Wifi insecurity
Posts: 0
Free Member
Topic starter
 

Heads up: looks like WPA2 has been broken...

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns?CMP=fb_gu


 
Posted : 16/10/2017 11:29 am
Posts: 6900
Full Member
 

Horses mouth here - https://www.krackattacks.com/


 
Posted : 16/10/2017 11:37 am
Posts: 0
Free Member
 

So what's the idiot proof fix?


 
Posted : 16/10/2017 11:48 am
Posts: 1130
Free Member
 

There's a key point missing from the Grauniad's report that is on The Register's ( https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/)

the attacker would have to be on the same base station as the victim, which restricts any attack's impact somewhat.

Which basically means, your network would already need to be compromised in order to compromise devices on your network.

Not that it shouldn't be taken seriously, and given CVEs are being issued, vendors will be working on patches as soon as they can, but it's not like every scrote in the neighbourhood is suddenly going to start cracking your network.


 
Posted : 16/10/2017 11:50 am
Posts: 0
Free Member
 

seosamh77 - Member
So what's the idiot proof fix?

Turn it off.

As a warning it's up there with "you're going to die at some point" for most people.


 
Posted : 16/10/2017 11:51 am
Posts: 17
Free Member
 

seosamh77 - Member
So what's the idiot proof fix?

First, who is hacking your wifi?
Second, wait for an update; always install updates.
Third, who is attacking your wifi?

The attacker needs to be close enough to get the signal and have some time to work on it, so the hacker needs to be in reasonably close proximity to you for the time it takes to do it, and then remain there to collect the information.
How far does your wifi extend?
Do your neighbours work, have a lot of PCs, and never go outside?


 
Posted : 16/10/2017 11:55 am
Posts: 23106
Full Member
 

Which basically means, your network would already need to be compromised in order to compromise devices on your network.

At home or work, yes - but people use WiFi in all sorts of places that they don't manage.

Is it the base station that is vulnerable, or is the issue that traffic between the base station and connected devices can be intercepted?


 
Posted : 16/10/2017 11:56 am
Posts: 17
Free Member
 

Is it the base station that is vulnerable, or is the issue that traffic between the base station and connected devices can be intercepted?

If you are using public wifi - even with a login etc. in a hotel - expect that it is not fully secure.

This is specifically about WPA2 encryption between you and the base station (WEP is already breakable). In which situations are you using that connection? If they are handing out the password for nothing, then who knows who is on there.


 
Posted : 16/10/2017 11:58 am
Posts: 0
Free Member
Topic starter
 


First who is hacking your wifi?

I think it's more the concept that what was once considered safe is now far less so.

Still using WEP? Thought not...


 
Posted : 16/10/2017 11:58 am
Posts: 0
Free Member
 

The attacker needs to be close enough

aye I get that.

Will isps send out a fix for routers, or does it mean new routers?


 
Posted : 16/10/2017 11:59 am
Posts: 17
Free Member
 

Oi Zokes, do the full quote so it makes sense!!
That was in response to "what's the quick fix".

"Far less safe" for me is an interesting one. From here I can only just pick up the neighbour's wifi; in apartments more so, but you need to have the physical proximity to execute this, and that leads to motive and time to do it. Yes, there is a vulnerability, but for most practical home uses it's not massive and not going to bring everything down.


 
Posted : 16/10/2017 12:02 pm
Posts: 0
Free Member
 

Think I've got about 8 connections I can pick up.


 
Posted : 16/10/2017 12:05 pm
Posts: 811
Free Member
 

Will isps send out a fix for routers, or does it mean new routers?

I [i]think[/i] it's a client thing (or more likely client & base station).

I.e. your phone, Chromecast, laptop & robo-butler will need updating (as well as the base station).


 
Posted : 16/10/2017 12:08 pm
Posts: 0
Free Member
 

So what's the idiot proof fix?

One of these whenever possible



 
Posted : 16/10/2017 12:11 pm
Posts: 80
Free Member
 

from here I can only just pick up the neighbor's wifi, in apartments more so but you need to have the physical proximity to execute this

Well, that's fine and dandy for you... I live on an unremarkable terraced street in a small city in Devon, so hardly a bustling metropolis, and I can pick up no less than 28 identifiable SSIDs from the front of the house and 23 from the back; there's also another handful that I can see but that aren't advertising.

