Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Bowdon]

https://www.ispreview.co.uk/index.php/2017/10/krack-attack-internet-panics-big-wi-fi-flaws-wpa2-security.html

Security researchers have revealed bad news for WiFi wireless networks everywhere. Several key management vulnerabilities in the 4-way handshake of the WPA2 security protocol, which helps to keep modern Wireless Local Area Networks (WLAN) secure via encryption, have been found.

Hopefully by now everybody has ensured that their home wireless network and devices are all connected using the latest Wi-Fi Protected Access II (WPA2) method of encryption, which has so far served us all well. The bad news is that a string of new vulnerabilities have been discovered that could result in WPA2 secured networks being decrypted, hijacked and generally abused (it works against both WPA1 and WPA2 – personal and enterprise networks – and against any cipher suite being used like WPA-TKIP, AES-CCMP and GCMP).

As the US Computer Emergency Readiness Team (US-CERT) states, “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”

The details of all this are due to be published shortly via several vulnerability announcements (CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088) and the collection of flaws are being referred to as KRACK (aka – Key Reinstallation Attacks). A dedicated website has even been setup by the researchers to provide information on the incoming problem – https://www.krackattacks.com.

Apparently this is more focused towards Android and the advice is to update the software. Though the problem with androids are the updates dont get rolled out to everyone. I've not had an update in ages on my phone.

[sevenlayermuddle]

This does sound like a pretty big issue.   

But..  From the Beeb’s version, it’s unclear why Android and Linux are in the spotlight.  It’s a defect in the standards, so would affect all implementations.

http://www.bbc.co.uk/news/technology-41635516

I can only imagine,  maybe Chinese whispers, and a desire to create a good headline...

“It affects routers.”
“What’s a Router, is it a Microsoft thing?”
“No, most are Linux based.”
“What, like Android?  So this one affects Linux and Android.  Let’s go to print... “

That said, I am confident that Apple will fix iOS and Mac OS if they are affected, but I’ll wait with interest to see how long it will take for Billion to fix my Linux router, Panasonic to fix my Linux TV, etc etc...

[Chrysalis]

They will put a fix in a new model so you have to buy the fix, if I could have then I would have move my access point to pfsense but sadly still reliant on propriety kit.

[sevenlayermuddle]

I might buy be persuaded a new router, as mine’s about 4 years old.  If I were an Android phone user I might be persuaded to buy a new one because they are not that expensive, and ‘new’ always has benefit of new toys.

But I’m not about to replace the big TV that’s screwed to my wall, I regard that as Pananonic’s problem, and one that they should fix, if appropriate.

I’m  no lawyer but I strongly suspect, this being an error in the WiFi standards, it would automatically be accepted as a fault that was present when the TV sold, hence subject to the six year coverage of Sale of Goods Act...

Reference to Panasonic is purely as example of course.   I have no particular reason to assume their products are affected by this issue other than assumption (they are Linux based) and same issue may affect other consumer goods too, Linux or not.   

[Chrysalis]

my android phone cost more than my tv

[watcher]

Netgear have issued an advisory https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837

According to Netgear:

"...Your devices are only vulnerable if an attacker is in physical proximity to and within wireless range of your network.

Routers and gateways are only affected when in bridge mode (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router.

Extenders, Arlo cameras, and satellites are affected during a WPA-2 handshake that is initiated only when connecting or reconnecting to a router.  

Mobile hotspots are only affected while using WiFi data offloading, which is not enabled by default...."

[sevenlayermuddle]

The Netgear advice, and list of ‘conditions’ is open to interpretation.

Are they describing how the vulnerability affects all equipment, or just how it applies to equipment manufactured by Netgear?   My interpretation is the latter, they are describing just their own products.   If correct, that would suggest other manufacturers’ products therefor may or may not be vulnerable, in the same or different configurations, as listed by Netgear.

