Mathy Vanhoef

@vanhoefm

13,365
Followers
1,530
Following
147
Media
3,414
Statuses

Prof. @KU_Leuven | Ex-Postdoc NYU | Network Security & Crypto | FragAttacks & KRACK

Orion Arm
Joined February 2011
Pinned Tweet
@vanhoefm
Mathy Vanhoef
3 years
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9 months embargo, over this time a lot of info has been collected and that info is now available at
37
1K
3K
@vanhoefm
Mathy Vanhoef
7 years
Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse and see the paper at
49
1K
1K
@vanhoefm
Mathy Vanhoef
7 years
My paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 is now online!
17
967
1K
@vanhoefm
Mathy Vanhoef
6 years
Finally, WPA3!! It will include a more secure handshake: "WPA3 will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations"
10
587
755
@vanhoefm
Mathy Vanhoef
5 years
Me and @eyalr0 discovered several flaws in WPA3. Read more about it at Or you can read our paper! #Dragonblood
16
283
435
@vanhoefm
Mathy Vanhoef
7 years
Script to test APs for KRACK attack against FT handshake (802.11r - CVE-2017-13082) is online
4
324
385
@vanhoefm
Mathy Vanhoef
10 months
New #TunnelCrack flaw can break a large majority of VPNs: we can trick a VPN into leaking traffic outside the protected VPN tunnel. Our tests indicate that this is a widespread design issue. For a demo, more details, and the USENIX Security paper, see
10
177
372
@vanhoefm
Mathy Vanhoef
7 years
Scripts to test if clients are affected by the WPA2 #KRACK attack are now available at Do a new git clone!
1
245
364
@vanhoefm
Mathy Vanhoef
7 years
Honored to have received the real-world impact award :)
19
24
331
@vanhoefm
Mathy Vanhoef
5 years
Me and @eyalr0 found new flaws in the WPA3 security guidelines that were *privately* created after our 1st disclosure. More details at  and in our just accepted S&P paper. Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1
4
181
278
@vanhoefm
Mathy Vanhoef
6 years
My presentation at Black Hat Europe about the #KRACK attack against WPA2 is now on YouTube! #blackhat
3
133
277
@vanhoefm
Mathy Vanhoef
6 years
Some IoT devices are initialized through smartphone apps that encode the SSID and password of the Wi-Fi network in the length of broadcasted packets. Attacker can capture this and extract the password. See #wisec
3
149
254
@vanhoefm
Mathy Vanhoef
3 years
Also check out It's a test tool with 45+ test cases, a live USB image, can test both APs and clients, both home and enterprise networks, supports multiple network cards, and contains references to slides and other overview info :)
3
65
235
@vanhoefm
Mathy Vanhoef
3 years
With that news out of the way: later this year I'll be starting as a professor at @KU_Leuven Exciting times ahead!
21
4
224
@vanhoefm
Mathy Vanhoef
7 years
Slides of my presentation at #CCS17 on the #KRACK attack: key reinstallation attacks against WPA2
2
163
220
@vanhoefm
Mathy Vanhoef
3 years
Finally updated my WPA2 KRACK scripts to Python3. They should now be more reliable and usable on recent Linux distributions. Use them to see if WPA2 devices are (still) vulnerable to the KRACK attack!
2
82
223
@vanhoefm
Mathy Vanhoef
3 years
The findings consist of three design flaws and several widespread implementation flaws. Some of the flaws have been part of Wi-Fi since 1997! Full details are in my paper:
1
55
216
@vanhoefm
Mathy Vanhoef
8 months
👀 Looks like nearly all setuid programs on Linux can be easily exploited. Local user can gain root privileges. I confirmed the resulting crash on my own installation. And apparently "this buffer overflow is easily exploitable (by transforming it into a data-only attack)"
@hackerfantastic
hackerfantastic.x
8 months
Amazing, a trivial to exploit buffer overflow in glibc allows for local root privilege escalation using binaries such as "su"
9
203
475
3
58
210
@vanhoefm
Mathy Vanhoef
7 years
Note that the patches for Linux's hostapd and wpa_supplicant are now also public:
6
210
200
@vanhoefm
Mathy Vanhoef
5 years
New version of ModWifi has been released. Provides modified drivers/firmware to perform low-layer Wi-Fi attacks. Now supports Linux kernel 5.3 and below (tested with 4.9.0 and 5.2.9).
1
78
197
@vanhoefm
Mathy Vanhoef
7 years
I found a MitM attack against OpenBSD: A logical vulnerability in the WPA1/WPA2 protocol implementation.
