Author Topic: WPA2 vulnerability exposed  (Read 15157 times)


Offline stj

  • Super Contributor
  • ***
  • Posts: 2155
  • Country: gb
Re: WPA2 vulnerability exposed
« Reply #75 on: October 24, 2017, 12:07:08 pm »
this is where people learn never to buy android devices with an intel cpu.
Intel locked the bootloaders down so tight that there is no custom firmware for them - you can consider them disposable.

unfortunately i speak from experience - i have both a useless fone, and a useless tablet - thanks to intel for being scum and asus for using their cpu's  :rant:
 

Offline Naguissa

  • Regular Contributor
  • *
  • Posts: 114
  • Country: es
    • Foro de electricidad, electrónica y DIY / HUM en español
Re: WPA2 vulnerability exposed
« Reply #76 on: October 24, 2017, 08:37:03 pm »
this is where people learn never to buy android devices with an intel cpu.
Intel locked the bootloaders down so tight that there is no custom firmware for them - you can consider them disposable.

unfortunately i speak from experience - i have both a useless fone, and a useless tablet - thanks to intel for being scum and asus for using their cpu's  :rant:
I have a Cube iWork 7, an Intel tablet.

 Originally was Android/Win10 dual boot.

Then I wiped Android and reinstalled Win10 on full NAND.

Then I installed Debian in a USB using OTG port.

Then USB port died and next touch also died.


Now I have a to-try-repair tablet.

But until HW failures it was letting me change everything except 1st dual boot screen (I didn't try it).

Sent from my Jolla using Tapatalk


Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #77 on: October 24, 2017, 08:54:45 pm »
this is where people learn never to buy android devices with an intel cpu.
Intel locked the bootloaders down so tight that there is no custom firmware for them - you can consider them disposable.

unfortunately i speak from experience - i have both a useless fone, and a useless tablet - thanks to intel for being scum and asus for using their cpu's  :rant:
Unfortunately, it's far from the only platform this happens to. Software support is terrible on a lot of mobile devices.
 

Offline metrologist

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: WPA2 vulnerability exposed
« Reply #78 on: October 25, 2017, 01:36:58 pm »
Is there any mobile device with reliable software support? I think they are all designed to be disposable with a 3-5 year max life. I won't be buying any more and my next phone will probably not be a smart phone, or the cheapest possible phone that is usable as an actual phone.
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: WPA2 vulnerability exposed
« Reply #79 on: October 25, 2017, 01:40:14 pm »
Is there any mobile device with reliable software support? I think they are all designed to be disposable with a 3-5 year max life. I won't be buying any more and my next phone will probably not be a smart phone, or the cheapest possible phone that is usable as an actual phone.

My iPhone 4S was released in 2011 and the last software update was issued in 2016.
 

Offline IanMacdonald

  • Frequent Contributor
  • **
  • Posts: 943
  • Country: gb
    • IWR Consultancy
Re: WPA2 vulnerability exposed
« Reply #80 on: October 25, 2017, 03:13:04 pm »
In view of the massive amount of work to actually deal with it, it would actually be useful to know how large an attack surface this vuln exposes.

Many of the man-in-the-middle classes of vuln are more of a theoretical risk than one which is often encountered in the real world. Though, WiFi is more prone to this class of attack than wired connections, simply by nature of the fact that an attacker can connect without gaining physical access to the hardware, or sometimes even the premises.

Not yet seen any lowdown on this. Is it feasible for anyone other than an expert hacker to exploit it in the public sphere?  Would this only be possible in some circumstances, or in all? How long would such an attack take? :-//

One of the key problems I foresee, is that upgrading router firmware often involves the loss of all settings. In which case it can't be done remotely, and might involve a lot of manual work reinstating the settings if the site has services on it.  Not just for WiFi but for all router functions too.

Point of fact, this debacle strongly suggests the use of standalone WiFi APs. Integrating them into routers creates a domino effect outage. At least I'm on separate units here so I can just chuck the (fairly old) AP away if I need to.
 

Offline suicidaleggroll (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1453
  • Country: us
Re: WPA2 vulnerability exposed
« Reply #81 on: October 25, 2017, 03:20:23 pm »
In view of the massive amount of work to actually deal with it, it would actually be useful to know how large an attack surface this vuln exposes.

Many of the man-in-the-middle classes of vuln are more of a theoretical risk than one which is often encountered in the real world. Though, WiFi is more prone to this class of attack than wired connections, simply by nature of the fact that an attacker can connect without gaining physical access to the hardware, or sometimes even the premises.

Not yet seen any lowdown on this. Is it feasible for anyone other than an expert hacker to exploit it in the public sphere?  Would this only be possible in some circumstances, or in all? How long would such an attack take? :-//
From what I understand, using this attack to break the encryption on a WPA2 link is quite easy and quick.  If there isn't already, I'm sure soon there will be a tool to do it for you, and script kiddies will just have to click a button to watch your wifi traffic unencrypted.


