Interesting, thanks for the heads up.
#internetofshit
Personally speaking, I'm not fussed. I run my WiFi network like a public one. That means all encapsulated protocols are over TLS anyway. This is a minor setback. At worst someone can poison DNS or get themselves attached to my network and eat up all the bandwidth (which is free and unlimited anyway). This is no different to my teenage daughter giving our bloody wifi password out to all her friends and then them all loitering outside my house.
The real killer here is all the wireless infrastructure around. CCTV cameras, street lighting etc. If that uses WPA2 then there's going to be some interesting shit going down shortly.
No it's not dead at all.
The authoritative information source is this:
https://www.krackattacks.com/#faq
As they point out, the flaws can be solved with some changes and they notified vendors in July. Patches are being published now.
And there is a lot of confusion around the issue because the announcement covers several flaws. Not all of them are the same, and networks using AES-CCMP are much less vulnerable than networks using TKIP.
I won't repeat the information, just read the comprehensive Q&A.
Some vendors were notified.
Personally speaking, I'm not fussed. I run my WiFi network like a public one. That means all encapsulated protocols are over TLS anyway. This is a minor setback.
Krackattack site says: "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations."
HTTPS is only effective when the data is from one trusted source. As soon as you have other sources in the mix, there is no way of telling if one has been proxied.
It is not dead, only need to patch the clients afaik from the paper.
However this needs to be addressed in a new standard (WPA3 ?) so that partly key renegotiation will not be allowed.
My cursory read through this morning suggested that an attacker could obtain the actual network PSK from a compromised client (which would mean that all it would take was a single unpatched client anywhere on the network to compromise the whole thing), but reading through it again I see now that they can only obtain the encryption key for that specific connection.
This means that any unpatched client will have its own connection decrypted and possibly interfered with, but not the rest of the network. Still bad, but not as bad as I originally thought.
And even that depends on a number of circumstances.
It is not dead, only need to patch the clients afaik from the paper.
However this needs to be addressed in a new standard (WPA3 ?) so that partly key renegotiation will not be allowed.
Not really. The specs must be updated, though. Part of the problem, according to the author, is that the specification is incomplete and some details are just written into code.
Curiously, the newest protocol designed for 802.11ad networks is weaker than WPA2 with AES-CCMP.
The simplest workaround is wired Ethernet instead of wireless.
Tablets can use a thin USB cable to a hub with a USB network card attached to them.
Run Ethernet to every room and make it easy to plug into.
Thanks for the advice cdev. If you could only make a quick YouTube video to make it less useless, i.e. a video of yourself cutting drywalls, patching them back, drilling through floor and floor joists and the house outside walls, pulling ethernet wiring through the holes, installing RJ45 outlets and stuff. That would be greatly appreciated.
Would a VPN/SSH-tunnel from a laptop to the Wifi AP connected to wired LAN/WAN do the trick?**
** Edit: I mean in the office environment. In the open Wifi-hotspot one should always use VPN/SSH-tunneling to a trusted network connection.
I don't browse directly on my mobile wifi devices. I currently use TeamViewer on public networks, who claim to encrypt their data, and all web browsing is actually done on my wired home PC instead. I wonder how secure TeamViewer is since it doesn't use any HTTP at all. If TeamViewer has faulty encryption, maybe I should find a better remote desktop app.
drilling through floor and floor joists and the house outside walls
If you route Ethernet cable outdoors, you just made a very easy way to break into the network.
I don't browse directly on my mobile wifi devices. I currently use TeamViewer on public networks, who claim to encrypt their data, and all web browsing is actually done on my wired home PC instead. I wonder how secure TeamViewer is since it doesn't use any HTTP at all. If TeamViewer has faulty encryption, maybe I should find a better remote desktop app.
Let's hope they actually fixed the issue after their infamous security breach. Are there any independent security reviews to confirm that it actually is secure now?
It looks as if you want that WiFi security, you need to write your own remote viewing app which no one else has, with your own encryption algorithm. If there are only 1 or 2 users of the app and it is not public, no-one is trying or aware of your security algorithm let alone the method you encode the audio/video/mouse-keyboard events & it won't ever be cracked.
Security through obscurity is not considered safe either.
https://en.wikipedia.org/wiki/Security_through_obscurity
It looks as if you want that WiFi security, you need to write your own remote viewing app which no one else has, with your own encryption algorithm. If there are only 1 or 2 users of the app and it is not public, no-one is trying or aware of your security algorithm let alone the method you encode the audio/video/mouse-keyboard events & it won't ever be cracked.
You would be amazed at what a skilled cryptanalyst can achieve.
So, unless your algorithm is really good...
Many years ago, when using wireless cards without encryption support I used IPSec. But no need to explain how clumsy it was!
Security through obscurity is not considered safe either.
https://en.wikipedia.org/wiki/Security_through_obscurity
If so, the whole business of patching software is a bad practice. After all, the only reason the unpatched vulns had not been exploited up to now is that they were obscure. WPA2 has been in use for a long time, and at any time during that interval the vuln could have been exploited. Maybe was exploited. Who knows?
The proper answer being to get rid of all software written with compilers prone to these security bugs. Especially C with its unchecked buffer risk.
Your alternative 'software' would be punch cards? clay tablets?
A similar huge vulnerability exists in Bluetooth, also recently discovered.
Is all of this coincidental?
Sorry, already did it many years ago. It's not the big deal you make it out to be.
Thanks for the advice cdev. If you could only make a quick YouTube video to make it less useless, i.e. a video of yourself cutting drywalls, patching them back, drilling through floor and floor joists and the house outside walls, pulling ethernet wiring through the holes, installing RJ45 outlets and stuff. That would be greatly appreciated.
Microsoft has you covered:
https://www.microsoft.com/en-us/store/p/crack-attack/9nblggh3s5v5
Seriously, I'm wondering who supplies the patch for my Windows 10 desktop machines? I think MS would be pushing an update since I believe I'm using the OS application to access the network.
OK, just found that the Oct 10th update provided the patch. Win7 not supported?
Sorry, already did it many years ago. It's not the big deal you make it out to be.
Wireless is for kids and housewives who cannot handle tools, men lay copper.