Supernetworks, June Update

Jun 25, 2024 11:35 pm

Hello,


Welcome to the 3-week late June update for Supernetworks! Hope you all are enjoying your summer. We'd love to hear from you about which features we can improve.


Router Bug Highlights from May & June

Endless Router Bugs (@router_bugs)




  1. Check Point SSL VPN: CVE-2024-24919 🧨 This bug rivals April's GlobalProtect VPN RCE. The internet gateways for Check Point's VPN would disclose arbitrary files, such as VPN authentication credentials, to remote attackers, letting them break into networks. Check Point had to deploy a hotfix in addition to a software update.
  2. NordVPN MITM. The popularly advertised Panama-based NordVPN product had clients that failed to verify TLS certificates. This meant that a malicious network adversary could intercept network traffic or even gain remote code execution by sending a malicious software update to a client. This was fairly bad. The research was presented at Midnight Sun in Stockholm: https://conf.midnightsunctf.com/speakers/aapo-oksman
  3. Windows WiFi DoS/RCE: CVE-2024-30078. Windows patched a WiFi driver kernel crash that is theoretically exploitable (but not known to be exploitable) in Windows firmware drivers, in the handling of VLAN-tagged Ethernet frames.


Hardware Update

  • Enclosures! These are SLS Nylon-based 3D prints with high heat resistance. SLS Nylon feels quite solid. We'll be using heat-insert-based screws to join the two halves, and there are posts that hold up the PCB. We're combining this with internal Laird FlexMIMO antennas and the MediaTek chips.




  • Our mPCI assembly has been validated! We've been able to scale up production and have HATs being assembled and shipped right now. Existing preorders can expect delivery within the next 30 days.


  • We also have a design for an M.2 HAT that is being validated this week. These HATs will better support WiFi 7 chips, which have moved on from the mPCI form factor.


Software Updates

  • We have deployed a new installer for Raspberry Pis which is much smoother and does not require rebooting. We'll be further streamlining Noble updates to make sure this works as well as possible.


  • The new setup flow allows adding the first WiFi device from the setup AP, which is now an open access point. We're looking for more testing and ideas here on how the ideal setup would go.



  • The iOS app can now support TLS connections to SPR.


  • Our intern Jeremy has been spearheading our efforts for a Rust-based WiFi stack. The project was unlocked with the release of arm64 support for Rust in 6.9, as we expect to build an out-of-tree (OOT) Rust module to deploy onto Noble arm64 images. This will not be a short journey and may seem daunting, but we are closing in on our first goal of shifting MediaTek firmware to work as a softmac driver, where we don't rely on protocol parsing inside of firmware. Most security bugs emerge from coding errors in packet parsing and state machine transitions.


  • We need to finish releases of the integrated plugins we started and didn't quite get over the fence, namely Wireshark and mitmproxy.


Events

  • This week (June 26-30th) Alex will be at ToorCamp at Doe Bay on Orcas Island. Reach out if you would like to meet up. He'll be doing a brief overview of WiFi HaLow (802.11ah), a long-range WiFi specification running over 900 MHz. There should be some pretty clear reception out there!


  • We were at Midnight Sun in Stockholm in June helping with the CTF. For the qualifiers we had players attack a Dragonfly timing side channel. This timing side channel was made obsolete by Hash-to-Element (H2E) in WiFi 6E/WiFi 7. Among other tasks, for finals we deployed a GoodBIOS challenge for beginners to learn a little bit more about WiFi with a friendly but *awkward* WiFi ghost. Players did not have access to the source, just a client, and so they explored and poked around to talk to the LLM ghost.



New Website Landing!

Philip has made a new website for us. Check it out and let us know what you think! https://www.supernetworks.org/



Need Help? Have A Feature Idea?

  • We love your bug reports and feature requests, keep sending them in.
  • We've had several requests to run SPR on some RISC-V gear and other hardware. If you'd like to help out, get in touch.