@nixcraft
nixCraft 🐧
7 years
A man-in-the-middle vulnerability has been found in OpenBSD's wireless stack #unix #infosec #security
1
70
67
9
149
186
@vanhoefm
Mathy Vanhoef
2 years
Several vulnerabilities discovered by Sönke Huster in Linux's Wi-Fi stack: heap overflow, use-after-free, infinite loop. PoCs were tested in a simulated environment. But Sönke says the vulnerabilities are driver-independent (and I agree with that concern).
3
67
194
@vanhoefm
Mathy Vanhoef
7 years
T minus ~24 hours 😱
@vanhoefm
Mathy Vanhoef
7 years
Let the countdown begin! T minus 49 days.
0
9
25
8
62
180
@vanhoefm
Mathy Vanhoef
6 years
Slides for my presentation "Rooting Routers Using Symbolic Execution" at #HITB2018DXB are now online at Great conference so far, and an excellent organization!
4
82
182
@vanhoefm
Mathy Vanhoef
4 years
Implementation bug in certain Wi-Fi chipsets: after being disconnected by the AP, the client sets the session key to all-zeros. Because of a bug it then sends all pending frames in the transmission buffer encrypted using an all-zero key.
7
75
182
@vanhoefm
Mathy Vanhoef
4 years
Scripts to detect whether WPA2 clients are vulnerable to KRACK have been updated to work properly on the latest Kali release (which uses a new scapy version).
1
57
173
@vanhoefm
Mathy Vanhoef
7 years
Getting flooded with mails and questions. is your first source! Send questions by mail (might be added to Q&A).
17
94
169
@vanhoefm
Mathy Vanhoef
7 years
Someone did a copyright claim on vid so they can monetize it with ads. Received no notification about this. Wow.
15
70
164
@vanhoefm
Mathy Vanhoef
7 years
Hiding SSIDs means your smartphone will send probe requests that contain the name of your SSID wherever you go. Don't do this.
@blackroomsec
BlackRoomSec
7 years
STOP HIDING YOUR SSIDS. It doesn't keep me out. Aircrack-ng. 30 secs. You aren't securing anything and will make us MORE curious.
58
316
900
7
119
165
@vanhoefm
Mathy Vanhoef
6 years
New bruteforce attack on pre-shared WPA2 passwords. Abuses the PMKID to test if a password is correct. Cool technique :) Only works against networks with roaming enabled, so I suspect most personal networks aren't affected. Does not affect enterprise networks.
@hashcat
hashcat
6 years
We've developed a new attack on WPA/WPA2. There's no more complete 4-way handshake recording required. Here's all details and tools you need:
45
2K
3K
6
80
146
@vanhoefm
Mathy Vanhoef
2 years
Good post about exploiting the Wi-Fi stack in a Tesla Model S (2020). First exploits the Wi-Fi firmware, then the host. Firmware vulnerability is the 802.11e (WMM) functionality when handling ADDTS and TSPEC frames, host vulnerability in the driver.
1
55
144
@vanhoefm
Mathy Vanhoef
9 years
New RC4 attack can decrypt cookies in only 75 hours: http://t.co/VNQ5RjdHfp And the corresponding paper http://t.co/kHCQ0c1ACU
4
204
142
@vanhoefm
Mathy Vanhoef
6 years
WPA3: A Missed Opportunity tl;dr: only mandatory part of WPA3 is a new handshake that prevents dictionary attacks. That's surprising: they promised more features in their press release earlier this year.
5
71
128
@vanhoefm
Mathy Vanhoef
7 years
Updated the scripts to test if an AP is affected by KRACK. Now fewer false positives
5
69
132
@vanhoefm
Mathy Vanhoef
2 years
Abusing Wi-Fi to localize someone's devices. Attacker spoofs beacons to pretend there's buffered traffic. Clients request this traffic & reveal their MAC address. Fake frames are sent to the victim & time-of-flight of the response is used for localization
4
45
134
@vanhoefm
Mathy Vanhoef
7 years
I didn't expect that many reactions already. I'll reply to questions and mails after the embargo ends - it's there for a reason.
13
50
122
@vanhoefm
Mathy Vanhoef
24 days
We discovered that the Wi-Fi network name isn't properly verified when connecting. Clients can be tricked to connect to a wrong network. E.g., can downgrade clients to the less secure 2.4 GHz. To be presented at WiSec'24. Simon of @top10vpn wrote about it
4
50
123
@vanhoefm
Mathy Vanhoef
4 years
Slides of the #Dragonblood attack against WPA3 and EAP-pwd, given at #realworldcrypto together with @eyalr0
0
66
120
@vanhoefm
Mathy Vanhoef
6 years
"We thank the researchers for following responsible disclosure, it really helped us a lot"
3
78
111
@vanhoefm
Mathy Vanhoef
6 years
Some technical details and discussions of the new WPA3 standard Overall WPA3 increases security! Though there is still room for more improvements.