Important though, to get it all in perspective.   As far as I know it is a snooping vulnerability.   As long as the traffic is end-end encrypted, snooping is nothing to worry about, all they’ll see is the encrypted traffic.   But I really don’t know whether the likes of home security cameras have their own encryption or just rely on WiFis?

[smf22]

Important though, to get it all in perspective.   As far as I know it is a snooping vulnerability.   As long as the traffic is end-end encrypted, snooping is nothing to worry about, all they’ll see is the encrypted traffic.   But I really don’t know whether the likes of home security cameras have their own encryption or just rely on WiFis?

I have to say I'm taking a very similar view on this. For anything that's important e.g., financial transactions, I use systems that have a web browser that's updated regularly and that provides end-to-end security (authentication and encryption).... and on a wired PC.

Worrying about WPA2 being vulnerable is like considering your safety on the walk to your car, but then not giving a hoot about your own or others safety once you start driving it. We need to be conscious of our actions and safety throughout the entire journey.

[displaced]

But..  From the Beeb’s version, it’s unclear why Android and Linux are in the spotlight.  It’s a defect in the standards, so would affect all implementations.

Apparently there's an additional bug in Android/Linux's wpa_supplicant software, over and beyond the standards issue.

It's a really nasty one.  The KRACK attack method when applied to that software can actually reset the encryption key to all-zeros, immediately making all communications clear.

The author has a Q&A here: https://www.krackattacks.com/#faq

Apparently the fix can be made in a backwards-compatible way, so broken devices can interoperate with 'fixed' devices.

iOS and Win10 are vulnerable to only the most difficult attack and apparently a beta of iOS that's already in use by public testers provides a complete fix. 

There's a table of devices/OSs which the researchers tested against in this article:
https://arstechnica.co.uk/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

Personally, all my devices which leave the house with me are reasonably safe and will be completely safe (from this attack, anyway) after the next update. 

There are devices at home that concern me though.  Smart TVs, games consoles, Harmony Hubs, Nest Thermostats, Raspberry Pis -- all that stuff.  It appears that even if a router is fixed, the client can still be exploited to gain access to the WLAN.  That's the scary bit.

As for this being mitigated by encryption being used at a higher layer (e.g. https), that's true to an extent.  But there needs to be a new focus on ensuring every LAN service is also encrypted.  For example, are you sure the SMB/CIFS implementation USB Flash-Drive equipped WiFi network printer doesn't suffer from any of the multitude of SMB/CIFS bugs?  How about the DLNA protocol service on your TV, AV Receiver, Sky box?  Or every Chromecast-capable receiver?  And speaking of printers, do you type in a password every time you print to your wireless printer?

Of course, the chances of you personally needing to worry about this depends on your circumstances.  But I expect a lot of porn to suddenly start spewing from printers in apartment buildings, flats and uni dorms.

[jelv]

I thought I saw something yesterday that said Microsoft quietly issued a fix for this in the October patch Tuesday updates.

Edit: Not what I read but found this: https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability

[petef]

I thought I saw something yesterday that said Microsoft quietly issued a fix for this in the October patch Tuesday updates.

A quiet fix is the best approach. When a security vulnerability is discovered it ought to be reported privately to the affected parties. They should then have a fix deployed before the exploit is made public. If that is not done then it becomes zero-day.

[Browni]

A quiet fix is the best approach. When a security vulnerability is discovered it ought to be reported privately to the affected parties. They should then have a fix deployed before the exploit is made public. If that is not done then it becomes zero-day.

Indeed.

It appears that is what happened with most manufacturers quietly installing the requisite fix.

[burakkucat]

Red Hat have issued advisories and security updates of the "wpa_supplicant" binaries for its RHEL6 and RHEL7 products.

[WWWombat]

Same within Fedora, for versions 25, 26 and 27.

There's also a general tracker with a variety of vendor responses.

[broadstairs]

openSUSE have fixes in test and will probably be released later today.

Stuart