
Taking Hold of Your Signal - Critical Flaw Discovered in WPA2 Wi-Fi Security

What does "client side" mean here?
I have an antenna/AP/something on the roof I get internet from. Should I be worried it will get hacked by this?

probably yes, sounds like WiFi client.

Similarly, should I disable wifi on all the routers in the house?

You must remove clients (PC/phone/printer/whatever) from the WiFi network that are not updated. Basically, change the WiFi password and add only clients that are updated. BTW, why do you have routers in the house?
 
The WiFi encryption is independent of HTTPS going through it. The amount of critical webpages even allowing non encrypted traffic is becoming ridiculously small, so that trick to force it to downgrade back to normal HTTP is super unlikely. So, realistic chances for someone "hacking" you this way efficiently are incredibly small. It would require a very targeted attack for which home computers are frankly not worth it.

This again proves AES 256 is still very much secure, it's the handshake that was intercepted in this case. Technically, if they fix the handshake thingie, the problem is solved until someone else figures out other method.
Many other protocols running wild in the home network have no built-in security. They rely on the security of the underlying layers like WiFi, which in this case is compromised.
 
Great job showing all the details of the hack, so making it so popular that even an average Joe can now hack WPA2 Networks....

Actually, this was reviewed and disclosed back in May.
 
Good luck getting patches for Android phones, even the discontinued Windows Phone may get speedier patches :(
And that's the reason why I dumped that steaming pile of crap that is Android and went with the Apple iPhone instead. Guaranteed software updates for at least four years no matter where you are in the world or what carrier you have. You get the same iOS updates the same day everyone across the world gets it.

Thank goodness for unlocked bootloaders and LineageOS.
Yeah, if you're lucky your device has an unlocked bootloader like most Google branded devices have but if you have either a Samsung, LG, or HTC device... um, that's not the case.
 
Does this apply to WPA-2 Enterprise which uses certificates?
 
Don't think most consumer devices will get an update for this flaw. Mostly enterprise-grade WiFi APs will be updated in the next few weeks.
Not all consumer/enterprise devices have the flaw, as this vulnerability requires that the serving device be forced to accept an older, previously used key. Not all WiFi serving devices [routers and APs] do this, and not all client devices [PCs, tablets and phones] do it either. While this flaw exists in the WPA/WPA2 protocol, each device can be configured independently to use, or not use, individual features of the protocol. What is and is not vulnerable is going to greatly depend on how each device is configured to implement the key renewal procedure. Additionally, because there are different ways to renew a key based on how it was issued, exploiting a device is going to require that the attacker know what they are doing. "Script-kiddies" and amateurs are not going to be able to pull it off.
But why the AP? Every WiFi enabled device does the handshake and should be vulnerable, if I understood what this flaw does.
As stated above, it depends on how a device handles the key renewal. Handshaking is only one part of a very complex procedure.
That article is misunderstanding and misinterpreting the known facts and thus comes to a conclusion that is as flawed as the protocol they are discussing. Again, how the WPA protocol is implemented will define what device is and is not vulnerable. Not all devices can be exploited and as such not all devices need updating.
Good luck getting patches for Android phones, even the discontinued Windows Phone may get speedier patches :(
Most Windows phones, ironically, are already patched due to the discovery of a related vulnerability. Additionally, Android phones with 4.4.4 or earlier are NOT vulnerable. 5.0 is. 5.1 is not. 6.0.x is. 7.0.x is. 7.1.x is not. Some Linux distros are already patched as well. Hell, even Windows XP is OK.

The devil is in the details, and while this is a serious problem, not everyone should panic. WiFi serving devices [routers and APs] are going to be the most important type of devices to patch. Once that group is patched, the flaw will be mitigated because the serving device controls the key exchange and renewal. While a client device can still be exploited, once patched, a serving device will reject key streams from a tampered device, thus forcing a disconnection and reinitialization, which forces a complete key reset. The affected device will then try to reconnect and the serving device will create a new key that is unknown to the attacker.

It should be noted that this vulnerability is completely unrelated to the known problems with router password capturing due to packet sniffing and MAC address spoofing vulnerabilities inherent within the WPA/WPA2 protocols. However, those can only be used to gain access to a WiFi connection and steal internet. They cannot be used to view the data traffic coming in and out of the network itself. That is what makes "KRACK" so scary.
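The posts above argue about which side of the handshake matters. The core of KRACK is that a client which reinstalls an already-installed PTK on a retransmitted message 3 also resets its packet number, so the same nonce (and therefore the same keystream) is used twice. The following added example, which is not from this thread or from any vendor's code, models that key-install step for an unpatched and a patched supplicant; the keystream is a constructed HMAC stand-in for CCMP, and the key and frames are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-in for the CCMP keystream: HMAC-SHA256(PTK, nonce).
# Real WPA2 uses AES-CCM, but the property demonstrated is the same:
# the keystream depends only on (key, nonce), so a repeated nonce repeats it.
def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    block = hmac.new(ptk, nonce.to_bytes(6, "big"), hashlib.sha256).digest()
    return (block * (length // 32 + 1))[:length]


class Supplicant:
    """Minimal model of a client's key-install step after handshake message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0
        self.sent_nonces = []

    def on_message3(self, ptk: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying a PTK that is
        # already installed is answered but must not reinstall the key, because
        # installing a key resets the packet number (nonce) to zero.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.nonce = 0

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.sent_nonces.append(self.nonce)
        ks = keystream(self.ptk, self.nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))


def simulate(patched: bool) -> list:
    """Handshake, one data frame, a retransmitted message 3, a second frame.
    Returns the nonces used for the two data frames."""
    ptk = b"constructed-ptk-not-a-real-key!!"  # constructed sample key
    client = Supplicant(patched)
    client.on_message3(ptk)
    client.send(b"GET / HTTP/1.1")    # constructed frame 1
    client.on_message3(ptk)           # AP retransmits message 3 (its message 4 never arrived)
    client.send(b"Cookie: session")   # constructed frame 2
    return client.sent_nonces


def nonce_reused(patched: bool) -> bool:
    """True when the model reuses a nonce, i.e. repeats a keystream."""
    nonces = simulate(patched)
    return len(set(nonces)) != len(nonces)
```

Running `nonce_reused(False)` shows the unpatched model encrypting both frames under nonce 1, while `nonce_reused(True)` shows the patched model continuing to nonce 2, which is exactly the check the KRACK client-side fixes added.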
 
Thanks for your input. In the end, it is a client problem, but luckily not every client is automatically vulnerable. That is actually a big relief.
 
As much as I have read, the only fix is to patch, and the providers or companies need to release the patch for all the vulnerable devices, but this post suggests that using a VPN can also help if the provider whose device you own has not yet released the patch or ain't releasing it. Does it make sense?
 
If you absolutely need to get something done and you're not sure of your equipment, a VPN will help. But VPNs are slow, nobody wants to run through a VPN 24/7.
 
Depends on the VPN provider; if you get a decent one, they will be just as fast as if you are not using it.
 
Yeah, if you're lucky your device has an unlocked bootloader like most Google branded devices have but if you have either a Samsung, LG, or HTC device... um, that's not the case.
why are you false?

https://wiki.lineageos.org/devices/ so much samsung, lg, htc...

https://stats.lineageos.org/ so much non-google used, the first to appear is TENTH place

Most Windows phones, ironically, are already patched due to the discovery of a related vulnerability. Additionally, Android phones with 4.4.4 or earlier are NOT vulnerable. 5.0 is. 5.1 is not. 6.0.x is. 7.0.x is. 7.1.x is not. Some Linux distros are already patched as well.
https://review.lineageos.org/#/q/topic:krack-n+(status:merged) but there are multiple; if 7.1 is not affected, why did Lineage put the fixes into 7.1? Fedora didn't patch until the day of or the day after.
 
That LineageOS link doesn't open, however, and I couldn't find a reference in their current posts. Not saying that it's not there, just didn't find it myself. However, they may have proactively patched existing code with known fixes just in case. As for Fedora, as I stated, some Linux distros are already patched. This directly implied that not all have been and that, obviously, some will need patching. Fedora seems to have needed it and did so. How does that confuse you?
 
The link still works, or you could try an individual patch https://review.lineageos.org/#/c/193406/ then click the 'krak-n' topic.

What I meant by Fedora was that a distro known for being decently updated & secure didn't get the patch until after the huge disclosure.

Official Google ROMs for Pixel/Nexus also didn't get it until November according to news articles; Apple didn't until a similar delay, with 11.1 instead of 11.0.3 or something.

Just seems odd for MS to have a fix months in advance, while at the same time the issue is a complex series of bugs left open after disclosure & only OpenBSD patched early.
 
I see what you're saying now. And agreed, that seems a bit weird, even a tad iffy. Here at my home we just shut off the WiFi until verified patches are available. It's made things a little interesting. After telling most of my neighbors about all of this, many of them have done the same.
 
HTTPS was supposedly fine, so it's as if you used open WiFi or some restaurant with a shared key.

Boy, it could have been much worse if it was a major protocol issue like WEP, or if clients couldn't fix it.
 
I bet the NSA was sitting on this for a while, who knows what exploits they still have.

Maybe, and there's no system that is 100% safe or bug free.
 