Also, the [i]attacker[/i] doesn't need to be close, only their [i]device[/i] needs to be. It might not be a big deal for you at home (it might though, who knows!) but it's a big deal for some people, and given how small, mobile and easily hidden devices are, the 'they need to be close' is no more relevant than it ever was.

As always, normal rules apply: if you don't run the network, assume anything you transmit or receive is potentially available to others, so if it's important make sure it's protected in other ways. If you do control the network then [i]normally[/i] you could assume less chance**, but now you might as well assume that if someone wants it* they can get it, so as before, protect it in other ways.

*this [i]is [/i]important, as for most people nobody gives two hoots what you're doing. But obviously for sensitive information take precautions like you would on a public network until it's patched.

**still out of your control once it's in transit so as above...


 
Posted : 16/10/2017 12:14 pm
Posts: 0
Free Member
 

I thought most routers have MAC address access so you can configure it to just allow access for specific devices.

Also you can make your SSID not visible, which might make it more secure against the casual opportunistic hacker.


 
Posted : 16/10/2017 12:16 pm
Posts: 31206
Full Member
 

I thought most routers have MAC address access so you can configure it to just allow access for specific devices.

That's true and it is worth doing - but it is trivial for a proper hacker to spoof a MAC address:

https://en.wikipedia.org/wiki/MAC_spoofing

Also you can make your SSID not visible, which might make it more secure against the casual opportunistic hacker.

Completely pointless IMO. Only makes it harder for legit users.


 
Posted : 16/10/2017 12:19 pm
Posts: 811
Free Member
 

Regarding cable networks: Perhaps not as safe as it seems.

How many cable based network segments offer encryption?

Not many, I'd guess.


 
Posted : 16/10/2017 12:19 pm
Posts: 80
Free Member
 

I thought most routers have MAC address access so you can configure it to just allow access for specific devices.

have? yes
configured? unlikely
foolproof? nope

MAC filtering is just another layer of protection that you could use; it has its upsides and downsides like most options, and it's not unbeatable. As always it comes back to your personal risk level: if your data is genuinely a target for someone then MAC filtering ain't gonna stop them.

It's one of those 'stops novice users' but 'trivial for techies' things, and let's be honest, anyone attempting to intercept traffic for nefarious reasons is unlikely to be a novice user. Chances are, though, they also don't care about your home wifi as you're not a good target.


 
Posted : 16/10/2017 12:19 pm
Posts: 17
Free Member
 

Sorry, what I mean is close, motivated, invested in tech and time, knowing about the vulnerability, able to execute it and picking their target.
I assume most people here had WEP while that was vulnerable too.
If I was going to invest my time in this I'd probably be looking for a corporate target or somebody I knew was dodgy enough to blackmail already.
You have 2 choices really at present:
Stop using WiFi.
Carry on but be a little aware.

The biggest impact will probably be on mobile data speeds if people swap back to that.


 
Posted : 16/10/2017 12:20 pm
Posts: 1130
Free Member
 

maccruiskeen - Member
At home or work, yes - but people use WiFi in all sorts of places that they don't manage.

Is it the base station that is vulnerable, or is the issue that traffic between the base station and connected devices can be intercepted?

Agreed. I've only skimmed the material, but it looks like it's the initial handshake between the client and base station that's now vulnerable. But what the attacker could then do to the client I'm not quite clear on.

In the public wifi scenario, one should always be practising decent security and using a VPN anyway, otherwise you must assume you can be eavesdropped.


 
Posted : 16/10/2017 12:31 pm
Posts: 77692
Free Member
 

I thought most routers have MAC address access so you can configure it to just allow access for specific devices.

Also you can make your SSID not visible, which might make it more secure against the casual opportunistic hacker.

Neither of those steps is any sort of security at all. It's akin to removing your door numbers so that burglars can't find your house.


 
Posted : 16/10/2017 1:22 pm
Posts: 0
Full Member
 

You have 2 choices really at present.
Stop using WiFi.
Carry on but be a little aware.

