Support NeoGAF

[Noema]

It's CLIENT SIDE.

What we need is every WiFi device to get patched ie phones, laptops, servers, tablets, iot, pos systems... basically fuckin anything and everything

Client = your device ie your phone (not your router)

This needs to be emphasized. Updating the router is not enough. It needs to be stated that WPA2 itself has not been cracked. The vulnerability lies within the multi-step handshake process between client and router. That's why the client needs to be patched.

I'm pretty sure Windows, MacOS, iOS, Xbox Ones, PS4, Switches, etc will be patched pretty soon. Google will no doubt roll in a fix into the next monthly security for Android. Hopefully Chromecasts will be patched promptly.

The problem is the billions of Android devices (and older iOS devices) that will never be updated, as well as hundreds of millions of Smart TVs. A single outdated vulnerable client can compromise the whole network.

I have a lot of old devices. I don't really care if people spy on which YouTube videos I watch or which NeoGAF pages I visit. However, I obviously do care about banking information and similar content.

Can I continue to use my standard WiFi for most things and then switch to Ethernet for all financials? Or would that approach still make me unsafe?

Sure as long as the Ethernet device is on an Ethernet only network that cannot be compromised by vulnerable wifi devices on the same network.

 

[Canklestank]

Related, but slightly tangent: Is there a successor to WPA2? Either already here or in the works? It's been around since 2004. That's a long time for vulnerabilities to be found. I guess that says a lot about how good it is, but you'd think we'd have moved on by now.

 

[Yukiari]

This needs to be emphasized. Updating the router is not enough. It needs to be stated that WPA2 itself has not been cracked. The vulnerability lies within the multi-step handshake process between client and router. That's why the client needs to be patched.

I'm pretty sure Windows, MacOS, iOS, Xbox Ones, PS4, Switches, etc will be patched pretty soon. Google will no doubt roll in a fix into the next monthly security for Android. Hopefully Chromecasts will be patched promptly.

The problem is the billions of Android devices (and older iOS devices) that will never be updated, as well as hundreds of millions of Smart TVs. A single outdated vulnerable client can compromise the whole network.

So say a smart tv is vulnerable, what could a hacker do to a smart tv?

 

[Noema]

So say a smart tv is vulnerable, what could a hacker do to a smart tv?

It's not about what he can do to the Smart TV. It's the fact that he can exploit the vulnerability of an unpatched Smart TV by piggybacking on its handshake to gain access to your network.

 

[Random Human]

This needs to be emphasized. Updating the router is not enough. It needs to be stated that WPA2 itself has not been cracked. The vulnerability lies within the multi-step handshake process between client and router. That's why the client needs to be patched.

I'm pretty sure Windows, MacOS, iOS, Xbox Ones, PS4, Switches, etc will be patched pretty soon. Google will no doubt roll in a fix into the next monthly security for Android. Hopefully Chromecasts will be patched promptly.

The problem is the billions of Android devices (and older iOS devices) that will never be updated, as well as hundreds of millions of Smart TVs. A single outdated vulnerable client can compromise the whole network.

So in other words I should just stop using my old Android tablet even if I'm not transmitting any personal data?

 

[AyzOn]

I'm still on my good old HTC One M7, HTC stopped supporting it so I guess I have to get rid off it now?

 

[clav]

DD-WRT patched. If you know how to compile your own builds, then you're good to go. Otherwise, wait for next public releases although 8 MB setups using kernel version 3 are broken on latest builds (firmware sizes are too big).

edit: Someone posted already. Check posts back.

 

[Gamegeneral]

Jeezus. I'm going to have a nightmare of a headache fixing all the devices in my house.

 

[Diprosalic]

So in other words I should just stop using my old Android tablet even if I'm not transmitting any personal data?

nah. just patch all your other stuff.
communication between patched and unpatched devices is safe.

 

[TripleBee]

Is there really that much incentive to use an exploit like this against home users. Half the people out there have their router login as admin/admin - yet there isn't wide spread stealing of their information. Or does HTTPS pretty much negate banking info etc from getting out.

 

[emag]

So in other words I should just stop using my old Android tablet even if I'm not transmitting any personal data?

I'm still on my good old HTC One M7, HTC stopped supporting it so I guess I have to get rid off it now?

That depends on your tolerance for risk. Are you okay with whatever information you enter[ed] on the device (network/service passwords, at least) being available to -- and any data from the outside world being read/modified by -- anyone within WiFi range?

 

[Yukiari]

It's not about what he can do to the Smart TV. It's the fact that he can exploit the vulnerability of an unpatched Smart TV by piggybacking on its handshake to gain access to your network.

Okay, I just worry about my mother who doesn't understand any tech stuff and I'll have to help her patch all this and I'm trying to understand myself. Thank you.

 

[texhnolyze]

Yes it’s worldwide, yes you need to update, and no using WiFi is not safe.

Anyone who can’t or doesn’t know how to patch their network/devices who can get hardwired should do so.

The router you’re using doesn’t have much to do with whether or not you’re vulnerable to this attack.

Your PC is the client. If the client is patched, then it’s OK. Microsoft said they’ve already pached the problem so you should be OK if you’re running a fully updated Windows 7, 8, or 10.

I’d like some confirmation on MS’ fix though.

And yes, this affects virtually all wifi devices worldwide.

Well, damn.

Yeah, my PC has been updated earlier.

Hoping for the best as I live in an apartement.

 

[RuGalz]

A lot of talk about https connection will be 'okay'. But typically a single device isn't limited to only using https or secured connection for everything so all those traffics are vulnerable.

Now correct me if I'm wrong, isn't it theoretically possible for an attacker to penetrate one device with malware if they just get a hold of one connection and have that malware spread across the other devices on the network? That's probably more catastrophic.

 

[clav]

A lot of talk about https connection will be 'okay'.

False.

Watch since people hate reading:

https://youtu.be/Oh4WURZoR98

 

[WalshyB]

People think Microsoft had it in the patch last Tuesday after being notified before this whole thing went public.

Still need to wait for an actual confirmation though.

 

[Gaogaogao]

More evidence I need an iPhone

 

[Deleted member 465307]

Sure as long as the Ethernet device is on an Ethernet only network that cannot be compromised by vulnerable wifi devices on the same network.

Ah, so, when doing sensitive activities, make sure that I'm using Ethernet for the active device and that all other devices that use WiFi have been disconnected?

 

[pronk420]

To be clear, if there is an un-patched device on your wifi network (e.g. a TV), then no matter what you do to your router or other devices, someone could snoop all traffic on your wifi network?

Obviously some of that would be encrypted but if they could see non-encrypted traffic that would be bad.

edit:
also does this mean my neighbours can steal my wifi as long as there is an un-patched device on the network?

 

[jelly]

Is there really that much incentive to use an exploit like this against home users. Half the people out there have their router login as admin/admin - yet there isn't wide spread stealing of their information. Or does HTTPS pretty much negate banking info etc from getting out.

You need to be connected to the router first before getting the basic admin log in, not the same thing. You still need the Wifi password, the router log in is after that.

 

[BrokenFiction]

Read this, feel better:

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

Regarding Krack Attacks — WPA2 flaw

So there’s a new Wi-Fi attack. In the media it is being presented as a flaw in WPA protocol which isn’t fixable. This isn’t true.

Before we all burn the house down, however, and declare security problems not fixable, let’s get to some important things for organisations:

• It is patchable, both client and server (Wi-Fi) side.
  
• Linux patches are available now. Linux distributions should have it very shortly.
  
• The attack realistically doesn’t work against Windows or iOS devices. The Group vuln is there, but it’s not near enough to actually do anything of interest.
  
• There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.
  
• Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don’t patch.

My suggestion for organisations is they ask their Wi-Fi network providers for patches — this is absolutely patchable, as per the researcher’s own website.

 

[low-G]

I took it from the other thread, but a quick google shows that it was Alex Hudson, Iron Group CTO

https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/

Not sure if reliable at all...

Thank you for the source.

I wonder what the context of that quote really was, because it is not the case with all attacks with this flaw. Maybe under specific circumstances, such as attacking the router-> client communications?

 

[Dreams-Visions]

Read this, feel better:

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

but nothing has said it's "not fixable". On the main website it specifically says that software updates will address this. derp?

 

[Chezzymann]

I have an old moto g that doesn't receive any updates. Is there nothing I can do?

 

[RuGalz]

False.

Watch since people hate reading:

https://youtu.be/Oh4WURZoR98

Yea I'm aware, hence the quotes. But thanks for the video link.

Read this, feel better:

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

It's downplaying it a bit too much IMO. It takes ONE highly skilled person to write the code and that can be sold or passed on to everyone else out there. The method of attack is described in the paper already, getting that to work for someone without source code will just take a day.

 

[clav]

I have an old moto g that doesn't receive any updates. Is there nothing I can do?

Consider switching to LineageOS. This will require a full wipe of your phone.

No patches out yet though.

Yea I'm aware, hence the quotes. But thanks for the video link.

Didn't meant to insult you. I notice people here post reactionary responses and tend to not read.

 

[low-G]

Is there really that much incentive to use an exploit like this against home users. Half the people out there have their router login as admin/admin - yet there isn't wide spread stealing of their information. Or does HTTPS pretty much negate banking info etc from getting out.

The router login is one thing, but people usually use half-decent keys for their WPA key, which is the whole thing this bypasses. The WPA key being the thing that keeps the entire thing secure in the first place.

But you're right there isn't much incentive to attack non-rich & non-gov't people with this attack because you are really only targeting one connection at a time.

 

[pronk420]

It's downplaying it a bit too much IMO. It takes ONE highly skilled person to write the code and that can be sold or passed on to everyone else out there. The method of attack is described in the paper already, getting that to work for someone without source code will just take a day.

Yeah, and being 'at the base station' is quite easy for people who live in blocks of flats (I'm assuming they don't actually mean you need to be able to physically touch the base station).

And if it is possible then it will take next to no time for someone to write tools to let you use your neighbours wifi or snoop their internet traffic.

 

[sangreal]

So does this essentially mean POS systems are compromised and credit card data is there for the taking till they're patched?

no

it could be used as a vector for other exploits but it doesn't break encryption of the underlying communications. It's like if you run wireshark on your pc, you still won't be able to see what is inside all those TLS packets

 

[CloudyTuba]

And all the IT people collectively said: For fuck's sake. Workload incoming.

 

[Ponn]

Yea I'm aware, hence the quotes. But thanks for the video link.



It's downplaying it a bit too much IMO. It takes ONE highly skilled person to write the code and that can be sold or passed on to everyone else out there. The method of attack is described in the paper already, getting that to work for someone without source code will just take a day.

It still doesn’t sound like the sensationalistic “ALL YOUR WIFI DEVICES ARE HACKED!! “. I’m not a fan of chicken littleing when it comes to tech. It happens often and everytime it’s the apocalypse but for the general population it creates apathy.

Update your devices normally like you should be doing should be the clear concise message without the hyperbole. With a caveat for older android device users.

 

[tzare]

so. if the router is patched, is the wifi network safe even if unpatched smartphones connect to it?
Because i see it easier to patch the router, than old devices like 3ds vita and some smartphones

 

[Ahasverus]

Oh no, they'll see my yaoi habits.

 

[Futureman]

So it sounds like MS is on top of it and my Surface Pro 4 should be OK (I have auto-updates on... anyone know if it's been applied yet? EDIT: according to an article on the Verge, the security patch has already been released by MS).

I also have an iMac and MBP both on Sierra. Will I have to update to High Sierra?

Then I have a 6S Plus and Galaxy S7... any word on those?

 

[PillarEN]

I don't know what's going on. Oh well, head in the sand. I'll be blissfully oblivious and hope nothing happens to me.

 

[KHarvey16]

Read this, feel better:

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

Firstly, I haven’t seen anyone suggest this isn’t fixable. Second, the researchers describe the effort to attack the newest versions of wpa_supplicant as “trivial.” The descriptions they’ve provided seem to be enough for anyone familiar with wireless implementation and coding to exploit. That’s part of why so much effort has been made to privately disclose and work on updates prior to public release.

 

[Dr.Phibes]

Doesn't matter. Your Wi-Fi signal doesn't stop immediately outside your office/house.

The next house is about a mile away.

 

[low-G]

The next house is about a mile away.

