WPA2 cracked... virtually all wifi routers affected...

Discussion in 'Technical Corner' started by denverpilot, Oct 16, 2017.

  1. denverpilot

    denverpilot Taxi to Parking

    Joined: Nov 8, 2009
    Messages: 48,653
    Location: Denver, CO
    Display name: DenverPilot
  2. jsstevens

    jsstevens En-Route

    Joined: May 18, 2007
    Messages: 4,246
    Display name: jsstevens
    Wow. I wonder how they're going to fix that one?
     
  3. GTO1969

    GTO1969 Filing Flight Plan

    Joined: Apr 2, 2016
    Messages: 21
    Display name: Kevin
    As you would expect, initial coverage is somewhat sensationalized. The truth is that while the issue is widespread the fixes are very straightforward, which even the researcher acknowledges. Major platform vendors have already deployed patches. Microsoft, for example, has acknowledged that they updated Windows. You should see additional public disclosures on patch status published throughout the day. See https://www.wi-fi.org/security-update-october-2017 and the linked resources there.
     
  4. denverpilot

    It’s not that patches from big name vendors won’t be available. It’s the magnitude of the number of routers out there in consumer land that won’t ever get patched or won’t have them made available.

    All sorts of fly by night consumer router makers, and even more clueless consumers who have no idea and won’t even with “sensationalized” news to break through the highly important stuff like which oligarch is playing golf.

    This one is going to be a real threat to a lot of people for a very long time. The long tail on this one will drag out for a decade.
     
  5. Scrabo

    Scrabo Pattern Altitude

    Joined: Oct 17, 2008
    Messages: 1,826
    Location: PHX
    Display name: Scrabo
    I know NetGear emailed me last week and basically said install this new firmware now. I checked and there were updates for their complete wireless router range.
     
  6. TCABM

    TCABM Line Up and Wait

    Joined: Apr 23, 2013
    Messages: 783
    Display name: TCABM
    Huh. AT&T hasn’t pushed a fix for their branded box in my closet yet. Go to manufacturer website and no mention of a fix for this model.

    I’m guessing it’ll be a cold day in hell before AT&T spends a dime on the upgrade.

    And that’s how the next Equifax-type incident will work.
     
  7. Clark1961

    Clark1961 Touchdown! Greaser!

    Joined: Jun 7, 2008
    Messages: 17,746
    Display name: Display name:
    Looks like DLink is dragging their feet on updates also. They say access points aren't exposed but that clients are.
     
  8. Skyrys62

    Skyrys62 Pattern Altitude

    Joined: Apr 5, 2017
    Messages: 1,850
    Location: Owensboro, KY
    Display name: Skyrys62
    I grow sooooo tired of dishonest people making everything in others lives harder.
     
  9. jsstevens

    Linksys doesn't have a new update for my older router. Sigh.
     
  10. Skyrys62

    yes.. buy tech stocks now.
     
  11. RJM62

    RJM62 Touchdown! Greaser!

    Joined: Jun 15, 2007
    Messages: 11,978
    Location: Catskill Mountains, New York
    Display name: Geek On The Hill
    They're working on fixes for LEDE, OpenWrt, and Gargoyle as we speak. One of them might be flashable to your old Linksys.

    Rich
     
  12. GTO1969

    There is a good chance that your residential routers won't need a patch. Of the 10 CVEs related to this vulnerability, only 1 (related to Fast Transition) requires patching on the network side, though some could benefit from patching on both sides. Fast Transition is more commonly found in enterprise equipment that requires a mobile client to move between multiple access points rapidly without dropping packets. Most of the patches for this vulnerability are on the client side. That is why you see companies like Microsoft (who quietly deployed patches last week on patch Tuesday) and individual maintainers in the Linux community moving quickly to update. Apple is still only rumored to have patched (reported in iMore). One reason you might see updates for consumer routers is that some of them offer a client mode, e.g. allowing them to connect with another access point and serve as a range extender. This isn't to say you shouldn't check for router updates, only explain how there are legitimate reasons why you may not see any.

    Definitely get those clients patched though.
     
    Last edited: Oct 16, 2017
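
Post 12's split between client-side fixes and the single Fast Transition fix on the network side can be checked against a router's own configuration. The following is an added example, not part of the thread or of any vendor's tooling; it assumes an OpenWrt-style `/etc/config/wireless` file (its `mode`, `encryption` and `ieee80211r` options) and runs on a constructed sample.

```python
import shlex

# Constructed sample in OpenWrt /etc/config/wireless (UCI) syntax; not from the thread.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'home_ap'
    option mode 'ap'
    option encryption 'psk2'

config wifi-iface 'roaming_ap'
    option mode 'ap'
    option encryption 'psk2'
    option ieee80211r '1'   # Fast Transition (802.11r) enabled

config wifi-iface 'uplink'
    option mode 'sta'       # router joins another AP as a client / extender
    option encryption 'psk2'

config wifi-iface 'guest_open'
    option mode 'ap'
    option encryption 'none'
"""


def parse_wifi_ifaces(text):
    """Collect the options of every 'config wifi-iface' section."""
    ifaces, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if tokens[0] == "config":
            current = None  # options of other section types are ignored
            if tokens[1:2] == ["wifi-iface"]:
                name = tokens[2] if len(tokens) > 2 else f"@wifi-iface[{len(ifaces)}]"
                current = {"name": name}
                ifaces.append(current)
        elif tokens[0] == "option" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2]
    return ifaces


def krack_exposure(iface):
    """Reasons this interface depends on a firmware fix, following post 12's split."""
    if iface.get("encryption", "none") == "none":
        return []  # open network: no WPA2 handshake on this interface
    mode = iface.get("mode", "ap")
    if mode == "sta":
        return ["client mode: router acts as a Wi-Fi client, needs the client-side fix"]
    if mode == "ap" and iface.get("ieee80211r") == "1":
        return ["Fast Transition enabled: needs the network-side fix"]
    return []


def triage(text):
    """Map each wifi-iface section name to its list of exposure reasons."""
    return {i["name"]: krack_exposure(i) for i in parse_wifi_ifaces(text)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_WIRELESS).items():
        print(f"{name}: {'; '.join(reasons) or 'no router-side fix indicated by config'}")
```

An empty result only reflects the configuration; it says nothing about whether the firmware itself has been updated, and every Wi-Fi client still needs its own patch.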
  13. denverpilot

    Yeah. Sure throws a monkey wrench in BYOD shops though. Telling people they have to get off until their vendor puts out a patch and then proving it, will just lead to even worse alternatives to get their devices online. Ugh.

    Not that BYOD isn’t a semi-nightmare anyway.

    Telling the boss his Apple toy won’t be patched for a month (typical Apple release speed) and all his iThingys too... here’s your ethernet cable, use it... isn’t going to make anybody happy.

    Oh well. We put out the warning that “if we need to do something drastic with the WiFi Access, we’ll let you know” and are running the slight risk of data loss for the moment. I can’t imagine a HIPAA or PCI or similar environment has that luxury today. Or if they’re putting their heads in the sand, they’re out of bounds on their certs once they’ve been made aware of the issue until everything is patched.
     
  14. denverpilot

    By the way, want to put $20 on this shining a spotlight on that code in all products and at least two more major problems in the implementation of the WPA2 code are found within a couple of months, including fair warning time to the vendors? LOL.

    The “many eyes” BS on most of this code doesn’t work. Nobody is actually reading any of it.
     
  15. flyingron

    flyingron Touchdown! Greaser!

    Joined: Jul 31, 2007
    Messages: 15,377
    Location: Catawba, NC
    Display name: FlyingRon
    Virtually doesn't mean "almost." It means in appearance, not in fact. You can replace it with "not" or "no" to get a proper read on the sentence.
     
  16. JOhnH

    JOhnH Touchdown! Greaser!

    Joined: May 20, 2009
    Messages: 10,735
    Location: Florida
    Display name: Spun Out
    I disagree:

    vir·tu·al·ly
    ˈvərCH(o͞o)əlē/
    adverb
    1. nearly; almost.
      "virtually all those arrested were accused"
      synonyms: effectively, in effect, all but, more or less, practically, almost, nearly, close to, verging on, just about, as good as, essentially, to all intents and purposes, roughly, approximately
     
  17. deonb

    deonb Pattern Altitude

    Joined: Aug 17, 2015
    Messages: 1,834
    Display name: deonb
    I remember working on fixing a TCP/IP bug back in the early 2000's. Can't remember which it was. Maybe SYN loopback attack, or RST attack. It escapes me now. But that bug was in every single implementation of TCP/IP since the 1970's. 1000s of people ported it by hand over to 100s of platforms, and nobody ever noticed it. Open source, proprietary source vendors - didn't matter - everybody had that bug.

    IIRC - the bug wasn't even in the RFC. People just used reference implementations and everybody copied the same mistake.

    I don't think that can happen anymore, proprietary vendors will do everything from spec instead of from code to avoid GPL poison pills. But it was a jungle back then. But if a bug is in a spec, you still have an issue.
     
  18. denverpilot

    Now that more information is out, it should read “all”. It’s a protocol level problem. Every device that does WPA2 is affected.

    Sorry I couched it, but the information was early.

    Whether or not it’s the client that gets patched to cover the problem up or not, is immaterial, the protocol itself is bad and the router certainly understands the protocol and will happily participate with a bad client and an attacker’s additional bad behavior, wherever both exist.

    Millions of bad clients exist, and a significantly large number will never be patched by clueless folks. They’ll be vulnerable forever until the routers all stop participating, and many routers will never be patched.

    The industry is a sad joke, really. WPA2 was the fix to two other protocol level problems before it. Like the OpenSSL problem, this one has been in this “secure” protocol for over a decade. Let’s all fire up some WEP and enjoy that again, shall we? LOL. It was “secure” once, too.

    Craptacular.
     
  19. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser!

    Joined: Feb 23, 2005
    Messages: 15,802
    Location: west Texas
    Display name: Dave Taylor
    This sounds like the nefarians may access your computers when connected to any wifi?
    I.e., no different than using the wifi at a hotel (where they warn you the network is insecure)?

    How about my server, which gets its internet from a Uverse box via cable and a firewall. The Uverse box transmits wifi too.
     
  20. denverpilot

    Was it smurf?

    I forget which one my staff used to use against the Director to get him off the phone. If he wouldn’t end a conference call, they’d just toss the magic packets his way and blue screen his desktop machine, until I caught them doing it.

    They fessed up because I pointed out to them that the Director had had three expensive desktop machines and a laptop replaced in less than a year because he kept telling the other help desk the hardware was bad. lol. I knew this from our management meetings.

    “Knock it off, kids... you know better now... this is costing us real money and if he figures it out, it won’t go well for you...”

    But I quietly laughed my butt off back in my office that afternoon. I knew who figured out how to do it and taught my other staff how, too. He still works in security. Last papers he published were on attacking laptops through USB and FireWire DMA. Nice of those specs to leave direct access to the machine’s RAM open to something plugged into an external port, eh?

    LOL. It’s been a while since that mistake was understood. Everyone just wanted their external hard drives and flash drives to go faster... let’s just hook them straight to the RAM... brilliant.
     
  21. exncsurfer

    exncsurfer Pattern Altitude

    Joined: Sep 15, 2014
    Messages: 1,798
    Location: NC
    Display name: exncsurfer
    They already have your credit info via the equifax hack, 'the evil doers' don't need to get into your pc.
     
  22. Mistake Not...

    Mistake Not... Cleared for Takeoff

    Joined: Jun 18, 2013
    Messages: 1,251
    Display name: Mistake Not...
    Disagree. Several someones are reading the code and finding the bugs. Only, they probably call them exploits, and they probably don't work for people that have your best interests in mind.

    Air gap, shut off wifi, bluetooth, step into the cage. Oh, wait, ultrasonic beacons are now a thing. And then there's google somehow magically showing the thing I happen to be having a conversation about as the first item in search results more often than not, even with "ok, google" supposedly disabled.
     
  23. Let'sgoflying!

    Yay, my firewall supplier sent out this message
    So I have no worries....right?
    :D
    On Monday, a critical vulnerability in the WPA2 wireless security protocol was published by Dutch researchers. KRACKs — or key reinstallation attacks — can theoretically be deployed by attackers to steal sensitive information from unsuspecting wireless users leveraging flaws in the Wi-Fi standard.

    The SonicWall Capture Labs investigated the WPA2 vulnerabilities and found the following:
    • SonicPoint and SonicWave wireless access points, as well as SonicWall TZ and SOHO wireless firewalls, are not vulnerable to KRACK attacks.
    • No updates are needed for SonicWall wireless access points or firewalls with integrated wireless.
    • Attackers must be in physical proximity to the wireless client or access point to execute a KRACK-based man-in-the-middle (MITM) attack.
    As a customer with SonicWall access points or firewalls with wireless capabilities, you are not susceptible to KRACK attacks and no updates are needed at this time.
     
  24. denverpilot

    You’ve noticed that too? Mine isn’t Google but it’s pretty eerie.

    Zuckerberg supposedly has tape over both the video camera and the microphone holes in his own smartphone when using his own products.

    Oh. And the latest South Park with The Zuck in it, is freaking hilarious. You’re welcome, if you haven’t seen it yet. :)
     
  25. JOhnH

    Well, "no worries" is a little strong. You may have no worries about your firewall being "Kracked" while you are using it at your house, but do you ever use WIFI at the gym, or starbucks, or the FBO or . . . anywhere?
     
  26. mikea

    mikea Touchdown! Greaser!

    Joined: Feb 12, 2005
    Messages: 16,953
    Location: Lake County, IL
    Display name: iWin
    Set up AES encryption and segregate any devices that need WPA2.
     
  27. deonb

    No, smurf was before my time.

    I remember at some point I discovered a bug in the way Windows XP displayed shortcut icons. I could form a way to create a shortcut (.lnk file) by hand in a way that it would instantly crash whatever application is trying to display the icon for that .lnk file.

    For extra effect, I added a .lnk file to the bug report :).

    Ahh, good times.
     
  28. Clark1961

    So now it looks like the 5 GHz radio in my wireless system died. Running on the 2.4 GHz radio for now.

    Wait to replace? Replace with what? Cheap is always good. This is a home network without VPN in or any of that type of crap.

    Edit: current unit is an N600 dlink thing. It was cheap.
     
  29. deonb

    AC3200 tri-band is probably the sweet spot between price & performance right now. You can get a refurb one for $65:

    https://www.linksys.com/us/p/EA9200...e2wcp_c-3lF63HXZgKaWflAJ2ci3BAkMaAu5PEALw_wcB

    This is if you like Linksys as a brand. All brands have AC3200s.
     
  30. Clark1961

  31. sferguson524

    sferguson524 Pattern Altitude

    Joined: Feb 8, 2011
    Messages: 1,703
    Location: Las Vegas
    Display name: FormerSocalFlyer
    I'm pretty happy with my 2 MR-33s from Meraki.. they were patched the morning the exploit was discovered
     
  32. denverpilot

    When mine die or I get bored and decide to do the upgrade, my next setup for the house is going to be Ubiquiti. We went with them at the office and they’re up where you need a man lift or a very tall ladder to get at them, and that’s only after you kick a couple people out of their cubicles to set the ladder up over them.

    We put them up there a few years ago and have never had any reason to get up there and mess with them ever again.

    Rock solid except for one firmware update and all that one did was reboot them about once a week on their own due to a memory leak. Reverted them backward a version easily (unlike other companies who give no reverse firmware path) and waited for another version.

    3 APs and about 100 users. All access is handled off of Active Directory to them and people as devices attach to their “correct” VLAN as well. (Multiple companies in the building have their own VLANs as well as the Guest WiFi isolated on its own VLAN also.) And can mix and match authentication methods. The Guest network has an automated way to issue expiring login credentials.
     
  33. luvflyin

    luvflyin Final Approach

    Joined: May 8, 2015
    Messages: 5,341
    Location: Vancouver, WA
    Display name: Luvflyin
    This is all over my head. I got Cable. Comcast/Xfinity. The cable screws in to that box over there on the floor with all the lights that blink some of the time. That's my WiFi. Am I in danger?
     
  34. Clark1961

    Blinking lights you say? The aliens are monitoring you. Soak it in water for 24 hours then call Comcast and say it broke.
     
  35. kayoh190

    kayoh190 Pattern Altitude

    Joined: May 29, 2014
    Messages: 2,300
    Display name: Kayoh@190
    Netgear is telling their customers that KRACK is really a client side issue. In other words, a router is only compromised if you're using it as a bridge. Is this true?
     
  36. Clark1961

    dlink is saying the same thing. Post 12 in this thread suggests otherwise.
     
  37. kayoh190

    Damn - I must have glossed over his post. Thanks!
     
  38. RJM62

  39. Rushie

    Rushie Pattern Altitude

    Joined: Jun 21, 2006
    Messages: 1,657
    Display name: Rushie
    I'm swamped right now; traveled away from home, on my laptop with wifi and don't have time to sort this. Can anyone tell me the bottom line with this hack? Do I need to disable wifi and go plug in a patch cable if I do banking on my laptop? That's what I did yesterday. Do I need to worry somebody is seeing my password to log into PoA and is going to hijack my identity and start posting "boobs" or something? Here it's just the cable company provided "box" with wifi in it, I don't think that means it's a "bridge"; does that mean it's not an issue here?

    But back at my house I have Airport Extreme which connects to the cable company's box. Does that mean it's a bridge? Excuse my ignorance.
     
  40. rtk11

    rtk11 Cleared for Takeoff

    Joined: Apr 25, 2015
    Messages: 1,131
    Location: Southern California
    Display name: rtk
    Rushie - you are not bridged. If you had a router communicating to another router (extending your network’s range), that would be a bridge. But your AirPort Extreme is just the router coming off the cable modem. I would make sure you have the latest firmware installed, however.
     