GameAddict411
Member
Android phones have very bad track history with updates and that's even from large phone makers. Phones several years old will never be patched.
-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
All your WiFi devices are broken, Android/Linux devices particularly devastated
- Thread starter emag
- Start date
KernelPanic
Member
And the VPN provider can see everything you anyway(I believe theyre also now allowed to sell it)
thequickandthedead
Member
Anyone suspicious-looking coming within my WiFi range is getting their ass beat
In the attack they demoed, it looks exactly like your AP except on a different channel.
Oops thought you were talking about suspicious looking APs lol
Average person aren't going to know wtf any of this means or even care either way unless it's dumb down to 'you are fucked unless you update' so it's kind of doing its job. Rest were just example of how it can affect rest of the world. If you don't care, that's fine too.
W. L. Saga
Neo Member
What about those stuck on Marshmallow like mine? =(
"You know what I like about pen and paper? Nobody can hack into this shit." (Samuel L. Jackson, Kingsman: The Secret Service)
Valentine knew his shit.
RoadHazard
Gold Member
What does "won't realistically affect Windows devices" mean?
What is actually possible isnt really clear from the articles Ive seen, but if it allows people to use your WiFi to get free internet access and snoop all unencrypted traffic so long as your fridge is around, thats a massive problem.
For the time being, keep in mind that:
- The attacker has to be in range of the victim (ie, he has to be able to receive wireless signals from your router)
He has to know what he's doing and have malicious intent.
There has to be at least one Linux / Android device connected to the wireless network in question to compromise it. It's not that windows / Mac OS / ios aren't vulnerable ; it's that currently the exploit is most damaging in Linux based devices but everything that can connect to a WiFi is vulnerable.
HTTPS websites can also vulnerabl in combination with this exploit
Both routers and clients can be patched to disarm the vulnerability. Unfortunately most of the vulnerable devices will never be patched.
TheLaughingStock
Member
So everyone can be surveiled with ease and scammed with ease if you're the target.
I believe it is that a hacker could not cause your patched Windows client to divert to a different channel and connect to the hackers own AP to utilize the flaw, but that may only be one facet of the flaw.
VincentMatts
Member
how do we know if our router is ok or not?
I would be more concerned about wifi clients, your phones/tablets/pc etc..
Hello? This is Hailun!
Member
RF Architect and Engineer here.
Your devices aren't broken, there's just an exploit that makes it easy for someone to decrypt your traffic as well as insert themselves as a MitM. It requires the perpetrator to be on site and actively working to decrypt the traffic.
You are going to be fine. This exploit has been known internally for about 45 days. Patches for most devices are already on their way out.
Your devices aren't broken, there's just an exploit that makes it easy for someone to decrypt your traffic as well as insert themselves as a MitM. It requires the perpetrator to be on site and actively working to decrypt the traffic.
You are going to be fine. This exploit has been known internally for about 45 days. Patches for most devices are already on their way out.
VincentMatts
Member
I keep all my stuff up to date, my modem/router is the only thing i cant update because its a Bell provided modem/router with no user ability to update FW.
Hello? This is Hailun!
Member
Pretty much everything is affected since it is a problem with the standard.
Turn off 802.11r and Fast Roaming in the meantime if you're really paranoid.
windows and iOS do not accept the re-transmission message that the main attack relies on. there are a number of different issues described in the paper though, and all clients are susceptible to the broadcast group key vulnerability
Could you explain how someone could get, say, what you type into a Google search if you're using a compromised device? As far as I can tell, the most an attacker can see is your encrypted packet data which would be useless for them.
The hack works by spoofing a known router/AP. It doesn't matter if the real router is patched if the client is tricked into connecting into the spoofed AP.
Yes.
Yes.
Patched PC/smartphones are safe. A "KRACKed" device isn't actually connected to your real router, but a "fake" router in the area that's spoofing your real router, so your real network and patched devices aren't directly at risk.
Not for any data intended to be secure, certainly. Presumably attackers could also intercept requests to app servers and the Google Play Store, so they could send pretty much anything to the device in place of valid content. But I'm sure the vast majority of people with vulnerable devices will never be hacked, so you could just play the odds.
The vast majority of HTTPS servers are vulnerable to trivial SSL stripping (although savvy users would notice the lack of padlock icon in Chrome, etc.). Hopefully bank servers are better managed than most other HTTPS servers.
Most supported devices/OSes, sure. The keyword being supported. Consumer devices rarely are.
https://moxie.org/software/sslstrip/
Hello? This is Hailun!
Member
No. It's somewhat difficult to do, requires specific hardware, and relies heavily on an issue requiring retransmits and a cryptographic nonce to be sent incorrectly, allowing the exploit.
No they aren't. The paper just notes that there have been other attacks against HTTPS in the past so if a new one is found, it could be used in combination with this exploit
RandomExpletive
Member
Shoot, I've got homework to-do and I'm in classes all day w/o ethernet ports :/
Double shoot, will Apple update the airport extreme? Or is it time for a new router...
Double shoot, will Apple update the airport extreme? Or is it time for a new router...
