closing tag is in template navbar
timefactors watches



TZ-UK Fundraiser
Results 1 to 17 of 17

Thread: WPA2 - WiFi insecurities found

  1. #1
    Master
    Join Date
    Jan 2010
    Location
    Coming Straight Outer Trumpton
    Posts
    9,385

    WPA2 - WiFi insecurities found

    Still working my way through these but it seems that the WPA2 encryption protocol for WiFI has been cracked might be time to apply any patches recommended by your OS providers.

    https://www.theguardian.com/technolo...arns?CMP=fb_gu

    https://www.krackattacks.com/

  2. #2
    Master
    Join Date
    May 2005
    Location
    Cheshire, UK
    Posts
    5,144
    Been discussing this loophole for a while now - it's been found to be valid and patchable.

    Advice seems to be do your banking or anything "secure" using RJ45 and turn off router wifi until all patches are applied.

    Turn off file sharing on any machone that you do banking (above )on.

    B

    Forgot to mention VPN for those on fixed ip
    Last edited by Brian; 17th October 2017 at 11:19.

  3. #3
    Master
    Join Date
    Jun 2014
    Location
    Driffield, UK
    Posts
    3,122
    tbh I'd never do anything like banking over a wifi link! I know the 'smartphone generation' are really into doing all sorts of private things and communications over wifi from their phone but it really is not a good idea. When I'm away from a 'proper' internet connection I do all my internet (banking/email/shopping/etc) over a vpn connection.

  4. #4
    Master Alansmithee's Avatar
    Join Date
    Jul 2013
    Location
    Burscough, UK
    Posts
    9,573
    Microsoft has already patched this on supported OS (W7 upwards).

  5. #5
    Does anyone know if you need to patch your wifi router as well as your wifi devices?

  6. #6
    Quote Originally Posted by jools View Post
    Does anyone know if you need to patch your wifi router as well as your wifi devices?
    Yes

  7. #7
    Here's how my on-line chat with a BT person went:

    ...
    ...
    ...
    Pavithra: Hi jools, Thanks for the above details. I know you are concerned whether your hub is potentially at risk of being hacked. I want to confirm, that we're aware of the issue and we are working with the industry to update the software as appropriate. This will be done, in the next 5 to 7 working days.
    Pavithra: Is there anything else I can help you with. If not, can you please close the chat browser completely.
    jools: So at the moment it is not patched?
    Pavithra: No its not patched at the moment.
    jools: Does BT recommend I still do on-line banking via wifi?
    Pavithra: Yes you still can access online banking, please use virtual key board for the access.
    jools: Ok thanks that's all. Bye.

  8. #8
    Master
    Join Date
    Jun 2014
    Location
    Driffield, UK
    Posts
    3,122
    Quote Originally Posted by Nogbad The Bad View Post
    Yes
    No! This issue effects client devices not infrastructure access points. In a wifi connection from your PC (phone/tablet/etc) to a wifi router then it's the PC end that is a client and the router end is the infrastructure access point. This security issue is with the client device so a normal wifi router running normal access point mode isn't the problem. The only time when it might matter is if you use the access point or wifi router in some form of wifi repeater mode. Wifi repeater mode means you wifi router runs as an access point (AP) AND a client at the same time. However I can't think of any situation where in normal operation you would run your wifi router as a repeater so the issue would never arise. So to summarise you probably should patch your client devices be that windows/android/ios BUT with normal access point mode there is no need to change or patch anything on your wifi router.

    Of course the other point is 99.9999% of bank and shopping sites use an SSL https web site connection which means the data is encrypted at the client device before being sent over the wifi connection so that means even if someone did hack your data connection then couldn't do anything or read the encrypted data!!

    Essentially this is all just a load of hot air! Heck even google uses https for their web site now so this really is not worth worrying about.

