Support NeoGAF

[Aiii]

It's CLIENT SIDE.

What we need is every WiFi device to get patched ie phones, laptops, servers, tablets, iot, pos systems... basically fuckin anything and everything

Client = your device ie your phone (not your router)

Yeah, this is incorrect. As per Engadget:

The problem should be relatively easy to fix. A firmware change can force routers to require a dedicated certificate for each handshake, instead of relying on the one already generated. And, as the security researchers who discovered it say, "implementations can be patched in a backwards-compatible manner."

That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa. Nevertheless, they also advise to patch all your devices as soon as security updates are available. For more details about the hack, check this very detailed FAQ from Aruba Networks.

 

[Apt101]

Client side only? Welp, good thing I don't use my wifi devices for anything other than bullshit. Thanks to working in healthcare IT any work-related stuff is secured, and of course all my financial stuff is encrypted.

 

[SuperBanana]

Would my phone be safe if I use data rather than wifi in public areas? They'd have to virtually be outside my house to get within range at home.

 

[Vanillalite]

How are you gonna deal with all these outdated Android devices, OEM manufacturers offer at most 2 year of updates for flagships and fuck all for anything else, oh boy.

From the white paper...

Our key reinstallation attack against the 4-way handshake uncovered special behavior in wpa_supplicant. First, version 2.3 andblower are vulnerable to our attacks without unexpected side-effects. However, we found that version 2.4 and 2.5 install an all-zero encryption key (TK) when receiving a retransmitted message 3. This vulnerability appears to be caused by a remark in the 802.11 standard that indirectly suggests to clear the TK from memory once it has been installed [1, §12.7.6.6]. Version 2.6 fixed this bug by only installing the TK when receiving message 3 for the first time [50]. However, when patching this bug, only a benign scenario was con-sidered where message 3 got retransmitted because message 4 was lost due to background noise. They did not consider that an active attacker can abuse this bug to force the installation of an all-zero key. As a result, the patch was not treated as security critical, and was not backported to older versions. Independent of this bug, all versions of wpa_supplicant reinstall the group key when receiv-
ing a retransmitted message 3, and are also vulnerable to the group key attack of Section 4.

Because Android internally uses a slightly modified version of wpa_supplicant, it is also affected by these attacks. In particular, we inspected the official source code repository of Android’s wpa_supplicant [32, 34], and found that all Android 6.0 releases contain the all-zero encryption key vulnerability. Android Wear 2.0 also is vulnerable to this attack. Though third party manufacturers might use a different wpa_supplicant version in their Android builds, this is a strong indication that most Android 6.0 releases are vulnerable. In other words, 31.2% of Android smartphones are likely vulnerable to the all-zero encryption key vulnerability [33]. ulnerabilityalso empirically confirmed that Chromium is vulnerable to the all-zero encryption key vulnerability [68].

 

[Aiii]

Client side only?

Again, no.

If your router is updated to always require a new encryption key during the authentication process, you will be safe. Yes, even if the client is not updated.

Just make sure you don't connect to unsafe networks, or when you do, that you do not transmit any sensitive data. But this should be common practice regardless on if you have patched your device or not.

 

[Dr.Phibes]

Thank god I live in Germany. Public WiFi is basically non-existent.

 

[paperboywriter]

Biggest breach ever?!

 

[sixteen-bit]

scary stuff

 

[Kill Your Masters]

How are you gonna deal with all these outdated Android devices, OEM manufacturers offer at most 2 year of updates for flagships and fuck all for anything else, oh boy.

Android devices are fucked either way. In 2 years, some new exploit comes out, and todays phones become vulnerable.

I assume OEMs don't care. Heck, the researchers and hackers are doing them a huge favor of seeling new devices through a fear that the old ones become vulnerable.

 

[Vanillalite]

Yeah, this is incorrect. As per Engadget:

Yes it's also a router issue, but people need to understand they need to update their individual devices and not just their router.

In hindsight I'll admit my post was flawed. I just didn't want people to think they are good without client patches too.

 

[Chittagong]

between this and Uber having access to your iPhone frame buffer at all times, privacy is dead

 

[Mindwipe]

Biggest breach ever?!

In terms of affected devices for a serious vulnerability maybe. Heartbleed would be pretty close. WEP was completely busted, but also declining in use by the time it became so.

