-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
All your WiFi devices are broken, Android/Linux devices particularly devastated
- Thread starter emag
- Start date
Guess I need to wait for a patch then. Have the R7800 and their latest patch falls into the affected category. Oh well.
What do you mean by plugins?
Mainly Flash and Javascript.
Familienoberhauptvogel
Banned
I can't help thinking "all your wifi devices are belong to us" reading the title.
rockinreelin
Member
I switched to lineageOS a week ago. I came to realize that OnePlus ain't ever gonna touch the original OPO again lol.
RoadHazard
Gold Member
1. Stop using Flash
2. JavaScript isn't a plug-in
3. This has nothing to do with either of those
No, not at all. This is for operating systems and device firmware. For your computer, updating Windows is enough. For your phone, updating iOS (when 11.1 comes out) or Android (uhhh, whenever an update might come out for your device). And so on. Plugins like Flash (Javascript isn't a plugin) don't have anything to do with WiFi.
Your router would only need to be patched if you use it as an extender.
Your network card works through Windows, so you just have to update Windows.
The operating systems and firmwares of your phones, tablets, computers, game systems, IoT/smart home devices, and whatever else that connects to WiFi need to be updated when patches are made available.
Certain affected devices, particularly older ones that are vulnerable, may never see a patch. Some probably don't need a patch because you might not be transmitting anything valuable with them. But your phone, tablet, and computer at the bare minimum should be patched as soon as the patches are available.
EDIT: Sorry, I misspoke. Your router should also be patched ideally to patch the vulnerability for the Fast BSS Transition handshake if your AP supports 802.11r.
Since it came up, they've already fixed the issues and builds after today should be safe.
Well, yes and no. Yes in that to actually protect yourself from the possibilities of all the attacks, you will need to update.
No in that this vulnerability is unlikely to affect most people and you are at least protected from the 4-way handshake attack because funnily enough iOS does not properly implement the 802.11 standard (but you are still vulnerable to the group key attack and the 802.11r FT handshake attack).
Up to you. It's possible that Apple will release a security update for devices stuck on iOS 10 but it's likely that Apple would only do this for 32-bit devices that cannot update to iOS 11.
Maybe lucky for you, iOS 11.1 beta 3 sounds like it's been pretty good, though it's been less than a day of people using it.
What's an extender? If my router is just a normal router that connects to the modem and broadcasts wifi, I don't need to update it right?
For my phone, if I just use data when logging into financial sites instead of wifi, that would be fine?
Diprosalic
Banned
No you got it right. It's all about vicinity except that all wifi devices are at risk including your phone and notebook but if you turn wifi off you are fine.
So this will be fixed on the November Android security patch, and my Nexus 9 tablet reached end of life for security patches... this month. Such bullshit.
Wifi is a worldwide thing...
...?
Wifi is a worldwide thing...
NekoFever
Member
Can't speak for the existence of the team but they were updated last December. I remember being surprised because I have the original Time Capsule from like 2008.
The current iOS 11 isn't patched for this. The fix will be coming to the public in iOS 11.1, which is by all accounts more polished.
Blue Ninja
Member
I should probably look into switching OS' as well.
Ivellios
Member
Yeah that was a stupid question alright. So if i have a iPhone 4S that goes as far as IOS 9 im basically screwed?
And by saying to update the laptops do you mean updating Windows?
As I understand it: both, but for different reasons, and the client device (Phone, Windows) is the more important one.
* If you update your client device, that can connect to any router - even an outdated one - safely.
* If you update your router, any device that connects to it will do so safely, even if it is outdated.
So for any given connection, if *one* of the two devices is updated, it should be safe. Given the nature of Wifi, though, and the tendency to use it on-the-go, the client is probably the higher priority, because you can't do a security check on what AP you're connecting to.
Search here for the vendor to see any official responses. The link in the MS page has information on what you need to install.
close to the edge
Member
If there's a green lock icon in your browser to the left of the address bar, you're fine. However, when HSTS is not enabled on the server's side (which is something you can't influence as a user of a website), an attacker in a man-in-the-middle position can use sslstrip to downgrade the connection to HTTP, which is unencrypted (shown in the video by the researcher). Browses already warn you if you fill out forms on websites that use plain HTTP. For example, in ingocnito mode, Chrome shows a big "Not secure" badge next to the address bar when you're on a HTTP page with forms on it.
Thanks so much for this post, can we have it in the OP?
I skimmed everything but didn't see any direct imperatives for what I actually needed to do.
Think I'm safe. But would using a VPN add some security in the meantime? I've got one here.
You should have stopped using that thing the moment it stopped getting security updates last year. Its already vulnerable to a load of other exploits.
Hmm... I fail to see how a normal user would encounter any problems though.
RoninChaos
Member
God damnit. I don't want to upgrade to iOS 11. Now I have to.
The attack is against the client devices, not against the router. Patching the router is pointless (unless it's used in bridge mode). You need to patch every device that uses wifi, phone, tablet, computer, laptop, tv, smart fridge, whatever.
So if I'm using windows, I should be good no matter what the router is right?