  9. #9
    Master danmiddle2's Avatar
    Join Date
    Sep 2010
    Location
    Midlands
    Posts
    1,847
    Quote Originally Posted by solwisesteve View Post
    No! This issue effects client devices not infrastructure access points. In a wifi connection from your PC (phone/tablet/etc) to a wifi router then it's the PC end that is a client and the router end is the infrastructure access point. This security issue is with the client device so a normal wifi router running normal access point mode isn't the problem. The only time when it might matter is if you use the access point or wifi router in some form of wifi repeater mode. Wifi repeater mode means you wifi router runs as an access point (AP) AND a client at the same time. However I can't think of any situation where in normal operation you would run your wifi router as a repeater so the issue would never arise. So to summarise you probably should patch your client devices be that windows/android/ios BUT with normal access point mode there is no need to change or patch anything on your wifi router.

    Of course the other point is 99.9999% of bank and shopping sites use an SSL https web site connection which means the data is encrypted at the client device before being sent over the wifi connection so that means even if someone did hack your data connection then couldn't do anything or read the encrypted data!!

    Essentially this is all just a load of hot air! Heck even google uses https for their web site now so this really is not worth worrying about.
    With respect, I am afraid you are wrong - you should patch your router when (and if) a fix is available for your hardware. The specific attack the OP is referring to is the one recently published on https://www.krackattacks.com/

    A quote from their site - "The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations"

    Some implementations may not be fixable through software updates, however, as some of the key handling and implementation components are on-chip rather than in software. So it may be time to upgrade (or, as has previously been mentioned, use a VPN service. A fixed IP is not necessary for this, as you will be the client of the VPN service).

    You are also wrong about this being hot-air. If exploit code makes it into-the-wild, it could be as significant as the weak IV issues that killed WEP as an effective wireless security mechanism.

    here is a link to the current list of affected / unaffected vendors:
    https://www.kb.cert.org/vuls/byvendo...&SearchOrder=4

    In terms of online banking, you are correct in that these types of services use SSL, however, that doesn't mean they are invulnerable to attack. Some (badly implemented) sites can still leak data over HTTP (in clear), and even if it is well set up, a carefully crafted man-in-the-middle attack (once an attacker is on your network using this WPA weakness, for example), would see you unwittingly communicating with the attackers system over SSL and not the final website.

    As far as I am aware, the poster has not made exploit code available, so it will be a little while for others to create a working exploit using this technique, so there is a little time.

  10. #10
    ^^ Damn beaten to it by Dan :o) ^^

    Quote Originally Posted by solwisesteve View Post
    No! This issue effects client devices not infrastructure access points. In a wifi connection from your PC (phone/tablet/etc) to a wifi router then it's the PC end that is a client and the router end is the infrastructure access point. This security issue is with the client device so a normal wifi router running normal access point mode isn't the problem. The only time when it might matter is if you use the access point or wifi router in some form of wifi repeater mode. Wifi repeater mode means you wifi router runs as an access point (AP) AND a client at the same time. However I can't think of any situation where in normal operation you would run your wifi router as a repeater so the issue would never arise. So to summarise you probably should patch your client devices be that windows/android/ios BUT with normal access point mode there is no need to change or patch anything on your wifi router.

    Of course the other point is 99.9999% of bank and shopping sites use an SSL https web site connection which means the data is encrypted at the client device before being sent over the wifi connection so that means even if someone did hack your data connection then couldn't do anything or read the encrypted data!!

    Essentially this is all just a load of hot air! Heck even google uses https for their web site now so this really is not worth worrying about.
    CERT seem to think it's an issue.

    https://www.kb.cert.org/vuls/byvendo...&SearchOrder=4

    Most of my stuff bar the IOT devices runs WPA2-Enterprise and that's in it's own VLAN.
    Last edited by Nogbad The Bad; 17th October 2017 at 19:38.