 

[Aiii]

Yes it's also a router issue, but people need to understand they need to update their individual devices and not just their router.

In hindsight I'll admit my post was flawed. I just didn't want people to think they are good without client patches too.

Updating your router will make your network 100% safe.

Unsafe networks, public networks, are never safe. Patch or no. Regardless of sniffers, you should not be using them to do your internet banking or transmitting your cc data.

 

[Kill Your Masters]

Yes it's also a router issue, but people need to understand they need to update their individual devices and not just their router.

In hindsight I'll admit my post was flawed. I just didn't want people to think they are good without client patches too.

True.

Because your Wifi may be secure after updating but you basically never know if your friends/parents/whatever wifi is.

 

[LiK]

I update everything all the time. So I'll be checking tonight to see if anything needs ot be updated. But I'm not too worried about my own devices being hacked at this point. Don't use Android or Linux either and my PC and consoles are all wired.

 

[JettDash]

From the white paper...

Wait so are Android 7.0 devices vulnerable?

 

[reKon]

Cellular data is encrypted by CMEA, which is already extremely vulnerable.

God damn it.

Should I use cellular data + VPN?

 

[KarneeKarnay]

is my porn safe?

It was never safe.

 

[emag]

Yeah, this is incorrect. As per Engadget:

Updating your router will make your network 100% safe.

Unsafe networks, public networks, are never safe. Patch or no. Regardless of sniffers, you should not be using them to do your internet banking or transmitting your cc data.

Engadget doesn't know what they're talking about. Given that the attacker is targeting the client by replaying/spoofing messages, the vulnerability cannot be mitigated by any router-only patches.

Wait so are Android 7.0 devices vulnerable?

Yes, most likely any devices not patched after August 28 (apart from OpenBSD devices after July 15-ish) are vulnerable.

 

[Santiako]

Well, shit.

 

[Tal Shiar Agent]

I actually just wired my home for ethernet so the only wireless devices in my home are our smartphones.

 

[Stone Ocean]

Client side only? Welp, good thing I don't use my wifi devices for anything other than bullshit. Thanks to working in healthcare IT any work-related stuff is secured, and of course all my financial stuff is encrypted.

Same here, I only do important shit on my PC so I should hopefully be safe.

 

[MarkMclovin]

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

 

[panzone]

Thank god I live in Germany. Public WiFi is basically non-existent.

Doesn't matter. Your Wi-Fi signal doesn't stop immediately outside your office/house.

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

The idea behind the attack yes, it affect every WPA2 device. iOS however doesn't present the entire problem (you can only get the group keys) because its implementation doesn't respect correctly the standard. It's bad and it should be patched as soon as possible, but it's not as bad as android (like really? They don't check if they are using a zero-key? Really?)

 

[Berordn]

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

The OP explains it. The commonly used wpa_supplicant client which most Linux distros and Android devices use is particularly bad about storing private keys and can be broken much faster than the others.

iOS may or may not be just as bad, but being proprietary it can't be determined as easily.

 

[mattx5]

So if I have an old router that probably won't get an update, and I'm using a Macbook, installing the inevitable patch/update on my laptop won't be enough, I'll either need to hope for a router update or buy a new router?

edit: wait, so this is Linux/Android only for now?

 

[faint.]

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

iOS devices are at risk too, but Linux devices (which Android is based on) commonly use a certain method of encryption that put them at risk more so than other devices. You can read the Android section of the OP for more info.

 

[turmoil]

tfw both an android and linux user

I expect the desktop stack to be patched in no time

My 3 years old android though........

 

[reKon]

Engadget doesn't know what they're talking about. Given that the attacker is targeting the client by replaying/spoofing messages, the vulnerability cannot be mitigated by any router-only patches.



Yes, most likely any devices not patched after August 28 (apart from OpenBSD devices after July 15-ish) are vulnerable.

Why August 28th?

And damn, my Android security patch is as of August 1st.

This really fucks people who use older cheap Android devices like tablets. I hope Amazon and Lenovo are going to be patching their shit.

Also, I don't have Ethernet running to my desktop (running Windows 10) due to router location. Does using VPN help me out at all here? I'm good with doing any sort of transaction or banking as long as it's through https, correct?

 

[JettDash]

Yes, most likely any devices not patched after August 28 (apart from OpenBSD devices after July 15-ish) are vulnerable.