One of the key problems I foresee, is that upgrading router firmware often involves the loss of all settings. In which case it can't be done remotely, and might involve a lot of manual work reinstating the settings if the site has services on it.  Not just for WiFi but for all router functions too.

Point of fact, this debacle strongly suggests the use of standalone WiFi APs. Integrating them into routers creates a domino effect outage. At least I'm on separate units here so I can just chuck the (fairly old) AP away if I need to.
That wouldn't do anything, unfortunately.  The clients are the targets in this attack, there's not a thing your router or AP can do to stop it.  Upgrade your router firmware, don't, it doesn't matter, unless your client device is upgraded, it's vulnerable.  That's the problem with this vulnerability, you can't patch it in a central location, every single client has to be individually patched or it's vulnerable.  Since many people still use laptops, phones, tablets, IoT devices, etc. that can't or won't be upgraded, they'll be permanently left in a vulnerable state until they're trashed and replaced.
 
The following users thanked this post: IanMacdonald

Offline IanMacdonald

  • Frequent Contributor
  • **
  • Posts: 943
  • Country: gb
    • IWR Consultancy
Re: WPA2 vulnerability exposed
« Reply #82 on: October 25, 2017, 04:49:26 pm »
Your alternative 'software' would be punch cards? clay tablets?

Not the media that's the issue. The method of allocating RAM to program variables is the problem. C and C++ have a security weakness in this respect. Even the 1950's and 60's languages like COBOL and Fortran used with punched cards didn't have this vuln.

(I believe it's possible to deliberately create a similar scenario in Fortran, but it would be extremely unlikely to happen through coder error. Whereas in C it's ridiculously easy.)

The problem with fixing this, is that C has become so entrenched in the software industry that it's hard to give it the heave-ho that it needs. Not just Microsoft either, much of Linux and MacOS is written in it.

Even if the coders started using another language right away, the DLLs and other system libraries are still vulnerable to over-long data strings passed to them from userspace programs. So whatever, it's gonna take a long time to purge this stuff.

The prime time for Microsoft to have tackled it was when Longhorn (Vista/7) came out. They really missed an opportunity there.

I don't think the WPA2 issue is down to this problem with C, but the vast majority of vulns have been.
« Last Edit: October 25, 2017, 04:51:31 pm by IanMacdonald »
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: WPA2 vulnerability exposed
« Reply #83 on: October 25, 2017, 05:04:20 pm »
That wouldn't do anything, unfortunately.  The clients are the targets in this attack, there's not a thing your router or AP can do to stop it.

Not so. It can be largely mitigated (with potential reliability issues) by disabling retransmission of the handshake at the AP.

Not 100% perfect, and carries some issues, but it is possible to significantly hamper exploitation from the AP.
 

Offline Naguissa

  • Regular Contributor
  • *
  • Posts: 114
  • Country: es
    • Foro de electricidad, electrónica y DIY / HUM en español
Re: WPA2 vulnerability exposed
« Reply #84 on: October 26, 2017, 04:53:15 am »
Is there any mobile device with reliable software support? I think they are all designed to be disposable with a 3-5 year max life. I won't be buying any more and my next phone will probably not be a smart phone, or the cheapest possible phone that is usable as an actual phone.
Sailfish. This is a 2013 phone and this month I received an opt-in RC release and final upgrade release.

But it's a tiny company, could disappear tomorrow....

Sent from my Jolla using Tapatalk


Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #85 on: October 27, 2017, 10:02:06 am »
Is there any mobile device with reliable software support? I think they are all designed to be disposable with a 3-5 year max life. I won't be buying any more and my next phone will probably not be a smart phone, or the cheapest possible phone that is usable as an actual phone.
It's even worse. Some devices get dropped from support while still being sold, only months after release. It's one area I feel lawmakers could make a change for the better. It's better for the consumer and better for the environment to ensure updates somehow.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: WPA2 vulnerability exposed
« Reply #86 on: October 27, 2017, 10:10:23 am »
This is annoying me as well.

I'm going to be honest, even as a professional software dude, I've had enough of it. Next hardware refresh I do is going to be a desktop PC running Linux hard wired by ethernet and a Nokia dumbphone or something. I don't have the time to even think about all the crap that comes around keeping everything else's plates spinning.
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: WPA2 vulnerability exposed
« Reply #87 on: October 29, 2017, 01:44:47 am »
For various technical international reasons everything from now on will be deregulation.

(In other words, letting corporations do what they want, more.) The most profitable changes get priority over the slightly more profitable changes. That ratchet on laws, so to speak, is basically being locked in in all sorts of areas. Any regulatory change that's insanely profitable is likely safe.


It's even worse. Some devices get dropped from support while still being sold, only months after release. It's one area I feel lawmakers could make a change for the better. It's better for the consumer and better for the environment to ensure updates somehow.

