FredericV, posted October 16, 2017

Belgian researchers at KUL university found serious issues in Wifi's WPA2 encryption: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

In the past, WEP and WPA had serious security issues, with WEP being able to be cracked within just a few minutes. WPA2 was the solution. Now WPA2 suffers from a cipher downgrade attack, so that eavesdropping becomes a reality just like the old WEP protocol: https://www.blackhat.com/docs/webcast/08242017-securely-implementing-network2.pdf

It's unlikely your router's firmware will be updated, unless you have a pro brand like UBNT / Cisco / .... If your router is several years old, good luck.

Some wifi chipsets like Broadcom devices suffer from a coding flaw (see above PDF): "Broadcom cannot distinguish message 2 and 4 Can be abused to downgrade the AP to TKIP"

So the solution:
1. either hope for a fix and wait; when you have a modem with wifi from your ISP, they may patch it, but they may not: it depends if the handshake can be controlled by software, or is hardcoded in hardware
2. buy a router with the fix, typically the pro & carrier grade stuff
3. run a software wifi such as hostapd, where you can disable insecure ciphers in the source code or config

I plan to do (3). This can be done on a raspberry pi and most wifi dongles, or a raspberry 3 with builtin wifi. I still have some spare UBNT and Routerboard gear so (2) is also an option.

Designer of the 432 EVO music server and Linux specialist. Discoverer of the independent open source sox based mqa playback method with optional one cycle postringing.

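
Added example (not part of any post in this thread, and not hostapd project code): a small Python check for option 3 above that flags hostapd.conf settings which leave TKIP negotiable. It assumes hostapd's documented defaults (wpa_pairwise defaults to TKIP, and rsn_pairwise falls back to the wpa_pairwise value); the function names and sample configs are constructed for illustration.

```python
# Added example: flag hostapd.conf settings that leave TKIP negotiable.
# Assumes hostapd's documented defaults: wpa_pairwise defaults to TKIP and
# rsn_pairwise falls back to the wpa_pairwise value when it is not set.

def parse_conf(text):
    """Return {key: value} from key=value lines; later lines override."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of (option, problem) tuples; empty means CCMP only."""
    conf = parse_conf(text)
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        return [("wpa", "not an integer")]
    if wpa == 0:
        return [("wpa", "WPA/WPA2 is not enabled")]
    findings = []
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP").split()
    rsn_set = conf.get("rsn_pairwise", "").split()
    rsn_pairwise = rsn_set or wpa_pairwise      # fallback when unset
    source = "rsn_pairwise" if rsn_set else "wpa_pairwise"
    if wpa & 1:  # bit 0 = WPA (v1)
        findings.append(("wpa", "WPA v1 enabled; use wpa=2"))
        if "TKIP" in wpa_pairwise:
            findings.append(("wpa_pairwise", "TKIP offered for WPA v1"))
    if wpa & 2 and "TKIP" in rsn_pairwise:  # bit 1 = WPA2 (RSN)
        findings.append((source, "TKIP offered for WPA2; set rsn_pairwise=CCMP"))
    return findings

# Constructed sample configs (not taken from the thread).
BASE = "interface=wlan0\nssid=example\nwpa_key_mgmt=WPA-PSK\n"
MIXED = BASE + "wpa=3\nwpa_pairwise=TKIP CCMP\n"   # WPA+WPA2, TKIP allowed
IMPLICIT = BASE + "wpa=2\n"                        # no cipher line at all
HARDENED = BASE + "wpa=2\nrsn_pairwise=CCMP\n"     # WPA2 with CCMP only

if __name__ == "__main__":
    for name, conf in (("MIXED", MIXED), ("IMPLICIT", IMPLICIT),
                       ("HARDENED", HARDENED)):
        print(name, audit(conf) or "OK: CCMP only")
```

The IMPLICIT case is the one that is easy to miss: setting wpa=2 without an explicit cipher line still leaves TKIP on offer under the assumed defaults.
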
Marcin_gps, posted October 16, 2017

Waiting for an update for my Ubiquiti access point...

JPLAY & JCAT Founder

mjb, posted October 16, 2017

You could always just use a cable. I realise this isn't always practical, I just use wifi at home too, but you can't beat a good old Cat5/6 etc. cable for throughput and security.

mansr, posted October 16, 2017

7 hours ago, FredericV said:
> 3. run a software wifi such as hostapd, where you can disable insecure ciphers in the source code or config
>
> I plan to do (3)

That won't help you. Unpatched client devices are still vulnerable.

A long time ago, I configured my router/AP to apply almost the same restrictions to my wifi as to external traffic. The worst an attacker can do is play my music and control my Chromecast.

Miska, posted October 16, 2017

There are a number of other issues, apart from WPA2 vulnerabilities. I was today doing some testing and was shocked to find out that neither iOS nor Android (Oreo/8) supports DNSSEC...

Signalyst - Developer of HQPlayer. Pulse & Fidelity - Software Defined Amplifiers

exdmd, posted October 16, 2017

This security advisory from Peplink discusses the problem and they will have a firmware fix for their routers shortly. If you are looking for a commercial quality router at $150 for home or RV use, Pepwave Surf SOHO is very good.

FredericV (author), posted October 17, 2017

MS has patched Windows since at least a week for the WPA2 issue: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

For 64 bit Windows 7 SP1, it's a secret patch part of the October 10th update, as it's not listed in the changelog: https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681

So you can't find this specific patch in the list as shown via Control Panel\System and Security\Windows Update\View update history

I don't like security through obscurity.

Next step is the AP, probably going to work with hostapd on a raspberry. hostapd has been patched if you pull the source from git: https://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3

dd-wrt is to be fixed as well, so I can re-use all my dd-wrt devices (I have > 10) and can keep my raspberries for multiroom: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311679&postdays=0&postorder=asc&highlight=wpa2&start=0

Designer of the 432 EVO music server and Linux specialist. Discoverer of the independent open source sox based mqa playback method with optional one cycle postringing.

mjb, posted October 17, 2017

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now

Don Hills, posted October 17, 2017

Note that it's mainly a client problem, not a server problem. In other words, it's the device that connects to your wifi router that more urgently needs to be patched. (But if the router is functioning as an extender / repeater, then it is acting as a client and is vulnerable.)

Patching either the client or the server (device or the router) will prevent the attack.

Details from the horse's mouth (the discoverer): https://www.krackattacks.com/

"People hear what they see." - Doris Day
The forum would be a much better place if everyone were less convinced of how right they were.

FredericV (author), posted October 18, 2017

2 hours ago, Don Hills said:
> Note that it's mainly a client problem, not a server problem. In other words, it's the device that connects to your wifi router that more urgently needs to be patched. (But if the router is functioning as an extender / repeater, then it is acting as a client and is vulnerable.) Patching either the client or the server (device or the router) will prevent the attack. Details from the horse's mouth (the discoverer): https://www.krackattacks.com/

Thanks for this info. Patching the wifi router will still be important for those devices not likely to receive an update:
- certain Chinese wifi cameras
- older wifi printers

In my case, my IP cams & Canon MX925 still can work wired via ethernet.

I hope the POC code or exploit comes out, so we can verify if the method can no longer be used. At the time when heartbleed came out, I did the same. Unless I see the actual code, never trust claims about a patched firmware, unless it's a trusted carrier grade brand like Cisco and UBNT. I actually have a long range UBNT setup in my garden.

This is why I like hostapd on raspberry: compile it, verify the patch in the code .... with dd-wrt I have to trust that the patch is actually compiled into the latest release.

Designer of the 432 EVO music server and Linux specialist. Discoverer of the independent open source sox based mqa playback method with optional one cycle postringing.

rickca, posted October 18, 2017

Here's another beauty, a new vulnerability in RSA encryption keys. https://www.theinquirer.net/inquirer/news/3019326/roca-rsa-encryption-key-flaw-puts-millions-of-devices-at-risk

Pareto Audio AMD 7700 Server --> Berkeley Alpha USB --> Jeff Rowland Aeris --> Jeff Rowland 625 S2 --> Focal Utopia 3 Diablos with 2 x Focal Electra SW 1000 BE subs
i7-6700K/Windows 10 --> EVGA Nu Audio Card --> Focal CMS50's

AudioDoctor, posted October 18, 2017

So. Which router should I buy? Other than turning off WiFi is there another way to solve the problem until Apple comes out with a fix? Will only having my phone and iPad on WiFi make me safer, considering I use those for nothing important?

No electron left behind.

Miska, posted October 18, 2017

3 hours ago, rickca said:
> Here's another beauty, a new vulnerability in RSA encryption keys. https://www.theinquirer.net/inquirer/news/3019326/roca-rsa-encryption-key-flaw-puts-millions-of-devices-at-risk

Given the nature of this, I suspect it is an NSA planted vulnerability...

Signalyst - Developer of HQPlayer. Pulse & Fidelity - Software Defined Amplifiers