CCS24Mesh

EasyMesh Attack

Intro

In this write-up, we use Wyze Wi-Fi 6E Mesh Router Pro, firmware version 1.0.1.109 as an illustration example.

Wyze mesh networks implement Wi-Fi EasyMesh. However, this standard is flawed by design, having no “real” authentication.

Attack Step 1: Run the attack script and monitor EasyMesh traffic with Wireshark

To perform the Wi-Fi passphrase stealing attack through the EasyMesh protocol, we use this script

You might want to change dst='7c:78:b2:ea:12:e5' to your own gateway’s MAC address. Change src=b'\x5c\xe9\x1e\x8b\x3b\x2c' to your own laptop’s MAC address. Change iface="en0" to your own laptop’s wireless interface name.

Run Wireshark before you launch this script. Then, you will be able to see the gateway returning something interesting:

Attack Step 2: Decrypt EasyMesh responses to read Wi-Fi passphrases.

We provide another script.

Populate ENonce, RNonce, Encrypted_Settings, PK_R, EnrolleeMAC with the content of the first WSC in the traffic capture

Run decrypt_M2.py with python2 (not python3).

You can see Wi-Fi fronthaul/backhaul passphrases there: