Support NeoGAF

[epmode]

So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

You shouldn't assume that a patch fixed anything until it's publicly confirmed.

Can't find an update button on my router settings webpage.

Official website support page only shows firmware 1.00 dating back to 17/12/2015.

what do. I literally bought this router two months ago ;_;

I don't think routers are the real problem (unless you're using them in an unusual manner). You need to patch most/all of your wifi devices once the security updates are available.

 

[Owzers]

I have a Comcast router/modem hybrid thing, what happens with those? An iPad 3 that doesn’t get ios 11?

 

[linkboy]

"Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack."

So... are the other 59% on a certain version or beyond, or what? Something instead of the common wpa_supplicant?

There's a lot of cheap Android phones (think straight talk as a prime example) that are still running lollipop and will never get an update.

 

[Vanillalite]

I love this guy. He ends his Q&A like a true GAFer...

So you expect to find other Wi-Fi vulnerabilities?

“I think we're just getting started.”  — Master Chief, Halo 1

 

[emag]

An iPad 3 that doesn’t get ios 11?

Don't use it for anything where you care about security.

So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

Anything that hasn't been updated since August 28th (outside of OpenBSD, July 15) is almost certainly vulnerable. Anything updated since then might be fixed, but there are few confirmations as of yet.

 

[mclem]

As an android user, basically I just need to wait for an update to push?

Edit : okay nevermind Samsung already pushed an update. Whew.

If you're referring to the page linked in this post:

An Official list of when companies were told and when they pushed out a fix

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4


PS: Someone add this to the OP

... I *think* that's saying that the last Samsung update was on Oct 12th, but that did not fix this vulnerability. I might be misreading it, though, or you might be referring to a different source.

 

[Kinokou]

So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?
-edit my post as I type it?
-see my password when I log into GAF?
-see my password when browsing GAF?

 

[Dr.Acula]

As I understand it, this is a targeted vulnerability against wifi transmissions. Meaning someone has to be in wifi range and targeting you, specifically. Practically speaking, the average person shouldn't be worried about their banking info being swept up in a large, general attack like a computer virus.

 

[SirMossyBloke]

Plus even though Samsung had an update on Oct 12th, a lot of these still are delayed by the carrier. My phone hasn't been updated since August 1st.

 

[Vanillalite]

If you're referring to the page linked in this post:



... I *think* that's saying that the last Samsung update was on Oct 12th, but that did not fix this vulnerability. I might be misreading it, though, or you might be referring to a different source.

That's how I read it to.

I assume they'll change the left column from affected or unknown to fixed/patched when done.

 

[smisk]

Maybe this is naive of me, but with stuff like this (also the Equifax leack) it feels like the number of targets is so large that I'm unlikely to be exploited. I mean, how many WPA2 devices do you think there are? I'm betting a couple billion at least.

 

[reKon]

So much for people avoiding upgrading to iOS 11.

 

[torontoml]

Don't use it for anything where you care about security.



Anything that hasn't been updated since August 28th (outside of OpenBSD, July 15) is almost certainly vulnerable. Anything updated since then might be fixed, but there are few confirmations as of yet.

Ok, not like I'm going to really change anything, doesn't seem like there is anything I can do when it comes to phones, but was curious.

 

[JettDash]

Maybe this is naive of me, but with stuff like this (also the Equifax leack) it feels like the number of targets is so large that I'm unlikely to be exploited. I mean, how many WPA2 devices do you think there are? I'm betting a couple billion at least.

Personally I have like 12.

 

[ponpo]

Debian stable and Arch already patched wpa_supplicant. Thanks linux.

 

[friskykillface]

Look at my porn then

 

[cpp_is_king]

Problem is bad, but OP is going a little too far. Attacker still cannot see https encrypted data (which honestly in this day and age covers pretty much everything important

 

[emag]

So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?

-see my password when I log into GAF?

Yes, assuming that the attacker has a device within WiFi range of your browser device.

-see my password when browsing GAF?

No. Once you're logged in, GAF operates based on cookies. Someone could copy that cookie, of course, but it shouldn't contain your password.

-edit my post as I type it?

No.

AFAIK, nothing is being sent while you're typing (only when you hit submit/preview).

 

[Big_Al]

Well that's me fucked then, I'm still using a Note 2 which has been doing the job just fine. Guess I'll have to upgrade sooner rather than later then as I sure don't see me getting a patch.