4
78
117
@vanhoefm
Mathy Vanhoef
6 years
All VW-3 car keys used the same cryptographic key 😑
2
62
114
@vanhoefm
Mathy Vanhoef
7 years
Update: most #KRACK attacks against vulnerable clients can be prevented by modifying the router/access point
2
84
112
@vanhoefm
Mathy Vanhoef
5 years
History repeats. In the proposed fix to our Dragonblood WPA3 attacks, they're applying HKDF on the password, and our advice to use PBKDFs instead is ignored (this would make dictionary attacks in the face of implementation vulnerabilities more costly).
3
48
104
@vanhoefm
Mathy Vanhoef
6 years
In our USENIX #WOOT18 paper, we found a decryption oracle in Android's and Linux's Wi-Fi client called wpa_supplicant. Only exploitable when using TKIP on a WPA2 network (the default in 20% of networks). See section 5.4 of
2
52
102
@vanhoefm
Mathy Vanhoef
7 years
If you find spelling mistakes, send a pull request :) It's been a long weekend
3
46
99
@vanhoefm
Mathy Vanhoef
3 years
Heap overflow discovered in sudo! Researchers demonstrated exploits on Ubuntu 20.04, Debian 10, and Fedora 33 to obtain root privileges. Vulnerability has been present for over 10 years. Tracked as CVE-2021-3156. Read the details at
2
74
101
@vanhoefm
Mathy Vanhoef
6 years
Slides of my presentation "Improved KRACK Attacks Against WPA2 Implementations" at #opcde2018
4
44
92
@vanhoefm
Mathy Vanhoef
7 years
YouTube removed the #KRACK video because it contains "Harmful or dangerous content"
12
45
91
@vanhoefm
Mathy Vanhoef
3 years
Intel patched these vulnerabilities in the Management Engine as well. It's still crazy to me how there's a whole OS that's hidden in the lower layers of your CPU... and that this OS supports Wi-Fi.
@vanhoefm
Mathy Vanhoef
3 years
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9 months embargo, over this time a lot of info has been collected and that info is now available at
37
1K
3K
1
23
92
@vanhoefm
Mathy Vanhoef
6 years
Blogpost about some new KRACK attack results, and our extension to the WiFi standard to prevent multi-channel man-in-the-middle attacks My #HITBGSEC talk will be about this too, but contains more results, so vote for it :)
1
54
89
@vanhoefm
Mathy Vanhoef
6 years
That means dictionary attacks no longer work. The handshake they're referring to is likely Simultaneous Authentication of Equals (SAE). Which is also called Dragonfly. See
5
43
87
@vanhoefm
Mathy Vanhoef
3 years
I'd like to thank everyone who was involved in this coordinated disclosure! It was a long process and I'm glad this work is now over :)
1
1
83
@vanhoefm
Mathy Vanhoef
3 years
One design flaw can be used to inject packets towards clients. Makes it possible to force victim to use malicious DNS server. Some implementation flaws can be abused to inject packets towards an AP. Can be abused to punch a hole in the router's NAT and attack local devices.
1
9
83
@vanhoefm
Mathy Vanhoef
6 years
Updated my WPA3 blogpost with some more notes about the replacement of WPS (called DPP), and the increased key sizes in WPA3
1
69
85
@vanhoefm
Mathy Vanhoef
3 years
YouTube deleted my demo video about WPA3 research. It was a minor video that was purely technical. Showing something in the fairly rarely used Linux IWD client. But apparently enough to get a strike on my account.
6
18
85
@vanhoefm
Mathy Vanhoef
6 years
Slides of my presentation about the #KRACK attack against WPA2 at #bluehatil. It contains some new thoughts and remarks on multi-party vulnerability coordination!
1
45
83
@vanhoefm
Mathy Vanhoef
5 years
We won a Pwnies Award for our Dragonblood attack against WPA3! #bhusa
7
15
85
@vanhoefm
Mathy Vanhoef
6 years
We have some follow-up work on the WPA2 KRACK attack. Check it out at tl;dr: some updates were flawed & Wi-Fi’s official defense could be bypassed, so selected attacks were still possible. No need for panic, most affected vendors already provided updates.
1
39
83
@vanhoefm
Mathy Vanhoef
6 years
The #KRACK attack against WPA2 got nominated for Best Cryptographic Attack :)
@PwnieAwards
Pwnie Awards
6 years
The 2018 Pwnie Awards nominees are up!