  11. #11
    Master
    Join Date
    Jun 2014
    Location
    Driffield, UK
    Posts
    3,122
    As far as the OP asked I still assert there is still no need to patch your wifi router. This issue only effects clients and your wifi router is NOT a wifi client. As long as your OS is up to date (and Windows has already been patched) then there should be no problems.

    Also, the chance the anyone sitting outside your living room window in order to attack your wifi link is, let's face it, a bit darn unlikely. ;-)

  12. #12
    Craftsman
    Join Date
    Jan 2016
    Location
    Oxon
    Posts
    571
    If you only use it for internet then it's less of an issue as most sites are HTTPS and protect you from using insecure networks as the internet is one itself! Being wary of non HTTPS sites is good practice anyway and never ever ignore certificate warnings on any vaguely sensitive website.

    Interesting cross over with loT stuff, if you have a lot of insecure devices on your Wi-Fi network managing heating, locks, lights, etc then you're at risk of having it messed with and given how poor most loT vendors are at releasing updates it sounds like this vulnerability may hang around a while.

    On the site for the vulnerability the FAQ does state you need to patch both client and AP.
    Last edited by wombleh; 18th October 2017 at 08:35.

  13. #13
    Master danmiddle2's Avatar
    Join Date
    Sep 2010
    Location
    Midlands
    Posts
    1,847
    Quote Originally Posted by solwisesteve View Post
    As far as the OP asked I still assert there is still no need to patch your wifi router. This issue only effects clients and your wifi router is NOT a wifi client. As long as your OS is up to date (and Windows has already been patched) then there should be no problems.

    Also, the chance the anyone sitting outside your living room window in order to attack your wifi link is, let's face it, a bit darn unlikely. ;-)
    Likelihood is certainly a consideration, which depends on a number of factors. At the moment, lack of publicly available exploit code will also protect you, as well as proximity to your WiFi signal.

    However you are simply wrong about the need to patch your router. You don't have to take my word for it (having worked as an offensive cyber security expert for the past 20 years), you can also read any article on the subject.

    Here is a pretty good one: http://www.iflscience.com/technology...acker-attacks/

    I am only correcting your statement as I consider that some people might actually listen to your advice and not take the correct actions to remediate this.

  14. #14
    Master
    Join Date
    Jun 2014
    Location
    Driffield, UK
    Posts
    3,122
    Quote Originally Posted by danmiddle2 View Post
    Likelihood is certainly a consideration, which depends on a number of factors. At the moment, lack of publicly available exploit code will also protect you, as well as proximity to your WiFi signal.

    However you are simply wrong about the need to patch your router. You don't have to take my word for it (having worked as an offensive cyber security expert for the past 20 years), you can also read any article on the subject.

    Here is a pretty good one: http://www.iflscience.com/technology...acker-attacks/

    I am only correcting your statement as I consider that some people might actually listen to your advice and not take the correct actions to remediate this.
    okay we agree to disagree :-) tbh I'm only working on the limited info given on the KRACK web site.

  15. #15
    Had a look at my Plusnet router and can see no way in settings to update firmware.

    Are routers provided by ISPs easily updateable (or is it done automatically by the ISP)?

  16. #16
    Master danmiddle2's Avatar
    Join Date
    Sep 2010
    Location
    Midlands
    Posts
    1,847
    Quote Originally Posted by Kingstepper View Post
    Had a look at my Plusnet router and can see no way in settings to update firmware.

    Are routers provided by ISPs easily updateable (or is it done automatically by the ISP)?
    The short answer is that it depends on the ISP and the hardware.

    There are very few fixed devices / firmware updates available as yet - I would contact your ISP and ask them how they update and ensure they are aware of the problem.

  17. #17
    Quote Originally Posted by danmiddle2 View Post
    The short answer is that it depends on the ISP and the hardware.

    There are very few fixed devices / firmware updates available as yet - I would contact your ISP and ask them how they update and ensure they are aware of the problem.
    Thanks, though would hope they’re on top of problem.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Do Not Sell My Personal Information