 

[JettDash]

Problem is bad, but OP is going a little too far. Attacker still cannot see https encrypted data (which honestly in this day and age covers pretty much everything important

In that case, I'm not even worried.

 

[ISee]

Oh great.
It will take ages for all carriers and ISPs to patch all modems/routers and handheld devices.

 

[esmith08734]

Problem is bad, but OP is going a little too far. Attacker still cannot see https encrypted data (which honestly in this day and age covers pretty much everything important

So, if you use port 443 you're okay - i.e. typing in https instead of just www.?

 

[Kinokou]

Yes, assuming that the attacker has a device within WiFi range of your browser device.



No. Once you're logged in, GAF operates based on cookies. Someone could copy that cookie, of course, but it shouldn't contain your password.



No.

AFAIK, nothing is being sent while you're typing (only when you hit submit/preview).

Thank you for tacking the time for my juvenile examples, it's really helpful since I'm not that security savvy.

 

[cpp_is_king]

So, if you use port 443 you're okay - i.e. typing in https instead of just www.?

Not strictly true, but it’s true enough that you can think of it that way.

This does allow an attacker to see your https data, btw, they will just not be able to do anything with it unless your actual device is owned (will just look like random garbage). But then they didn’t even need this attack to begin with

 

[esmith08734]

Not strictly true, but it’s true enough that you can think of it that way.

This does allow an attacker to see your https data, btw, they will just not be able to do anything with it unless your actual device is owned (will just look like random garbage). But then they didn’t even need this attack to begin with

I see, thanks, cpp. You're always saving me, lol. I will just be sure to get in the habit of prefixing all of my browsing with https.

 

[mclem]

Thank you for tacking the time for my juvenile examples, it's really helpful since I'm not that security savvy.

I'd say that taking the time to ask questions and find out puts you well ahead of 95% of the population!

 

[dc89]

Well I guess this is it.
Time to bury all my devices in a time capsule and just forget about them.

 

[NekoFever]

Why is android mentioned but not iOS devices?

This affects all WiFi devices that use WPA2 isn't it?

Android devices can have their encryption keys reset to a known value. iOS ones don't do that.

iOS devices will also actually get updated.

 

[reKon]

I'm expecting that rebranded Asus router from T Mobile to get patched...

I hope some time soon?

 

[cpp_is_king]

I see, thanks, cpp. You're always saving me, lol. I will just be sure to get in the habit of prefixing all of my browsing with https.

You shouldn’t even need to. Just type www, sites that support https at all almost always default to it. There are some rare exceptions

 

[Khrae]

Even Phil Collins is helping to spread the word...

 

[close to the edge]

Legacy devices (and their users) are fucked. All of their data belongs to anyone within WiFi distance who bothers to take it. Turn off WiFi, delete your accounts, buy new devices, or pray that no one takes what's sitting out in the open.

All of your WiFi communications are public. Anyone can see everything going both ways.

This is false. If you communicate via a secured channel (e.g. HTTPS, SSH, VPN), it's still as secure as that protocol is. You're losing the secondary encryption from WPA2, but your communication is still encrypted.

 

[Star Orpheus]

Can this exploit only be done if your within range of someone's wifi?

I live in a semi crowded area but my wifi doesn't work to far from my house and the locals don't strike me as to computer savvy.

 

[close to the edge]

Can this exploit only be done if your within range of someone's wifi?

Yes.

 

[TheDanger]

any word on Windows update that will patch this?

 

[bobs...onGaf]

So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?

 

[Shadax the wizard]

God damnit, I was using that!

 

[Condom]

No reason to become paranoid. WPA2 attacks are going to be rare for years.

 

[kami_sama]

So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?

Disabling SSID broadcast does nothing at all. Might be even worse in some cases iirc.
This would be used to snoop on your communications, I don't think you would be able to conecto to the access point.

 

[Michael F. Assbender]

any word on Windows update that will patch this?

Don’t worry. If you’re on Windows 10, you’ll be notified of the update while you’re doing something important, and just before your computer decides to install it and reset on its own.

 

[Somnid]

So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?
-edit my post as I type it?
-see my password when I log into GAF?
-see my password when browsing GAF?

This was always possible because GAF lacks TLS encryption (https). And on that note WPA is more to protect from people getting into your network, it's not really content protection, that is usually handled by a higher level network protocol like TLS.

 

[M52B28]

Can this exploit only be done if your within range of someone's wifi?