6
133
159
3
11
82
@vanhoefm
Mathy Vanhoef
5 years
@pwnheadcom Was this inspired by a Black Mirror episode? You're assigning a "social score" to researchers... The academic world tried this with several types of metrics and it's a bad idea.
2
5
81
@vanhoefm
Mathy Vanhoef
7 months
@evacide @hackerfantastic Privately scanning for Wi-Fi networks was properly implemented all the time. Apple was the first vendor to introduce this. The flaw only leaks your MAC address when *connected* to a Wi-Fi network. While a valid issue, it sounds worse than it actually is.
@vanhoefm
Mathy Vanhoef
7 months
This new iPhone flaw is about tracking users *while connected* to a Wi-Fi network. Even with the CVE fixed, that's IMO hard to fully prevent. Usage of random MAC addresses while *scanning* for Wi-Fi networks seems to have properly worked all the time.
2
19
39
5
15
80
@vanhoefm
Mathy Vanhoef
4 years
Glad to see that beacon protection for Wi-Fi, which we standardized in collaboration with Broadcom, Intel, and others, is being implemented in Linux. Initial commits available at and
3
27
78
@vanhoefm
Mathy Vanhoef
23 days
@IanColdwater Assumes two SSIDs share the same passwords/credentials. It's an interesting attack, but to be honest also not something to worry about too much, the threat model is fairly unique.
4
5
79
@vanhoefm
Mathy Vanhoef
8 years
The NSA can geolocate (and spy on) Wi-Fi devices using *SATELLITES*.
6
92
72
@vanhoefm
Mathy Vanhoef
4 years
Currently making a new Wi-Fi tool. More details soon =) Want to make sure your device is supported? Then reply with the current wireless card that is in your laptop! (On Linux check with `lspci | grep -i net`).
17
13
76
@vanhoefm
Mathy Vanhoef
4 years
Interesting case where a Wi-Fi network caused interference for a weather radar that was 47 miles (!) away. They explain how the offending Wi-Fi network was tracked down.
@samuel_clements
Sam Clements
4 years
The FCC helped this weather station shut down offending Wi-Fi ~50 miles away. Excellent read and a nice whitepaper at the end.
5
20
78
1
31
75
@vanhoefm
Mathy Vanhoef
3 years
As always though: update your devices, we never know when attacks will improve. Check with your vendor to know the current practical impact for your device.
0
3
70
@vanhoefm
Mathy Vanhoef
4 years
Today I received an email with two identical attachments (an official letter). Why? So I can sign one and send it back, while keeping the other as a personal copy.
4
12
72
@vanhoefm
Mathy Vanhoef
7 years
And now my YouTube account is suspended. "After review we determined that activity in your account violated our Community Guidelines"
12
32
67
@vanhoefm
Mathy Vanhoef
4 years
The @WiFiAlliance published a draft standard that ties a public key to the password of a Wi-Fi network. This can prevent rogue AP attacks. This is a good opportunity for anyone to review its security!
1
47
70
@vanhoefm
Mathy Vanhoef
6 years
@hdmoore @jedimercer There's a good related paper on this: Decomposition of MAC address structure for granular device inference
2
21
68
@vanhoefm
Mathy Vanhoef
3 years
More evidence that WPA3 and its Dragonfly handshake is hard to implement securely: IWD was still vulnerable to side-channel leaks. Additionally, the patch for FreeRADIUS was not backported to their v3 branch. This confirms our warning that Dragonfly is hard to implement securely
3
29
67
@vanhoefm
Mathy Vanhoef
5 years
Microsoft released their crypto library the day after we disclosed Dragonblood. Looks like their WPA3 code includes the necessary defenses. I wonder what it looked like initially...
3
32
69
@vanhoefm
Mathy Vanhoef
6 years
Wow, the ACM will even try to make you pay for an RFC.
6
33
68
@vanhoefm
Mathy Vanhoef
5 years
Slides of the Dragonblood presentation at #bhusa are now online Important to mention is that WPA3 is better than WPA2, even with its flaws. So when available, switch to WPA3!
2
42
67
@vanhoefm
Mathy Vanhoef
7 years
YouTube has now restored the #KRACK demo video :)
0
13
64
@vanhoefm
Mathy Vanhoef
6 years
I've collected quite some Wi-Fi and wireless tools over the years 😎 and this isn't even everything!
9
1
64
@vanhoefm
Mathy Vanhoef
3 years
The impact of the attacks really depends on the device. Sometimes the impact is very minor and there's nothing to worry about. Sometimes the impact is serious.
