10 Wi-Fi terms that you should know

Have you ever taken a look at the Wi-Fi logs generated by your router?

Or if you are on a Mac computer, have you seen the details of the Wi-Fi connection by pressing and holding the Option key while you click on the Wi-Fi icon?

Do you wonder what those terms mean? In this article, we will look at 10 Wi-Fi terms that you may come across.

1. HT

HT is short for High Throughput and is the alternative name for 802.11n (Wi-Fi 4). The name comes from the speed improvements: data rates range from 72 Mbps to 600 Mbps, making it a lot faster than 802.11g (Wi-Fi 3).

The new technologies introduced with Wi-Fi 4 include support for more antennas, which in turn enables higher data rates, a 40 MHz channel width, use of the 5 GHz band and standardised Multiple Input, Multiple Output (MIMO).

2. VHT

VHT, or Very High Throughput, is the alternative name for 802.11ac (Wi-Fi 5). It is designed to be the successor to HT. With Wi-Fi 5, wireless communication over the 5 GHz band is improved with new technologies, enabling data rates ranging from 433 Mbps to 6933 Mbps.

Some of the new technologies in Wi-Fi 5 include a mandatory 80 MHz channel width and an optional 160 MHz channel width, an increase in the maximum number of MIMO streams from 4 to 8, and 256-QAM support.

3. HE

HE is short for High Efficiency and is the alternative name for 802.11ax (Wi-Fi 6). The name stems from new technologies that improve efficiency and performance, including OFDMA and MU-MIMO. For more information about Wi-Fi 6, check out this explainer.

4. MCS Index

MCS Index, or Modulation and Coding Scheme Index, is a single reference value that identifies the combination of the following:

  1. Number of spatial streams
  2. Modulation type
  3. Coding rate

When this value is combined with the Wi-Fi channel width, it allows you to quickly calculate the likely data rate of a given connection. Naturally, the larger the MCS index value, the better, as it indicates a faster Wi-Fi connection.
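As an added example (not from the article), the following Python function turns an MCS index, stream count, channel width and guard interval into the nominal PHY data rate for HT (802.11n) and VHT (802.11ac); it reproduces the 72/600 Mbps and 433/6933 Mbps figures quoted above. It assumes the standard HT/VHT data-subcarrier counts and the 0.8/0.4 µs guard intervals, and it does not reject combinations the standard leaves undefined (for example VHT MCS 9 at 20 MHz is only valid for certain stream counts).

```python
from fractions import Fraction

# Per-stream modulation and coding rate for VHT (802.11ac) MCS 0-9.
# HT (802.11n) uses the first eight entries for each stream.
MCS_TABLE = [
    ("BPSK", 1, Fraction(1, 2)),
    ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(5, 6)),
    ("256-QAM", 8, Fraction(3, 4)),   # VHT only
    ("256-QAM", 8, Fraction(5, 6)),   # VHT only
]

# OFDM data subcarriers per channel width (HT 20/40 MHz, VHT 20-160 MHz).
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}

# An OFDM symbol is 3.2 us plus a 0.8 us (long) or 0.4 us (short) guard interval.
SYMBOL_US = {"long": Fraction(4, 1), "short": Fraction(36, 10)}


def phy_rate_mbps(mcs, width_mhz, nss=1, short_gi=False, standard="VHT"):
    """Return the nominal PHY data rate in Mbit/s for the given parameters.

    For HT (802.11n) the MCS index 0-31 already encodes the stream count
    (MCS 8-15 = 2 streams, 16-23 = 3, 24-31 = 4), so nss is derived from it
    and the nss argument is ignored.
    """
    if standard == "HT":
        nss, mcs = mcs // 8 + 1, mcs % 8
    _modulation, bits_per_carrier, coding_rate = MCS_TABLE[mcs]
    n_sd = DATA_SUBCARRIERS[width_mhz]
    symbol_us = SYMBOL_US["short" if short_gi else "long"]
    # Data bits carried by one OFDM symbol across all streams.
    bits_per_symbol = nss * n_sd * bits_per_carrier * coding_rate
    # bits per microsecond == Mbit/s; rounded to one decimal like vendor tables.
    return float(round(bits_per_symbol / symbol_us, 1))
```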

5. NSS

NSS, or Number of Spatial Streams, refers to the independently and separately coded data signals that are transmitted from the multiple antennas of an Access Point (AP). MIMO wireless communication uses this technique to increase the throughput of a communication channel by sending and receiving multiple data signals simultaneously.

6. RSSI

RSSI, or Received Signal Strength Indication, in the Wi-Fi context refers to the relative received signal strength in arbitrary units, measured from the perspective of the receiving radio. Generally, the greater the value, the stronger the signal. It is common to see RSSI shown as a negative number, in which case the closer the value is to zero, the stronger the signal.

7. Tx Rate

Tx Rate, or Transmission Rate, refers to the transmission speed of the wireless communication channel from the perspective of the client device. Naturally, the higher the value, the faster the connection, since more data can be sent from the client.

8. Rx Rate

Rx Rate, or Receive Rate, refers to the receiving speed of the wireless communication channel from the perspective of the client device. Naturally, the higher the value, the faster the connection, since more data can be received by the client.

9. DFS

DFS, or Dynamic Frequency Selection, allows a wireless network to use 5 GHz frequencies that are otherwise reserved for radar stations. Without this feature, APs are limited to the following 20 MHz channels:

  1. Channel 36
  2. Channel 40
  3. Channel 44
  4. Channel 48
  5. Channel 149
  6. Channel 153
  7. Channel 157
  8. Channel 161
  9. Channel 165

In environments such as an apartment building where multiple APs can be deployed, this can slow down network performance due to the increased wait time brought on by congestion.

With DFS, the issue of congestion is mostly resolved as APs can use 16 additional channels on the 5 GHz band, thus leading to improved performance. These 16 channels are known as DFS channels.

However, if there is a radar station nearby using any of the DFS channels, the AP will detect it and switch to one of the non-DFS channels. When that happens, client devices temporarily lose their internet connection while they re-establish the connection.

10. MUBF

MUBF, or Multi-User Beamforming, is an extension of beamforming to support multiple receiver devices.

And what is beam-forming then?

Beamforming is a technique that allows an AP to focus radio signals towards a receiver. The AP does this by transmitting multiple radio signals from its antenna array in a manner that results in both constructive and destructive radio interference. The destructive interference cancels the transmission in directions that have no receiver, while constructive interference increases the power of the transmission towards the receiver, thus improving the transmission quality and range.

Billions of Wi-Fi devices are vulnerable to eavesdropping due to

At the RSA security conference, security researchers announced a Wi-Fi vulnerability that affects billions of devices. This vulnerability allows nearby attackers to decrypt sensitive data sent over the air.

Eset, the security company that discovered the vulnerability, named it Kr00k; it is tracked as CVE-2019-15126. Kr00k affects Wi-Fi chips made by Cypress Semiconductor and Broadcom. According to Eset, FullMAC WLAN chips from both companies are especially affected. These chips are used in billions of devices, including the following:

  • iPhones
  • iPad
  • Apple Macs
  • Amazon Echos
  • Amazon Kindles
  • Android devices
  • Raspberry Pi 3
  • Wi-Fi routers from Asus and Huawei

Most of the affected devices have patches available from their manufacturers, but it is not clear how many of them have installed the patches. Routers are the biggest concern because they often go unpatched indefinitely.

How does the vulnerability work?

When a wireless device disassociates from a wireless access point, unsent data frames that remain in the transmit buffer are still sent over the air. Kr00k exploits this behaviour. If either the device or the wireless access point has the flaw, these data frames are encrypted with a key consisting of all zeroes instead of the session key negotiated earlier between the wireless device and the wireless access point. Encrypting data with an all-zero key is equivalent to having no key at all.

The following diagram from ArsTechnica shows what happens when a device disassociates from a wireless access point if either one is vulnerable.

A disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable device or access point can easily trigger this vulnerability by sending disassociation frames, since those frames are not authenticated. From there, hackers could capture and decrypt the transmitted data, and could trigger multiple disassociations to improve their chances of obtaining useful data.
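Because disassociation frames carry no authentication, a burst of them aimed at one BSSID is the signal a wireless monitor can watch for. The following Python snippet is an added example (not part of the original article) that parses constructed monitor log lines and flags any BSSID that sees several disassociations within a short sliding window; the log format, MAC addresses, timestamps and thresholds are invented for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame events as a monitor might
# log them (format, timestamps and addresses invented for this example).
SAMPLE_LOG = """\
1582704001.10 disassoc bssid=02:00:00:00:aa:01 client=02:00:00:00:bb:10 reason=8
1582704001.30 disassoc bssid=02:00:00:00:aa:01 client=02:00:00:00:bb:11 reason=8
1582704001.55 disassoc bssid=02:00:00:00:aa:01 client=02:00:00:00:bb:12 reason=8
1582704001.80 disassoc bssid=02:00:00:00:aa:01 client=02:00:00:00:bb:10 reason=8
1582704002.05 disassoc bssid=02:00:00:00:aa:01 client=02:00:00:00:bb:11 reason=8
1582704040.00 disassoc bssid=02:00:00:00:aa:02 client=02:00:00:00:bb:20 reason=3
1582704300.00 assoc    bssid=02:00:00:00:aa:02 client=02:00:00:00:bb:20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<type>\w+)\s+"
    r"bssid=(?P<bssid>[0-9a-f:]{17})\s+client=(?P<client>[0-9a-f:]{17})"
)


def find_disassoc_bursts(log_text, window_s=5.0, threshold=4):
    """Return {bssid: start_timestamp} for every BSSID that saw at least
    `threshold` disassociation frames inside a `window_s`-second window.

    A single disassociation is normal (roaming, Wi-Fi switched off); a
    rapid burst against one access point is what warrants investigation.
    """
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["type"] != "disassoc":
            continue
        ts, bssid = float(m["ts"]), m["bssid"]
        window = recent[bssid]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and bssid not in alerts:
            alerts[bssid] = window[0]   # report when the burst began
    return alerts
```

Where both client and access point support Protected Management Frames (802.11w), forged disassociation frames are rejected, although that does not change the zero-key behaviour of an unpatched chip.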

The following diagram from ArsTechnica shows how the attack would happen.

What are the devices affected?

Eset researchers identified a variety of mobile devices that are vulnerable, including:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

In addition, the following routers are also vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

The researchers also tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and MediaTek, and did not find any evidence of them being vulnerable. However, since it was impossible to test all devices, it is possible that other devices using Cypress and Broadcom chips are affected.

For Apple, the vulnerabilities were patched in October 2019 as part of macOS Catalina 10.15.1, Security Update 2019-001 for macOS Mojave, Security Update 2019-006 for macOS High Sierra, iOS 13.2 and iPadOS 13.2. More information on the patches can be found here for macOS and here for iOS and iPadOS.

In a separate statement to ArsTechnica, Amazon also stated that the Amazon Echo and Kindle devices listed in the security research have received automatic security updates over the internet.

Emotet now hacks nearby Wi-Fi network to spread like a worm

Emotet has evolved multiple times since its initial discovery in 2014 by security researchers. Recently, a sample of Emotet malware was found to have gained the ability to spread itself through insecure Wi-Fi networks that are near an infected device.

Once the malware gains access to the Wi-Fi networks, it will then attempt to infect all the connected devices. It is a tactic that can dramatically escalate Emotet’s spread.

The Wi-Fi spreading binary was first observed being delivered on 23 January 2020, but further analysis showed that the executable has a timestamp of 16 April 2018, which suggests the behaviour had gone unnoticed for almost two years.

This Wi-Fi spreading capability further raises the threat level of the already-prevalent Emotet.

Before this discovery, the malware was found in November 2019 to have gained new obfuscation and anti-virus evasion capabilities, which enable Emotet to better escape detection. Meanwhile, its authors have also changed their social engineering tactics to keep in line with current events, sending out malicious emails that claimed to be Edward Snowden’s new memoir or that used Halloween-themed lures.

What is Emotet?

Emotet is malware that began life as a banking trojan in 2014. Its primary goal is to sneak into your computer in order to steal sensitive and private information.

It has gone through a few iterations. Early versions arrived as malicious JavaScript files. Subsequently, it evolved to use macro-enabled documents that retrieve the malware payload from command and control (C&C) servers run by the attackers.

Malware is mostly useless to attackers if it is detected early or if security researchers can analyse it to determine how it works. To prevent that, Emotet comes with a few tricks up its sleeve.

Most notably, it knows if it is running inside a virtual machine (VM) and will lie dormant when that happens, because cybersecurity researchers use VMs to observe malware within a safe and controlled space.

Emotet can also use its Command and Control (C&C) servers to receive updates, much like the operating system (OS) updates on your PC, and this can happen seamlessly and without any outward signs. This way, attackers can install updated versions of the malware or deliver and install additional malware on the target. In addition, the C&C servers also serve as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How does Emotet spread?

Emotet spreads primarily through spam emails (malspam). It goes through your contact list and sends itself to your friends, family, coworkers and clients. The emails look less like spam because they come from your hijacked account, which makes the recipients feel safe and more likely to click on the malicious URLs in the emails or download infected files.

To increase the likelihood that recipients click on the malicious URLs or open the attachments, the emails may contain familiar branding or tempting language such as ‘Your invoice’ and ‘Payment Details’. In some cases, the content may be about an upcoming shipment from a well-known delivery company.

Furthermore, if a connected network is present, Emotet attempts to spread through it and gain access to other connected systems by brute forcing its way in with a list of common passwords.

For Emotet to spread via Wi-Fi, it first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe). Once the RAR file is extracted, worm.exe executes automatically.

The main purpose of worm.exe is to profile nearby wireless networks. It goes through each Wi-Fi network to identify its SSID, signal strength, encryption and authentication methods. After that, the malware begins trying to connect to each network by brute forcing its password.

Once the malware gains access to a network, it makes a request to its command and control (C2) server and establishes a connection over the Wi-Fi network. Next, it attempts to brute-force the passwords of all users on the newly reached network. If the brute force succeeds and the malware gains access to a device, worm.exe installs service.exe onto that device.

Finally, once service.exe is installed on the infected device, it communicates back to the C2 server and then begins dropping the embedded Emotet executable. The whole spreading and infection process then repeats in an attempt to infect as many devices as possible.

How do you protect your devices from Emotet?

To prevent Emotet from using its Wi-Fi spreading capability to infect connected devices, it is recommended that wireless networks be secured with longer and more complex passwords.

Preventing infection by Emotet is only one part of the solution. Actively monitoring endpoints for newly installed services, and investigating suspicious services or processes running from temporary folders and application data folders within user profiles, is equally important. This way, Emotet and its associated malware can be identified early and eliminated before they cause further damage to the rest of the systems.
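One way to implement the endpoint monitoring described above, as an added example rather than code from the article or from any Emotet analysis tooling: the Python function below checks constructed service-install and process-creation events and flags any whose executable lives under a user's Temp or AppData folders, the locations the paragraph names. The event fields, file paths and names are invented for the example; the two Emotet binary names come from the article.

```python
import re

# Constructed endpoint telemetry in a simplified dict form (paths, user and
# service names invented for this example; worm.exe/service.exe are the
# binary names the article describes).
SAMPLE_EVENTS = [
    {"event": "service_installed", "name": "WinSvcUpdate",
     "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"event": "service_installed", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "process_created", "name": "worm.exe",
     "image": r"C:\Users\alice\AppData\Roaming\worm.exe"},
    {"event": "process_created", "name": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Executables under <profile>\AppData\Local (which contains Temp) or
# <profile>\AppData\Roaming are the paths the article says to watch.
USER_DATA_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE)

# A brand-new service is a stronger persistence signal than a one-off process.
SEVERITY = {"service_installed": "high", "process_created": "medium"}


def suspicious_events(events):
    """Return (event type, severity, image path) for every service install
    or process start whose image sits in a user's Temp/AppData folders."""
    hits = []
    for ev in events:
        severity = SEVERITY.get(ev.get("event"))
        if severity is None:
            continue                      # not an event type we score
        image = ev.get("image", "")
        if USER_DATA_DIR.match(image):
            hits.append((ev["event"], severity, image))
    return hits
```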

Furthermore, computers and endpoints should be kept up to date with the latest software patches to eliminate as many vulnerabilities as possible. This prevents the other malware associated with Emotet infections, such as TrickBot, from exploiting those vulnerabilities.

Last but not least, be careful not to download suspicious attachments or open suspicious links. This way, Emotet cannot gain an initial foothold in the system or network.