Zoom on iPhone SE triggers de-authentication flood warnings on Fingbox V2

SRP
SRP Member Posts: 124
edited July 29, 2021 in Devices & Security #1
Anyone else experienced this? It seems to occur fairly reliably on Zoom sessions with specific work colleagues with known dodgy internet connections. I’ve turned on flood protection on my APs but perhaps the tolerances there are more lenient than those used by the Fingbox.

Any way to alter de-auth warning tolerances/thresholds on the Fingbox? Any idea what these are even?

Cheers,

S.

Answers

  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,292
    Hi,

    For minimizing de-auth alerts, you need to make sure all access points are added to your Fingbox network. If the device tries to pass the minimum threshold then the Fingbox is able to provide you with an alert. For this, performing deauth attacks at high speed against the BSSID that is monitored by Fingbox.

    In order to avoid false alarms, there are minimum thresholds to raise an alarm: 
    - the minimum duration of attack: 10 seconds 
    - minimum deauth packets per second: 30/sec 

    Robin (Admin at Fing)
    Getting Started? Please refer to Community guidelines & Community User Guides. HAPPY POSTING!!!
  • SRP
    SRP Member Posts: 124
    edited July 30, 2021 #3

    Thanks @Robin for the quick reply.

    All my APs and associated BSSIDs are definitely monitored by the Fingbox and the BSSID attacked is in the list under the Network>Access Points section of the Fing App. I do, however, notice that the Network>Wi-Fi protection number of APs for each of my Fingboxes is occasionally less than the number of BSSIDs in their Network>Access Points. In this instance 12 versus 14. Any idea why this is or if this could be related? I've always associated the former number with BSSIDs on which there has been actual packet traffic recently that's been monitored. Is that correct?

    So, having checked the AP firmware flood protection options once more there isn't one for de-auth attacks, so Zoom on the iPhone is regularly exceeding the Fingbox tolerances.

    At the end of the day, Zoom functions so the alerts are more of an annoyance than anything else - however, there's a security conscious part of me that wants to know exactly what is going on.

    Cheers,

    S.

  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,292
    @SRP
    If you quit Zoom or uninstall Zoom, does the issue persist? You may want to write to Zoom for these alerts as well.
    Robin (Admin at Fing)
  • SRP
    SRP Member Posts: 124

    Yes. If I quit Zoom on iPhone they cease. Moreover, if I join the same conference call from Zoom on my MacBook and then cease the iPhone connection the alerts stop too while the call continues. I'd sort of come to the conclusion the issue lies with the iPhone/Zoom in some fashion. I'm going to try the Zoom App on other iOS and iPadOS devices as a next step in narrowing things down & will then do a Wireshark capture of the actual network traffic and ping Zoom.

    Thanks for the help and advice regardless.

    Cheers,

    S.
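
An added example, not part of the thread and not Fing's code: a way to check deauthentication frames exported from a capture against the two thresholds quoted above (at least 30 deauth frames per second, sustained for at least 10 seconds). Counting frames in one-second buckets per BSSID is an assumption about how the thresholds combine; `flood_windows`, `_burst` and the sample BSSIDs are constructed for illustration.

```python
from collections import Counter

MIN_RATE = 30      # deauth frames per second (threshold quoted in the thread)
MIN_DURATION = 10  # seconds (threshold quoted in the thread)

def flood_windows(frames, min_rate=MIN_RATE, min_duration=MIN_DURATION):
    """frames: iterable of (epoch_seconds, bssid), one tuple per deauth frame.
    Returns {bssid: [(first_sec, last_sec, peak_rate), ...]} for every run of
    consecutive seconds that each hold >= min_rate frames and that lasts
    at least min_duration seconds."""
    per_bssid = {}
    for ts, bssid in frames:
        per_bssid.setdefault(bssid.lower(), Counter())[int(ts)] += 1
    result = {}
    for bssid, buckets in per_bssid.items():
        runs, start, prev, peak = [], None, None, 0
        for sec in sorted(buckets):
            hot = buckets[sec] >= min_rate
            if hot and start is not None and sec == prev + 1:
                prev, peak = sec, max(peak, buckets[sec])  # run continues
                continue
            # Run ended (quiet second or gap): keep it only if long enough.
            if start is not None and prev - start + 1 >= min_duration:
                runs.append((start, prev, peak))
            start, prev, peak = (sec, sec, buckets[sec]) if hot else (None, None, 0)
        if start is not None and prev - start + 1 >= min_duration:
            runs.append((start, prev, peak))
        if runs:
            result[bssid] = runs
    return result

def _burst(bssid, start, seconds, rate):
    # Constructed sample data: `rate` evenly spaced frames in each second.
    return [(start + s + i / rate, bssid) for s in range(seconds) for i in range(rate)]

# Constructed capture: only the first BSSID crosses both thresholds.
SAMPLE = (_burst("AA:BB:CC:00:00:01", 1000, 12, 35)    # 35/s for 12 s
          + _burst("AA:BB:CC:00:00:02", 1000, 6, 40)   # 40/s for 6 s ...
          + _burst("AA:BB:CC:00:00:02", 1008, 5, 40)   # ... 2 s gap, then 5 s
          + _burst("AA:BB:CC:00:00:03", 1000, 12, 20)) # long, but only 20/s

if __name__ == "__main__":
    for bssid, runs in flood_windows(SAMPLE).items():
        for first, last, peak in runs:
            print(f"{bssid}: {last - first + 1}s at >= {MIN_RATE}/s, peak {peak}/s")
```

The input tuples can be exported from a monitor-mode capture with `tshark -r <capture file> -Y "wlan.fc.type_subtype == 12" -T fields -e frame.time_epoch -e wlan.bssid`, converting the first field to a float.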