Hello? This is Hailun!
Member
Windows forces a RST if the handshake doesn't complete properly.
You are right, it should be clarified. I edited my post. He warns that you shouldn't feel you're safe just because you're using HTTPS.
From the guy who discovered the vulnerability:
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations
They said they already patched
efyu_lemonardo
May I have a cookie?
Fuck me
Particle Physicist
between a quark and a baryon
Oh boy. Hospitals are in trouble. So many laptops, iPads, phones that get used with patient data. They are constantly under attack as is. Sounds like someone just has to hang out at a hospital to acquire shit. Im assuming updating everything is going to be a nightmare everywhere.
So help me understand. They cannot just crack into my device and steal info right?
This is about data that is being transmitted via WIFI? So passwords, CC numbers, etc? But what if you have auto login? Can they still get it that way? Or only if you are entering it?
I also heard someone people talk about Our bulbs. What is the concern there? I imagine the data sent to them is not private? Or does it request log in info too?
This is about data that is being transmitted via WIFI? So passwords, CC numbers, etc? But what if you have auto login? Can they still get it that way? Or only if you are entering it?
I also heard someone people talk about Our bulbs. What is the concern there? I imagine the data sent to them is not private? Or does it request log in info too?
Hello? This is Hailun!
Member
IF YOU ARE READING THIS, IGNORE THE SENSATIONALIST THREAD TITLE. 99.999999% OF YOU WILL NOT BE AFFECTED
Anyone savvy enough to pull off this exploit can bypass this by spoofing the MAC Adress of a compromised client.
Stumpokapow
listen to the mad man
Wow the bold all-caps text really convinces people of your deep credibility when it comes to web security issues.
CheDominik
Member
I can spoof a MAC address. Every idiot who can read a 50 word tutorial can do it. It won't help at all, but relax you'll be fine.
I see, thanks. Well, if the other patched devices in the house and the ones that are connected via ethernet (but not necessarily patched - I'm actively avoiding patching my TV lol) are fine even in the highly unlikely situation where someone would place themselves between the tablet and our router, I suppose it's fine. Pretty sure he only uses it to watch youtube or some shit anyway.
great ! Thanks for the answer. Feel a bit safer (well when most devices are patched at least)
Hello? This is Hailun!
Member
Maybe you should lock the thread and create one without a hilariously bad clickbait title?
RoadHazard
Gold Member
Would using TOR do anything here? I understand it wouldn't protect me in general, but the specific traffic going through the TOR browser?
ISee
Member
one of my neighbors "was" running a black market server farm in his basement. He also tried to steal electricity and did something wrong while doing so. In the end there was a big fire in his basement. The night after the fire, a couple of hours before the police came to investigate everything, he loaded a lot of server equipment into a van and drove away. He sometimes claimed to have a server farm running in his basement before, but nobody believed him, till that night. I absolutely trust this fucker to exploit this as much as possible, so no I'd like to be a bit in panic mode atm.
The attacker can get access to the network by decrypting all data the compromised device sends to the access point.
The attacks do not recover the password of the Wi-Fi network. That would probably require further exploits that hinge on the decrypted data sent by the device.
Hello? This is Hailun!
Member
Then these folks are already gigantic walking security holes. This is just another one to add to all of the rest.
Naked Snake
Member
I have a Galaxy Note 4, few years old by now, and I received multiple firmware security updates from Samsung this year alone.
JetBlackPanda
Member
What is Apples response? I have an iPhone, IPad, MacBook for all of my stuff.
At home I have a comcast AC gateway, that will need a firmware patch? I guess I dont understand. Is the router itself what needs to be patched or the devices themselves?
At home I have a comcast AC gateway, that will need a firmware patch? I guess I dont understand. Is the router itself what needs to be patched or the devices themselves?
I'm fine with a mod changing the title of this thread to something less "clickbaity", e.g., "WiFi security KRACKed, update your devices".
That said, although the probability that you will specifically be targeted is low, the vulnerability is still a real cause for concern. >99% of people won't have their identity stolen as a result of the Equifax data breach, either.
Not directly. Your vulnerable device connects to a spoofed router, which can read/modify all transmissions between it and the internet. The existing real network isn't directly affected. Of course, if you send passwords or install software on that vulnerable device, worse things can happen.
AFAIK, Apple has not yet publicly commented on this.
Ideally, both routers/APs and devices that connect to them should be patched. It's [much] more important that the devices are patched than the routers.
I mean, he's not wrong about the current thread title being hilariously dramatic. "All your WIFI devices are broken" would be a very different scenario to the one that is playing out here.
It's a big deal, and the vulnerabilities are real, but that thread title...c'mon
Hello? This is Hailun!
Member
Yeah, Im a bit salty, sorry!. I woke up to 273 eMails this morning from clients and partners freaking out because the first they saw this morning was news saying "the internet is broken and you're information has been stolen".
the one fucking person on my network using an android device is my step dad........damn it
Can patching the router alone and at least leave all other devices and updated units safe if someone else connects with an un-updated device?