
All your WiFi devices are broken, Android/Linux devices particularly devastated

Kinokou

Member
This was always possible because GAF lacks TLS encryption (https). And on that note WPA is more to protect from people getting into your network, it's not really content protection, that is usually handled by a higher level network protocol like TLS.

Yep, probably



Sort of, as it would work the same as the first one, mostly by watching your traffic.



Probably not. It's not impossible, just more difficult to intercept your post request as it's being submitted and then resubmit with something else. Not impossible, but just the effort involved is a good deal higher.



No



On Gaf, maybe, because Gaf doesn't use https:// which it really should. The password submission is still encrypted and salted, but the encryption method is usually pretty dated on forum software like this, and if a hacker is going through the trouble to snoop your traffic on a site like neogaf they'd likely be able to get the encryption key, which they could then use to decrypt your password as it's submitted. But, if you've logged in someplace where you're using a more private wifi (say like, at your house where it's unlikely that someone is sitting in your driveway snooping your data), then you're probably using a cookie to stay logged in. A hacker could snoop this cookie as it's passed over to neogaf, but most websites that deal with anything require more than just the cookie to pretend to be someone else, and will require another login.



No, the password is only passed once when you log in. For websites that use https:// this is even less likely, but of course, NeoGaf does not use https://

Thank you for taking the time to add answers. Today is a day I learn it seems
 
The flaw is in WPA2, which is one of the more common types of WiFi security. If your router has WPA2 it doesn't mean it's shitty, most of the best routers available that cost several hundred dollars also pack WPA2.

Ah ok, for some reason I was getting WEP and WPA mixed up. Well damn, at least it's not an outdated type. Now to see if we're getting an update today. I'm almost tempted to call BT but getting the call escalated to the people that matter would take weeks anyway.
 

aravuus

Member
Just realized that ever since I upgraded to an unlimited 4G data plan with my Android phone, my iPad and Kindle are the only devices I use wifi on, and I guess neither is particularly vulnerable to this?
 
Quick question, I have an iPhone and I'm guessing it's vulnerable.

Now, while paying bills through my phone, is it safe to do so over my LTE?


Also, would it be advised that while billing from my laptop I connect it to the router with an ethernet cable?

Just looking for the safest routes at the moment.
 

Vanillalite

Ask me about the GAF Notebook
Does this exploit affect both WPA2-Personal and WPA2-Enterprise? Sounds like this is just WPA2-Personal.

Per the Q&A

I'm using WPA2 with only AES. That's also vulnerable?

Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack!
 
I'd like to know this as well, from my understanding it only exposes WPA-2 Personal, but I'd like some confirmation.

The attack affects the handshake part of the protocol, which means all variants of WPA are affected. Quote from https://www.krackattacks.com/
This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES.
 

Somnid

Member
Quick question, I have an iPhone and I'm guessing it's vulnerable.

Now, while paying bills through my phone, is it safe to do so over my LTE?


Also, would it be advised that while billing from my laptop I connect it to the router with an ethernet cable?

Just looking for the safest routes at the moment.

Doesn't matter. That is usually protected with TLS (https) which is a secure connection between your computer and the server. It would still be safe even on an openly shared network.

Also, people on mobile data should worry more about companies simply selling their data:

https://techcrunch.com/2017/10/15/m...-your-number-and-location-to-anyone-who-pays/
 

Shauni

Member
So, basically, if I understand right, anything used with WiFi is potentially at harm until those devices are patched by the companies (laptops, phones, etc.)?
 

Plum

Member
This needs to be front page news tbh. Internet safety and anti-hacking measures are something the vast majority of people don't know jack shit about, keeping this to tech websites with tech jargon (thanks for clarifying that, btw) is preaching to the choir, and we need to do more than that.
 

epmode

Member
So to be clear, someone would basically have to connect to your router to creep on you? Would a program like this help to verify if a rogue device is on your network?

I believe this vulnerability allows attackers to intercept packets between your router and your device. The attacker does not have to connect to your network to do it.

edit: The attacker still needs to be in range of your wifi device, however!
 
I believe this vulnerability allows attackers to intercept packets between your router and your device. The attacker does not have to connect to your network to do it.



Yes. MS says they’ve already patched the vulnerability so I assume anyone with a fully updated Windows 7/8/10 is safe.

Wait, I thought it was local only?
 
Quick question, I have an iPhone and I'm guessing it's vulnerable.

Now, while paying bills through my phone, is it safe to do so over my LTE?


Also, would it be advised that while billing from my laptop I connect it to the router with an ethernet cable?

Just looking for the safest routes at the moment.

It's probably likely that your bill payer is secured via TLS (https://), so that data is encrypted between your device and the server. If you're paying bills through any service that doesn't use TLS (https://) then you've always been at risk, and you should stop using that service.

I mean, it's always a risk. There's risk involved in anything, it's just a question of how much effort you want to go through to mitigate risk. There's risk in sending a check in the mail, there's risk in handing someone cash for something. There's risk in carrying your credit card in your wallet.

The safest way, given this, would be to use something like Android Pay, Apple Pay, Samsung Pay, etc., along with an ethernet connection, on an https:// connected service. But, let's be honest, if you haven't thought about updating your router's security, or your modem's security, or anything else, in the last 5 years, then who knows there's probably some exploit somewhere by somebody who wants to get that data. Or maybe the bill payer you use has an employee who has access to secure data (probably not financial data, but still) and they connect to their company's network via WiFi, and then however secure you make yourself there's still some risk.

I believe this vulnerability allows attackers to intercept packets between your router and your device. The attacker does not have to connect to your network to do it.

Wait, I thought it was local only?

They still have to have some sort of connection to your router, but I think epmode means they don't have to show up as an approved device using your router, but they'd have to be within range of the Wifi signal to do this. They're not "connected" to your wifi like how you'd think of a friend using your Wifi via their iPhone or something, but they still have to be within range of the signal. Like, someone in Jakarta could not connect to your insecure router in Omaha Nebraska and snoop data from it.

Now, obviously, with sophisticated devices and with what someone is trying to get from it, the 'range' of your router is much greater than with typical consumer devices. With a typical consumer device, phone, laptop, IoT device, console, etc., the "range" is much shorter because the devices are expecting you to be doing something with the router like playing a game or sending photos, which requires a fairly strong signal, so maybe a couple hundred feet or something. But, if the device is trying to snoop packets coming and going, then it doesn't need as strong of a connection and so the range extends much further than that, especially with something that is designed to do this (like security tools from the FBI or any infosec group)
 

Aiii

So not worth it
Engadget doesn't know what they're talking about. Given that the attacker is targeting the client by replaying/spoofing messages, the vulnerability cannot be mitigated by any router-only patches.

No, if your router is patched, your unpatched client device is protected on that network as well. Just how it is, if one of the devices in the handshake is patched for the vulnerability, the exploit is rendered useless, since you can no longer keep forcing keys in the 4-way handshake and thus can no longer intercept the traffic.
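The key reinstallation this thread keeps referring to (a replayed handshake message 3 making a client install the same key again), as an added toy model that is not part of any post here. The `Supplicant` class, the SHA-256 keystream and the sample key and frames are constructed assumptions standing in for a real Wi-Fi client and its cipher; the patched branch shows the client-side fix of refusing to reinstall a key already in use.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || block); a stand-in for CCMP/GCMP."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

class Supplicant:
    """Client side of the handshake, reduced to key installation and the transmit nonce."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0
        self.seen = set()  # (key, nonce) pairs already used for encryption

    def on_message3(self, session_key: bytes) -> None:
        # Simplification: the real key is derived by both sides, not carried in message 3.
        if self.patched and session_key == self.key:
            return  # key already installed: keep the current nonce
        self.key = session_key
        self.tx_nonce = 0  # (re)installing the key resets the nonce

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        pair = (self.key, self.tx_nonce)
        reused = pair in self.seen
        self.seen.add(pair)
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, bytes(p ^ k for p, k in zip(plaintext, ks)), reused

def replay_message3(patched: bool):
    """Install the key, send a frame, receive message 3 again, send another frame."""
    key = b"constructed-session-key"            # constructed sample value
    p1, p2 = b"frame one data", b"frame two data"  # constructed sample frames
    client = Supplicant(patched)
    client.on_message3(key)
    n1, c1, _ = client.send(p1)
    client.on_message3(key)  # retransmitted message 3
    n2, c2, reused = client.send(p2)
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    same_keystream = xor(c1, p1) == xor(c2, p2)
    return n1, n2, reused, same_keystream

if __name__ == "__main__":
    print("unpatched:", replay_message3(False))
    print("patched:  ", replay_message3(True))
```

In the unpatched run both frames go out under nonce 1 with the same keystream, which is the condition the patches remove; TLS traffic inside those frames stays encrypted either way.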
 

Drazgul

Member
Safe for now if I just disable wifi altogether on my Nexus 5? Not like I use it much anyway and I've unlimited mobile data.
 

red731

Member
Ayyy.

Well, since I can't check any open wifi and if it was fixed no open wifis for me for a long time.
Already told that to wife, family, IT and will do steps on whatever router parents have.

My MikroTik router seems safe.
 

Paganmoon

Member
The more I read on it, the more I'm thinking this really won't affect properly implemented WPA2-ENT environments. This hijacks the connection, with a MITM, which in a proper Enterprise environment shouldn't be possible, as you've set up your clients to only connect to a certain SSID and verifying the Certificate issuer during handshake.

Unless the hijack starts after the client has verified the certificate issuer...

Not that all clients and AP shouldn't be patched immediately, just that enterprises IT-security might not have to sweat bullets for a few days.
 
The wonders of modern technology am I right? It is still shitty that hackers still go after the little man just for some quick cash, stealing information etc.
 
Thankfully I have a recent Sony phone and they have been way more on the ball about patching in the latest Android security patches than other phone manufacturers I have used phones from. My phone is on the October 1, 2017 patch level and apparently a fix on Google's end will be in the November patches, if Sony doesn't get to it themselves first.

Still going to push an update to my Unifi AP when I get home.
 

linkboy

Member
The more I read on it, the more I'm thinking this really won't affect properly implemented WPA2-ENT environments. This hijacks the connection, with a MITM, which in a proper Enterprise environment shouldn't be possible, as you've set up your clients to only connect to a certain SSID and verifying the Certificate issuer during handshake.

Unless the hijack starts after the client has verified the certificate issuer...

Not that all clients and AP shouldn't be patched immediately, just that enterprises IT-security might not have to sweat bullets for a few days.

I think the big issue will be public WiFi like coffee shops. Doesn't look like it would be too hard for someone to spoof a network in the parking lot and just mine data.
 
So to be clear, as a user there's nothing I can do outside of not using WiFi and waiting for Windows/Android/router/etc updates?

Will devices such as the Switch, 3DS, Vita, etc, just forever be unsafe now if they don't get updated?

My PC is a wired connection that goes into my router, also. Is that also unsafe?
 
So to be clear, as a user there's nothing I can do outside of not using WiFi and waiting for Windows/Android/router/etc updates?

Will devices such as the Switch, 3DS, Vita, etc, just forever be unsafe now if they don't get updated?

My PC is a wired connection that goes into my router, also. Is that also unsafe?

Yeah, this is what I'm wondering. Is there a "to-do" list of some sort for the average user? How do I protect my Android phone, my laptop, while at work, my home WiFi network, etc?
 

darkwing

Member
So to be clear, as a user there's nothing I can do outside of not using WiFi and waiting for Windows/Android/router/etc updates?

Will devices such as the Switch, 3DS, Vita, etc, just forever be unsafe now if they don't get updated?

My PC is a wired connection that goes into my router, also. Is that also unsafe?

technically, consoles have to be updated too to be safe
 

Random Human

They were trying to grab your prize. They work for the mercenary. The masked man.
I have an old Android tablet I use as a "remote" for Chromecast - that's literally all I use it for. Is this insecure now? It sends no personal data beyond what I'm watching on Netflix or YouTube. However, the device is linked to my google account. Should I stop using it?
 

darkwing

Member
I have an old Android tablet I use as a "remote" for Chromecast - that's literally all I use it for. Is this insecure now? It sends no personal data beyond what I'm watching on Netflix or YouTube. However, the device is linked to my google account. Should I stop using it?

are you using it in public places?
 
I have an old Android tablet I use as a "remote" for Chromecast - that's literally all I use it for. Is this insecure now? It sends no personal data beyond what I'm watching on Netflix or YouTube. However, the device is linked to my google account. Should I stop using it?

Somebody correct me if I'm wrong but this does only affect you if you get attacked at close proximity?

So if you have known hackers in your neighbourhood or if hackers want to come to get you then yes.

Otherwise, probably not?

This type of fearmongering is the equivalent of all the Space news with "groundbreaking" discoveries where you think aliens are about to invade but then they just found two stars colliding or some shit. The experts make it sound like your wifi can be hacked with a "press to hack" button from anywhere in the world.
 

Vanillalite

Ask me about the GAF Notebook
They have to be on site so to speak for the attack it seems.

Don't worry so much about your home as WiFi stuff for business especially small business.

Things like WiFi security cameras or point of sale systems or whatever even beyond just public networks.
 