I live in a semi crowded area but my wifi doesn't work to far from my house and the locals don't strike me as to computer savvy.

I was worried about my parents, but I realized they live in the hood and should be safe lol

Nobody is gonna go around hacking shit when they have to go to work by bus at 6am. This isn't Watchdogs, yet.

 

[Sapiens]

Apples really good on security updates for devices thank fuck.

 

[The Albatross]

So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?

Yep, probably

-see what I post to GAF?

Sort of, as it would work the same as the first one, mostly by watching your traffic.

-edit my post as it is being posted to GAF?

Probably not. It's not impossible, just more difficult to intercept your post request as it's being submitted and then resubmit with something else. Not impossible, but just the effort involved is a good deal higher.

-edit my post as I type it?

No

-see my password when I log into GAF?

On Gaf, maybe, because Gaf doesn't use https:// which it really should. The password submission is still encrypted and salted, but the encryption method is usually pretty dated on forum software like this, and if a hacker is going through the trouble to snoop your traffic on a site like neogaf they'd likely be able to get the encryption key, which they could then use to decrypt your password as it's submitted. But, if you've logged in someplace where you're using a more private wifi (say like, at your house where it's unlikely that someone is sitting in your driveway snooping your data), then you're probably using a cookie to stay logged in. A hacker could snoop this cookie as it's passed over to neogaf, but most websites that deal with anything require more than just the cookie to pretend to be someone else, and will require another login.

-see my password when browsing GAF?

No, the password is only passed once when you log in. For websites that use https:// this is even less likely, but of course, NeoGaf does not use https://

 

[UpDownLeftRight]

So my router is WPA2 it seems. This means I'm not affected because the company provided me a shitty device using and already fucked security type right?

 

[epmode]

This was always possible because GAF lacks TLS encryption (https).

Didn’t GAF use HTTPS for a few days? If I remember correctly, it went back to HTTP because it broke some stuff. Ads, maybe?

 

[close to the edge]

So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?

1. I believe the security benefits of not broadcasting SSID are negligible. It's probably going to make it less likely for you to be attacked when there's lots of networks but a determined attacker isn't going to be deterred by that.
2. That's not gonna change anything. The only thing that would prevent is for the attacker to change your wifi password when he's gained access to your network (which wouldn't be a smart thing to do, since you can just reset your router and it'd alert you to their presence).

 

[Vanillalite]

Forbes

A Google spokesperson wrote in an email to Forbes: "We're aware of the issue, and we will be patching any affected devices in the coming weeks."

Microsoft confirmed it had rolled patches out already: "We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected."

 

[The Albatross]

So my router is WPA2 it seems. This means I'm not affected because the company provided me a shitty device using and already fucked security type right?

The flaw is in WPA2, which is one of the more common types of WiFi security. If your router has WPA2 it doesn't mean it's shitty, most of the best routers available that cost several hundred dollars also pack WPA2.

Didn't GAF use HTTPS for a few days? If I remember correctly, it went back to HTTP because it broke some stuff. Ads, maybe?

Secure certs cost money, high traffic websites will cost more, and because of the extra levels of security, some things that would have previously worked might not. For instance, for users with strict security settings, any content loaded over http:// on an https:// website will be blocked. For most users, it's not blocked but your console throws a warning. So, if you have strict settings, many things like people posting images, gifs, etc., would be blocked unless their image host uses https:// for hosting, which again, many do (imgur does, but again, it's more expensive so not everything does). There's some content that will be blocked, like CSS, JS, and other external resources will be blocked by the browser, which could affect ad delivery networks if they don't take security seriously (an dreally, ad networks should take security seriously because it's the easiest way for a hacker to exploit tons of users).

That all said, for any semi-major website, there's no excuse for not using https:// anymore. Like, if you're worried about the cost, you're going to end up eating it one way or another at some point, either you're eating it for slightly higher cost now or you're eating it having to spend money fixing a hack later.

So, if you use port 443 you're okay - i.e. typing in https instead of just www.?

The website has to support https://
If you type https:// into a website that doesn't have TLS set up, it won't do anything. In most cases, your browser will give you warning that you've entered https:// but there is no secure certificate.

 

[Somnid]

Didn’t GAF use HTTPS for a few days? If I remember correctly, it went back to HTTP because it broke some stuff. Ads, maybe?

It did, but the ad network Evilore does business with had issues with it. Gotta pay the bills, but I wish he would dump them for someone else.