/etc# hostapd /etc/custom_hostapd.conf
    ap0: interface state UNINITIALIZED->COUNTRY_UPDATE
    nl80211: kernel reports: key setting validation failed
    Interface initialization failed
    ap0: interface state COUNTRY_UPDATE->DISABLED
    ap0: AP-DISABLED
    ap0: interface state DISABLED->DISABLED
    ap0: AP-DISABLED
    ap0: CTRL-EVENT-TERMINATING
    hostapd_free_hapd_data: Interface ap0 wasn't started
    nl80211: deinit ifname=ap0 disabled_11b_rates=0
    root@am335x-saturn-proto2:/etc#

    current file has wpa_key_mgmt=WPA-PSK
    also tried with wpa_key_mgmt=WPA-PSK-SHA256

  • 0 in reply to Anuj Tomar
    TI__Mastermind 32510 points

    Hi Anuj,

    I found the print 'key setting validation failed' in the kernel, it is net/wireless/nl80211.c. It seems function "cfg80211_validate_key_settings" is failing. Let me debug further to understand why the kernel is reporting this. I am assuming there is a crypto module missing from your kernel defconfig. 

  • 0 in reply to Sabeeh Khan1
    TI__Mastermind 32510 points

    Hi Anuj,

    I'm now seeing the same issue you are describing. Can you inform me which firmware version you are using?

  • 0 in reply to Sabeeh Khan1
    Prodigy 10 points

    wl8xx-fw 8.9.1.0.0-r0
    Wlconf - 8.8-r0 

    Wlconf - git://git.ti.com/wilink8-wlan/18xx-ti-utils.git,  Commit id - 7325bf0b7b2d462e334437d2c7f9198d0ac55ce2
    wl8xx-fw - git://git.ti.com/wilink8-wlan/wl18xx_fw.git  , Commit id - d2588c16809ecca8e0dc7ea011fc6180c7b08a92

  • 0 in reply to Anuj Tomar
    TI__Mastermind 32510 points

    Hi Anuj,

    I can't comment about the upstream patches, but as we discussed, I will work on forward porting our patches from k4.19 to k6.1 with our latest firmware to resolve the issue. 

  • 0 in reply to Sabeeh Khan1
    TI__Mastermind 32510 points

    Could you also share the link and commit tag to your kernel if possible?