They are way way ahead of us on this stuff. They have every angle figured out.
« Last Edit: October 29, 2017, 01:59:10 am by cdev »
"What the large print giveth, the small print taketh away."
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: WPA2 vulnerability exposed
« Reply #88 on: October 29, 2017, 08:24:30 pm »
It's even worse. Some devices get dropped from support while still being sold, only months after release. It's one area I feel lawmakers could make a change for the better. It's better for the consumer and better for the environment to ensure updates somehow.

I guess it's only a matter of time before people put this to the test through Government organisations such as the ACCC or Fair Trading, or through the courts.

Under Australian Consumer Law, a product has to be "reasonably durable" and "free from defects". If such a major flaw was discovered it would arguably be considered a "major failure" under the law (in that you wouldn't have purchased the product in the first place if you had known about the defect) in which case, the consumer would be entitled to a full refund. There is nothing in the law that says the "defect" has to be a physical breakdown, so it can be something intangible like software/firmware.

If consumers started asserting their consumer rights, instead of issuing refunds for products, manufacturers would be forced to provide remedies even on older and out-of-warranty products.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #89 on: October 29, 2017, 09:21:18 pm »
This is annoying me as well.

I'm going to be honest, even as a professional software dude, I've had enough of it. Next hardware refresh I do is going to be a desktop PC running Linux hard wired by ethernet and a Nokia dumbphone or something. I don't have the time to even think about all the crap that comes around keeping everything else's plates spinning.
I don't think you will prevent problems. You'll just have different problems.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #90 on: October 29, 2017, 09:26:25 pm »
I guess it's only a matter of time before people put this to the test through Government organisations such as the ACCC or Fair Trading, or through the courts.

Under Australian Consumer Law, a product has to be "reasonably durable" and "free from defects". If such a major flaw was discovered it would arguably be considered a "major failure" under the law (in that you wouldn't have purchased the product in the first place if you had known about the defect) in which case, the consumer would be entitled to a full refund. There is nothing in the law that says the "defect" has to be a physical breakdown, so it can be something intangible like software/firmware.

If consumers started asserting their consumer rights, instead of issuing refunds for products, manufacturers would be forced to provide remedies even on older and out-of-warranty products.
This is true. Hardware defects have been covered well by warranty laws, but software is a bit more hazy, simply because it's not tested in court yet. Unfortunately, consumers are generally divided and it's easy for manufacturers to use this to their advantage, especially since most people would rather have a shiny new phone than support for their old device.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: WPA2 vulnerability exposed
« Reply #91 on: October 29, 2017, 11:32:00 pm »
Unfortunately, consumers are generally divided and it's easy for manufacturers to use this to their advantage, especially since most people would rather have a shiny new phone than support for their old device.

True for some products, however consider something like my expensive TV mounted on my wall. Granted it's not exactly communicating sensitive or private information over the network but that's beside the point. One would reasonably expect a costly TV to last 7-10 years. So if my TV has a software glitch and is only a few years old, despite it being superseded by a newer model, the manufacturer should be fixing the problem, otherwise, they can either give me my money back or replace it with a new one.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #92 on: October 29, 2017, 11:35:26 pm »
True for some products, however consider something like my expensive TV mounted on my wall. Granted it's not exactly communicating sensitive or private information over the network but that's beside the point. One would reasonably expect a costly TV to last 7-10 years. So if my TV has a software glitch and is only a few years old, despite it being superseded by a newer model, the manufacturer should be fixing the problem, otherwise, they can either give me my money back or replace it with a new one.
Well, smart TVs have shown us the opposite. Sometimes manufacturers just drop support on "older" models, leaving the user with a very hampered device. That's happened a few times in the past before, sometimes to the point they're barely or not usable.

Obviously, anything "smart" needs to be supplied with proper and regular software updates, but that rarely is the case.
 

Online TheSteve

  • Supporter
  • ****
  • Posts: 3752
  • Country: ca
  • Living the Dream
Re: WPA2 vulnerability exposed
« Reply #93 on: October 29, 2017, 11:44:22 pm »
So if you have a bunch of devices on your Wifi network and one of them is not updated can a third party monitor all traffic on the network or just traffic to/from the unpatched device?
VE7FM
 

Offline suicidaleggroll (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1453
  • Country: us
Re: WPA2 vulnerability exposed
« Reply #94 on: October 29, 2017, 11:46:10 pm »
So if you have a bunch of devices on your Wifi network and one of them is not updated can a third party monitor all traffic on the network or just traffic to/from the unpatched device?

Just the affected device.  The vulnerability does not let the attacker retrieve the PSK for the network, only the unique encryption key for that one connection.
 
The following users thanked this post: TheSteve

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: WPA2 vulnerability exposed
« Reply #95 on: October 29, 2017, 11:50:07 pm »
That's the whole idea behind these "smart" closed devices.
Please substantiate your claim :)
 