Thanks. My phone my says the last security update was August 1st.

 

[giga]

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

https://www.krackattacks.com/#details-android

 

[Kthulhu]

Frankly I'm just glad this was found by someone who made it public knowledge instead of the NSA or some hacker group.

Wait so are Android 7.0 devices vulnerable?

Looks like it.

 

[esmith08734]

Weird, so on Saturday, my router was blinking and Internet was down for maybe 15 minutes. I wonder if that was an auto-update. It's solid light when operational.

Best course is to just keep checking for security updates on devices connected to routers?

 

[TurboButts]

i don't think any of my neighbors are within range of my router.

am i good?

 

[panzone]

Also, I don't have Ethernet running to my desktop (running Windows 10) due to router location. Does using VPN help me out at all here? I'm good with doing any sort of transaction or banking as long as it's through https, correct?

Ideally yes, but not necessarily. There are several examples where you can bypass HTTPS.

 

[JettDash]

Would it be a good idea for me to turn down the power on my router. I currently have it set on max thinking that would get me the best coverage.

 

[Madn]

If i turn off Wi-Fi on all my routers and devices until a patch comes out am i fine?

 

[emag]

Why August 28th?

And damn, my Android security patch is as of August 1st.

This really fucks people who use older cheap Android devices like tablets. I hope Amazon and Lenovo are going to be patching their shit.

Also, I don't have Ethernet running to my desktop (running Windows 10) due to router location. Does using VPN help me out at all here? I'm good with doing any sort of transaction or banking as long as it's through https, correct?

August 28th is when vendors/manufacturers were notified of the vulnerability (OpenBSD was notified early and broke the patch embargo).

HTTPS (and possibly VPNs, depending on their specific implementation) is vulnerable to a man-in-the-middle attack in combination with this WPA2 exploit, but it would have to be specifically targeted (which is unlikely, as criminals focus on easier or higher-profile targets).

So if I have an old router that probably won't get an update, and I'm using a Macbook, installing the inevitable patch/update on my laptop won't be enough, I'll either need to hope for a router update or buy a new router?

edit: wait, so this is Linux/Android only for now?

The router update doesn't matter nearly as much as the client update, unless you're using the router as a repeater or the like (where it's itself a client for another network).

The vulnerability is even easier/worse on Linux/Android, but it affects MacOS/iOS/etc. as well. It's possible that the vulnerability has been patched in recent versions of iOS (11.x.x) and MacOS (10.13.x), but I'm not aware of anyone stating it definitively at this time.

 

[torontoml]

So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

 

[esmith08734]

And having macOS High Sierra and iOS 11 is good, correct?

 

[Vanillalite]

An Official list of when companies were told and when they pushed out a fix

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4


PS: Someone add this to the OP

 

[mclem]

"Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack."

So... are the other 59% on a certain version or beyond, or what? Something instead of the common wpa_supplicant?

 

[aspiegamer]

Can we have some kind of thread title that doesn't make it sounds like the devices literally don't function? Also, 41% of Android devices also doesn't sound like "all" (unless that's just one aspect of this, sorry).

 

[emag]

"Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack."

So... are the other 59% on a certain version or beyond, or what?

Android devices pre-6.0 are vulnerable, but not to the exceptionally devastating variant. 6.0+ are more vulnerable.

 

[magawolaz]

Can't find an update button on my router settings webpage.

Official website support page only shows firmware 1.00 dating back to 17/12/2015.

what do. I literally bought this router two months ago ;_;

 

[giga]

Can we have some kind of thread title that doesn't make it sounds like the devices literally don't function? Also, 41% of Android devices also doesn't sound like "all" (unless that's just one aspect of this, sorry).

*all* android devices are vulnerable. it's just 41% are particularly vulnerable to an even easier exploit.

 

[Zaraki_Kenpachi]

Thank god I live in Germany. Public WiFi is basically non-existent.

This sounds like it affects more than public WiFi?

 

[Transistor]

So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

That's what I'm wondering, too. I have the September security patch, so I should be good.

 

[Media]

As an android user, basically I just need to wait for an update to push?

Edit : okay nevermind Samsung already pushed an update. Whew.

 

[aspiegamer]

*all* android devices are vulnerable. it's just 41% are particularly vulnerable to an even easier exploit.

Thanks! Well, no, this is actually awful, but you know what I'm saying.