WPA2 vulnerability revealed - update your devices NOW!

Post by Rachael »

https://arstechnica.com/information-tec ... sdropping/

Thanks to Linguica on the Doomworld forums for mentioning this topic; it's how I noticed it.

The down and dirty of it:
  • Linux is more vulnerable than Windows. This is a huge problem for most home users, since many routers use some form of Linux. Therefore, it is imperative that you patch your router as soon as possible. If your ISP does not have updated firmware available to fix this exploit, pester the everliving fuck out of them until they have one available.
  • Android is a Linux variant. If you have an Android phone or tablet, you must install updates and allow your device to patch itself when it becomes available. (You can easily trigger an update *if* it's downloaded simply by restarting your phone while it's charging - if not, you can dial *#*#checkin#*#* to get it to check for one)
  • Windows is not in the clear, and still must be patched to prevent this exploit. Last week's update (10-10-2017) has the relevant fixes.
  • From what I understand, Mac OS X and iOS devices are not affected. (Older devices might be, though - still, patch if you can)
  • This exploit is not usable from the internet, itself. Rather, it requires someone with a crack-enabled device to move within range of your computer, or your Wi-Fi access point.
Kinsie wrote: Some additional info:
  • Google will push a fix to its own Android-based Pixel devices on November 6th. Expect the fix to spread to other Android devices from there... but of course, it's always a crapshoot as to whether Androids get the latest updates.
  • Public developer betas of Apple's operating systems are already patched. Expect a public release in a few weeks. In the meantime, Apple devices are apparently in the same "less vulnerable" bucket as pre-patch Windows devices.

If you choose not to patch, don't use Wi-Fi. Your data and security are not worth the risk.

If you want to research this on your own, simply Google "Krack" (exact spelling).
Last edited by Rachael on Tue Oct 17, 2017 5:13 am, edited 1 time in total.
Reason: updates

Post by Dancso »

Thanks for the heads up!

Post by Firebrand »

It will be interesting to see which manufacturers update their firmware, for which old models and how fast, lol :P .

Same with mobile phone manufacturers XP.

Post by Rachael »

Yeah - anything that uses any Linux variant is more vulnerable than any other system because they can apparently force the encryption key to "00:00:00:00:00" while the device is in use. But Ubuntu already has patches available; a simple "apt-get update && apt-get upgrade" and a reboot fixes the problem.

That doesn't stop routers and Android phones from being affected, though, and the patch rollouts depend specifically on their vendors/manufacturers. And that's a colossal clusterfuck of its own variety.

You can apparently root your Android phone/tablet but that will cause all data on it to be erased. It allows you to install an updated developer version of Android though, which in turn allows you to apply the patch that Google apparently made available. I personally don't think I want to go this route for my own phone, but I guess it's worth mentioning since such a path exists.

As for routers - good luck with that. It's possible to gain root access to some routers, but you're in entirely uncharted territory, and considering that such devices are usually owned by the ISPs themselves, that might not be a good idea (not to mention a liability on your part).

Post by Firebrand »

It seems to be more important to patch client devices than access points since the attack is directed at them, but that doesn't make it easy with old devices or unsupported ones; updating them will be a big mess. Seeing that manufacturers were told months before this announcement is a big surprise as well; not many have patches ready for their devices now that the attack has been made public.

Post by Rachael »

Firebrand wrote: Seeing that manufacturers were told months before this announcement is a big surprise as well, not many have patches ready for their devices now that the attack has been made public.
And this is precisely why leaving security in the hands of major corporations is a baaaaad idea...

They don't even want to spend the money to even pretend to "care" about security these days.

Post by Gez »

Rachael wrote:
  • This exploit is not usable from the internet, itself. Rather, it requires someone with a crack-enabled device to move within range of your computer, or your Wi-Fi access point.
That's the advantage of living in an isolated house more than a km away from the nearest neighbor. :)

Post by Trance »

Little Gez on the Prairie

Post by Graf Zahl »

Rachael wrote:
  • This exploit is not usable from the internet, itself. Rather, it requires someone with a crack-enabled device to move within range of your computer, or your Wi-Fi access point.

... and it should be clear that they are going to target public access points where a lot of traffic from unrelated people accumulates. I guess this will render lots and lots of old Android phones essentially useless garbage because they cannot be used safely anymore. While I can verify that my private router gets patched, the same cannot be said for public Wi-Fi.

As for more recent Androids, the way updates get filtered down to the end users will pose a huge challenge here. I smell some big lawsuits against those who can't be made to provide patches quickly.

Post by Dark-Assassin »

Still waiting for an update from Samsung about this...
Too bad my Netgear routers are too old to receive updates anymore and their models are too niche to have custom firmware for them.
Ah well, I live in the country too, so no neighbours.

Post by Graf Zahl »

Dark-Assassin wrote: Still waiting for an update from Samsung about this...
Too bad my Netgear routers are too old to receive updates anymore and their models are too niche to have custom firmware for them.

It should go without saying that you should seriously consider replacing them. An unpatched router is a huge security risk and if someone manages to hijack it and use it for evil purposes it's you who will be held liable, if only because you were careless enough to run that thing on outdated firmware.

Post by CrashOveride »

Luckily, my Linksys router is configured to receive firmware updates automatically as they become available. So I'm in the clear.
for now. i hope

Post by Kinsie »

Rachael wrote:
  • Linux is more vulnerable than Windows. This is a huge problem for most home users, since many routers use some form of Linux. Therefore, it is imperative that you patch your router as soon as possible. If your ISP does not have updated firmware available to fix this exploit, pester the everliving fuck out of them until they have one available.
  • Android is a Linux variant. If you have an Android phone or tablet, you must install updates and allow your device to patch itself when it becomes available. (You can easily trigger an update *if* it's downloaded simply by restarting your phone while it's charging - if not, you can dial *#*#checkin#*#* to get it to check for one)
  • Windows is not in the clear, and still must be patched to prevent this exploit. Last week's update (10-10-2017) has the relevant fixes.
  • From what I understand, Mac OS X and iOS devices are not affected. (Older devices might be, though - still, patch if you can)
  • This exploit is not usable from the internet, itself. Rather, it requires someone with a crack-enabled device to move within range of your computer, or your Wi-Fi access point.
Some additional info:
  • Google will push a fix to its own Android-based Pixel devices on November 6th. Expect the fix to spread to other Android devices from there... but of course, it's always a crapshoot as to whether Androids get the latest updates.
  • Public developer betas of Apple's operating systems are already patched. Expect a public release in a few weeks. In the meantime, Apple devices are apparently in the same "less vulnerable" bucket as pre-patch Windows devices.

Post by Rachael »

I'll add that to OP. Thanks Kinsie!

Post by Viscra Maelstrom »

i can't find any new updates for the firmware on our router over here, should i be worried? it doesn't detect any updates when i check for them in the router settings, and the site that supposedly should have my model on it (Netgear) doesn't yield any results for our router (OnNetworks 300R).