1
3
61
@vanhoefm
Mathy Vanhoef
15 days
Doing Wi-Fi research is always... an adventure. Sometimes things suddenly stop working. It feels like your past weeks of work were all useless. You wonder whether it's better to focus on other ideas. Then you realize you were simply sending frames on the wrong channel... oops
4
6
62
@vanhoefm
Mathy Vanhoef
4 months
Protocol state bugs remain tricky! We found that in an IWD Wi-Fi AP we could skip Msg2 of the handshake to bypass authentication. And in wpa_supplicant the Phase2 authentication can be skipped when using PEAP. See and
2
30
60
@vanhoefm
Mathy Vanhoef
6 years
This thread is gold. They store plaintext passwords, and that's not a problem because their security is AMAZING! 😂
3
12
59
@vanhoefm
Mathy Vanhoef
7 years
Windows 10 Lock Screen: Abusing the Network UI for Backdoors (and how to disable it)
1
42
57
@vanhoefm
Mathy Vanhoef
7 years
Shame on whoever leaked the draft version
3
15
56
@vanhoefm
Mathy Vanhoef
7 years
Dispute filed, ads should be gone now? This is quite ridiculous.
6
17
56
@vanhoefm
Mathy Vanhoef
2 years
Looks like beacon protection will likely become mandatory in Wi-Fi 7 (a.k.a. 802.11be)! 🤠 There's an update to the draft IEEE 802.11be standard that adds the line "An EHT AP shall have dot11BeaconProtectionEnabled set to 1". Source:
@vanhoefm
Mathy Vanhoef
4 years
Our presentation on Wi-Fi Beacon Protection is now online: You can read the corresponding WiSec'20 paper at
2
30
63
4
21
55
@vanhoefm
Mathy Vanhoef
7 years
Wi-Fi drivers and firmware used to be (and still are) quite vulnerable. New write-ups here: silly bugs, good finds
0
35
56
@vanhoefm
Mathy Vanhoef
7 years
Slides of my Black Hat EU talk on #KRACK : Key Reinstallation Attacks: Breaking the WPA2 Protocol
0
43
55
@vanhoefm
Mathy Vanhoef
3 years
Clever Wi-Fi attack against a locked Windows 10 screen in an enterprise setting. Several of us pointed out before that having a Wi-Fi network selection menu in the Lock Screen is bad... and this confirms that hunch using an impactful attack!
@breakfix
Matt Johnson
3 years
Check out my latest blog post detailing the "Airstrike Attack" allowing for FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316)
12
222
456
1
39
52
@vanhoefm
Mathy Vanhoef
6 years
"If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." - Weinberg
2
12
54
@vanhoefm
Mathy Vanhoef
7 years
Cool interactive illustration on how Wi-Fi works
0
20
52
@vanhoefm
Mathy Vanhoef
6 years
Finished implementation of Operating Channel Validation on top of Hostap. It prevents multi-channel MitM in Wi-Fi networks. Only 2762 lines of code (of which 975 are tests), but spread over 76 files (!!). Background:
2
22
49
@vanhoefm
Mathy Vanhoef
3 years
The website of a company doing corona tests in The Netherlands and Belgium was vulnerable to a trivial vulnerability. Data of all tests were leaked. On top of that, it was possible (and easy!) to insert fake test results in their database and get a valid QR code...
@danielverlaan
Daniël Verlaan
3 years
news: Because of a major leak at a testing company, anyone could obtain fake travel and entry passes in the CoronaCheck app with childlike ease. The data of 60,000 people who took a coronavirus test with this organization has also been leaked.
159
781
2K
1
25
50
@vanhoefm
Mathy Vanhoef
6 years
Slides of my USENIX WOOT presentation are available online at It's about symbolic execution of crypto protocol implementations. See the paper at
@vanhoefm
Mathy Vanhoef
6 years
In our USENIX #WOOT18 paper, we found a decryption oracle in Android's and Linux's Wi-Fi client called wpa_supplicant. Only exploitable when using TKIP on a WPA2 network (the default in 20% of networks). See section 5.4 of
2
52
102
0
26
49
@vanhoefm
Mathy Vanhoef
5 years
Operating Channel Validation has been merged to the development version of wpa_supplicant and hostapd! It prevents multi-channel MitM in Wi-Fi networks. For more background on this defense see our paper or our presentation
3
25
50
@vanhoefm
Mathy Vanhoef
6 years
Is your company implementing WPA3? Contact me if you want your implementation to be tested for free: I only need a device that supports WPA3. Details can always be discussed.
0
34
48