
WPA2 is no longer secure, advice: buy new router



Belgian researchers at KUL university found serious issues in Wifi's WPA2 encryption:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/


In the past, WEP and WPA had serious security issues, with WEP being able to be cracked within just a few minutes. WPA2 was the solution.

Now WPA2 suffers from a cipher downgrade attack, so that eavesdropping becomes a reality just like the old WEP protocol:

https://www.blackhat.com/docs/webcast/08242017-securely-implementing-network2.pdf

It's unlikely your router's firmware will be updated, unless you have a pro brand like UBNT / Cisco / ... If your router is several years old, good luck.

Some wifi chipsets like Broadcom devices suffer from a coding flaw (see above PDF):

"Broadcom cannot distinguish message 2 and 4
Can be abused to downgrade the AP to TKIP"

So the solution:

1. either hope for a fix and wait; when you have a modem with wifi from your ISP, they may patch it, but they may not: it depends on whether the handshake can be controlled by software or is hardcoded in hardware

2. buy a router with the fix, typically the pro & carrier grade stuff

3. run a software wifi such as hostapd, where you can disable insecure ciphers in the source code or config

I plan to do (3). This can be done on a Raspberry Pi and most wifi dongles, or a Raspberry 3 with builtin wifi.
I still have some spare UBNT and Routerboard gear so (2) is also an option.

 

Designer of the 432 EVO music server and Linux specialist

Discoverer of the independent open source sox based mqa playback method with optional one cycle postringing.

Link to comment
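Option 3 in the post above only helps if the hostapd configuration stops offering TKIP altogether. As an added example (not part of the original posts and not hostapd's own code), this Python check reads a hostapd.conf body and reports where TKIP or WPA v1 is still enabled. The sample configs are constructed, and the TKIP default and `rsn_pairwise` fallback are assumptions taken from the hostapd.conf documentation.

```python
# Added example: audit hostapd.conf text for TKIP exposure.
CIPHER_DEFAULT = "TKIP"  # assumption: documented default for wpa_pairwise

def parse_conf(text):
    """Return key -> value for a hostapd.conf body (last assignment wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def effective_ciphers(conf):
    """Pairwise ciphers the AP would offer, keyed by protocol version."""
    wpa_bits = int(conf.get("wpa", "0"))  # bit 0 = WPA v1, bit 1 = WPA2/RSN
    wpa_pairwise = conf.get("wpa_pairwise", CIPHER_DEFAULT).split()
    # Assumption: rsn_pairwise falls back to wpa_pairwise when unset.
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    offered = {}
    if wpa_bits & 1:
        offered["WPA"] = wpa_pairwise
    if wpa_bits & 2:
        offered["RSN"] = rsn_pairwise
    return offered

def audit(text):
    """List findings; an empty list means only non-TKIP WPA2 is offered."""
    offered = effective_ciphers(parse_conf(text))
    findings = []
    if not offered:
        findings.append("no WPA/WPA2 protection enabled")
    if "WPA" in offered:
        findings.append("WPA (v1) enabled: set wpa=2")
    for proto, ciphers in offered.items():
        if "TKIP" in ciphers:
            findings.append(f"{proto} offers TKIP: {' '.join(ciphers)}")
    return findings

# Constructed sample configurations (interface and SSID are placeholders).
WEAK = "interface=wlan0\nssid=example-net\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\n"
IMPLICIT = "interface=wlan0\nssid=example-net\nwpa=2\nwpa_key_mgmt=WPA-PSK\n"
HARDENED = "interface=wlan0\nssid=example-net\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("implicit", IMPLICIT), ("hardened", HARDENED)):
        print(name, audit(body) or "ok")
```

The `IMPLICIT` case is the one to watch: with no pairwise line at all, the fallback rules assumed here leave WPA2 offering TKIP.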
7 hours ago, FredericV said:

3. run a software wifi such as hostapd, where you can disable insecure ciphers in the source code or config

I plan to do (3)

That won't help you. Unpatched client devices are still vulnerable.

 

A long time ago, I configured my router/AP to apply almost the same restrictions to my wifi as to external traffic. The worst an attacker can do is play my music and control my Chromecast.

Link to comment

MS patched Windows at least a week ago for the WPA2 issue:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

 

For 64-bit Windows 7 SP1, it's a secret patch, part of the October 10th update, as it's not listed in the changelog:

https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681

 

So you can't find this specific patch in the list as shown via
Control Panel\System and Security\Windows Update\View update history

I don't like security through obscurity. Next step is the AP, probably going to work with hostapd on a Raspberry.


hostapd has been patched if you pull the source from git:

https://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3

 

dd-wrt is to be fixed as well, so I can re-use all my dd-wrt devices (I have > 10) and can keep my raspberries for multiroom ;)
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311679&postdays=0&postorder=asc&highlight=wpa2&start=0


Link to comment

Note that it's mainly a client problem, not a server problem. In other words, it's the device that connects to your wifi router that more urgently needs to be patched. (But if the router is functioning as an extender / repeater, then it is acting as a client and is vulnerable.)  Patching either the client or the server (device or the router) will prevent the attack.

Details from the horse's mouth (the discoverer):

https://www.krackattacks.com/

"People hear what they see." - Doris Day

The forum would be a much better place if everyone were less convinced of how right they were.

Link to comment
2 hours ago, Don Hills said:

Note that it's mainly a client problem, not a server problem. In other words, it's the device that connects to your wifi router that more urgently needs to be patched. (But if the router is functioning as an extender / repeater, then it is acting as a client and is vulnerable.)  Patching either the client or the server (device or the router) will prevent the attack.

Details from the horse's mouth (the discoverer):

https://www.krackattacks.com/

 

Thanks for this info. Patching the wifi router will still be important for those devices not likely to receive an update:

- certain Chinese wifi cameras
- older wifi printers

In my case, my IP cams & Canon MX925 still can work wired via ethernet. I hope the PoC code or exploit comes out, so we can verify if the method can no longer be used. At the time when Heartbleed came out, I did the same.

Unless I see the actual code, never trust claims about a patched firmware, unless it's a trusted carrier grade brand like Cisco and UBNT. I actually have a long range UBNT setup in my garden.

This is why I like hostapd on Raspberry: compile it, verify the patch in the code ... with dd-wrt I have to trust that the patch is actually compiled into the latest release.


Link to comment