If it's up to date, yes
Audioboxer
Member
Signing into my R7000 since the update and I get this popup
The fuck Netgear? This isn't a F2P router.
First time I've ever seen this, so maybe "advertisements" are a new feature along with the exploit patch? :/
The fuck Netgear? This isn't a F2P router.
First time I've ever seen this, so maybe "advertisements" are a new feature along with the exploit patch? :/
velociraptor
Junior Member
I have a Dell Inspiron 15-7559 Laptop
How do I figure out what my Wi-Fi chipset is and what drivers to download?
How do I figure out what my Wi-Fi chipset is and what drivers to download?
Only the first ARP request, or on really, really old networks.Like early 80s networks.
I'm keeping my ipad on ios 10 and I'm not really too worried about this. The 4-way handshake vulnerability (the big one) doesn't seem to work on any version of ios and the group key vulnerability would be almost impossible to use maliciously as far as I can tell. Hackers tend to go after the low hanging fruit and in this case that means Linux and Android 6.0 and later which are easily compromised.
You only need to update Windows.
I think that's the date the site has been updated.
TP-Link was listed as unknown and doesn't even show a date of being notified.
I have a C9 V1 so I want an update ASAP also.
Ivellios
Member
Doesnt matter if things are broadcast or not if the device is in listen mode (that is all WiFi frames are effectively broadcast when it comes to security, same for Ethernet fwiw). Thats how all WiFi hacking starts after all.
Dr. Zoidberg
Member
I wonder if the 3DS or Wii will ever be patched? Wii almost certainly not.
PS3? Vita? I'm guessing the 360 has more of a chance of being patched than the other legacy systems.
PS3? Vita? I'm guessing the 360 has more of a chance of being patched than the other legacy systems.
eot
Banned
I'm actually on iOS 9 something because I heard enough bad things about iOS 10 (annoying unlock feature specifically)
Lucky me though, the stone walls in our house block pretty much all WiFi signals anyway
RandomSeed
Member
I have an old ass TP-Link router that is past the point of firmware updates, but I did upgrade to the latest dd-wrt beta w/fix and it didn't brick my router, so that's good.
Last week (patched in October 10's Patch Tuesday).
Oh, ok that's good to know. Now I just have to worry about my phone.
I did update what you're replying to, in that all routers should ideally be patched because of the Fast BSS Transition handshake if the router supports 802.11r.
But using it as an extender or bridge means that you're using the router to "extend" the WiFi range, say in a large home where one router might not be able to cover everywhere.
Probably not. The danger of this vulnerability is very low for most people because it is difficult to pull off, requires the attacker to be in physical range of your devices, and requires specific implementations to do the most damage (forge data). You will still want to patch any device that you may take out of the home though, like a phone, tablet, or Switch (or well, you'll want the latest security patches for all your devices, period).
As of right now, yes you are screwed on an iPhone 4S. Important data SHOULD be fine as stuff like banking apps and all SHOULD be encrypted. And this attack is complicated and convoluted to pull off such that most people wouldn't ever actually fall victim to it (well, now that the exploit is known, maybe that is a different story). At some point you should move to a new device - not just because of these exploits, but the tons of other security updates that iOS brings.
Update Windows, yes. If you are on Windows 7 SP1 or the latest versions of Windows 8.1 or 10, you should be good assuming you don't have any outstanding updates available.
I don't think this is true. Patches for client devices and patches for access points are fixing different attack points. I may be wrong, but I don't think vendors can patch APs to compensate for the attack on the 4-way handshake.
Note that I did update my reply to your post.
Right now, what should you do? Update what you can. Keep an eye on security updates from the manufacturers of every WiFi-enabled device you own, including your routers. Be mindful about the devices you take around outside the home. Use HTTPS whenever possible. But I wouldn't say it's likely that someone in your area will take advantage of this and even more specifically take advantage of this against you.
A VPN would definitely help, but just make sure you have an actual good VPN, since so many, especially free ones, are complete shit in actual security and privacy.
If you have a single Netgear router in the home that's connected to a modem (or an ONT or whatever), then yeah you're fine against the main vulnerability because you're probably not using it in bridge mode, but your client devices still need to be patched.
If you use a mesh solution, like Netgear's Orbi system, I would assume those need to be patched as well because of 802.11r.
Worth patching the router for FT as well.
In specific scenarios, I think mostly if GCMP is used, "the AP as a gateway to inject packets towards any device connected to the network" but otherwise, no. This doesn't give you complete, unhindered access to all traffic across the network. (someone correct me if I'm wrong)
Just update Windows.
I could see the 3DS being patched because Nintendo actively updates it and they're still putting out games for it. The Wii? Nope. Does it even support WPA?
Considering Sony still does stuff for PS3 (in that PSN is available and PS+ still has PS3 games)... maybe? Their last update was just under a year ago in November 2016.
I'm actually on iOS 9 something because I heard enough bad things about iOS 10 (annoying unlock feature specifically)
Lucky me though, the stone walls in our house block pretty much all WiFi signals anyway
Well if you don't use WiFi anywhere else with your iPhone, then I guess you're good