Check nearby trees for hackers

 

[Lord Error]

Read this, feel better:

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

That doesn't make me feel particularly better tbh. Even though I have no bespoke Linux PCs or Android phones or tablets on my network, PS3 and PS4 and freebsd OS based, which is **ix system. My Nest thermostat is running on some variation Android (I'm pretty sure). 3DS is on god knows what, but I wouldn't bet anything on it being very secure. Then there's Vita, again freebsd and probably not seeing many updates... On top of all that, I use Apple TimeCapsule as a router, and they've stopped development of those some time ago (and I can't even remember the last time there was any firmware update for TC)

 

[RuGalz]

It still doesn't sound like the sensationalistic ”ALL YOUR WIFI DEVICES ARE HACKED!! ”. I'm not a fan of chicken littleing when it comes to tech. It happens often and everytime it's the apocalypse but for the general population it creates apathy.

Update your devices normally like you should be doing should be the clear concise message without the hyperbole. With a caveat for older android device users.

The problem is far more than just older android devices. The number of wifi connected device is increasing everyday and many are not going to be patched. It may not be of any use to hack into a fridge or something but if that can expose vulnerability on your network on other devices then it will be an issue eventually. For example, the attacker might not be interested in your devices or home network but if they can increase the number of devices they can use for large scale DDoS attack, sure why not?

Also a lot of people just don't patch their devices especially ones that don't get pushed automatically.

 

[darkwing]

So it sounds like MS is on top of it and my Surface Pro 4 should be OK (I have auto-updates on... anyone know if it's been applied yet? EDIT: according to an article on the Verge, the security patch has already been released by MS).

I also have an iMac and MBP both on Sierra. Will I have to update to High Sierra?

Then I have a 6S Plus and Galaxy S7... any word on those?

just have to wait for security updates for those devices

 

[Beartruck]

Im on an old android so im pretty much fucked right?

 

[Yoshimitsu126]

My school uses wpa2 and i just logged into my school portal with windows. wooops
Hoping it really is just targeting linux and android only.

 

[emag]

so. if the router is patched, is the wifi network safe even if unpatched smartphones connect to it?

The unpatched smartphones (and other devices), along with the data they transmit/receive, are NOT safe in that scenario.

 

[KHarvey16]

The unpatched smartphones (and other devices), along with the data they transmit/receive, are NOT safe in that scenario.

They are safe as long as they’re connected to the patched router. If they connect to an unpatched router they’re vulnerable.

 

[Futureman]

just have to wait for security updates for those devices

damn... props to MS for fixing it so fast and shame on Apple for not even commenting yet.

 

[Ponn]

The problem is far more than just older android devices. The number of wifi connected device is increasing everyday and many are not going to be patched. It may not be of any use to hack into a fridge or something but if that can expose vulnerability on your network on other devices then it will be an issue eventually. For example, the attacker might not be interested in your devices or home network but if they can increase the number of devices they can use for large scale DDoS attack, sure why not?

Also a lot of people just don't patch their devices especially ones that doesn't get pushed automatically.

The only thing your average person is going to care about is “can they get into my Surface Pro or iPhone and get my data”. If said person gets the update for those devices automatically, like most are set to do, that’s where their concern is going to end. Even my HUE system gets updates through the app. Will a smart fridge eventually stop getting updates and could be open to a hacker sitting outside wanting to use it for ddos attacks? Maybe, crunch some realistic numbers and give us the percentage on that. Regardless what’s the real world scenario of what an average person is to do? Pitch their fridge because it MIGHT be used ddos attack PSN? Good luck with that. This is the disconnect between tech people and average people.

 

[isny]

It doesn't seem like Apple is updating the Airport routers any longer are they? Is it time to buy a new router?

 

[tzare]

The unpatched smartphones (and other devices), along with the data they transmit/receive, are NOT safe in that scenario.

I understand that only the traffic from those devices could be affected, Am i right?
My kids use smartphones and 3ds and vita but just to play games and youtube and maybe netflix, so basically netflix password for example if not encrypted could be in danger¿?

Other devices , if patched , should be safe if at same time connected to router?

I don't really understand how this work, if router is not patched but PC or smartphone is, the data sent from those can be spied if another unpatched device is connected to the network?

This is a bit confusing.

 

[aravuus]

To be clear, if there is an un-patched device on your wifi network (e.g. a TV), then no matter what you do to your router or other devices, someone could snoop all traffic on your wifi network?

Obviously some of that would be encrypted but if they could see non-encrypted traffic that would be bad.

I'd like to know this too. My brother has an older Samsung tablet with a custom rom that most likely won't get the security update in any way, I'm wondering if I'll have to straight up tell him he can't use it anymore lol.