Or use a VPN on untrusted connections


 
Posted : 16/10/2017 1:50 pm
Posts: 31206
Full Member
 

And make sure you choose a good password:

😉


 
Posted : 16/10/2017 2:05 pm
Posts: 31206
Full Member
 

Blimey, ESP8266/Arduino has been patched already. That was quick!
https://twitter.com/i_grr/status/919872443329650689

Suggests that it isn't too hard to sort out. But I bet it'll still be months if not years before many consumer devices get patched (assuming they are still actively supported).


 
Posted : 17/10/2017 8:28 am
Posts: 1862
Free Member
 

The vendors have known about this for months, Apple shipped their patches for macOS/iOS/etc weeks ago.

My expectation is that if the vendor doesn't patch this week, they won't.


 
Posted : 17/10/2017 9:41 am
Posts: 13594
Free Member
 

Suggests that it isn't too hard to sort out.

It was a very simple bug in the setup algorithm. The underlying encryption was fine; it's just that it could be bypassed, or tricked into using a known key, during the key exchange process.


 
Posted : 17/10/2017 9:50 am
Posts: 0
Free Member
 

brassneck - Member 
Or use a VPN on untrusted connections

Doesn't help. Your connection to the access point will still be vulnerable, giving someone access to your device, and they can snoop on the unencrypted end of the VPN connection, i.e. your device.

Not that this is in the wild, and it requires a malicious hack from someone nearby at present (until some malware virus spreads about auto-hacking, but it requires other vulnerabilities to spread).

There's a risk, it's really quite low at the moment, and it's mostly patched already.

Problem in the main is with Android due to extra flaws in 6+ and device fragmentation & manufacturer lock in. Those not on a pure(er) Android could take months, years or maybe never get an update.

Even when the hack goes wild, it requires a deliberate hack from someone nearby or a virus with the hack to distribute to the network of the access point you are using, which needs further vulnerabilities to exploit.


 
Posted : 17/10/2017 9:52 am
Posts: 1862
Free Member
 

A VPN will help, as any traffic over wifi is inside the VPN. Unless you're running a VPN from your router, which seems a bit pointless.


 
Posted : 17/10/2017 9:59 am
Posts: 31206
Full Member
 

they can snoop on the unencrypted end of the VPN connection, i.e. your device.

How does that work? The VPN connection is made by my device, so surely my device is doing the decryption of the VPN traffic? I can't see how this would let a hacker access that.


 
Posted : 17/10/2017 10:00 am
Posts: 0
Free Member
 

[quote=bensales ]I've only skimmed the material, but it looks like it's the initial handshake between the client and base station that's now vulnerable. But what the attacker could then do to the client I'm not quite clear on.

My understanding is that it allows an attacker to then have access to all wifi traffic, effectively nullifying the encryption. If somebody is attacking on a public wifi hotspot using WPA2 then it makes it no more secure than a public wifi network with no encryption. So treat any encrypted network as if it is unencrypted and rely on end-to-end encryption (i.e. https or a VPN) for anything important.

VPNs aren't vulnerable to attack unless you're sharing keys over your wifi network, which I can't see any reason why you would - any form of end-to-end encryption removes your vulnerability.

The only issues due to this are when you're relying solely on WPA2 for security - the most obvious one I can think of is if you're sharing content over your wifi that creates a vulnerability. I suppose anything like a RPi you connect to over wifi is also vulnerable given that id and password go in clear only protected by WPA2.


 
Posted : 17/10/2017 10:01 am
Posts: 0
Free Member
 

rossburton - Member 
A VPN will help, as any traffic over wifi is inside the VPN. Unless you're running a VPN from your router, which seems a bit pointless.

GrahamS - Member 
How does that work? The VPN connection is made by my device, so surely my device is doing the decryption of the VPN traffic? I can't see how this would let a hacker access that.

Because while VPN is providing a tunnel for your Internet traffic and they can't snoop on that on the wire, with WPA2 hacked they have access to client devices on the same network and in theory can access the device contents, use a key logger or monitoring software etc. It's like using VPN but someone is watching over your shoulder or has physical access to your device.

In theory. It would require a bunch of other vulnerabilities on the device to exploit though.

Thing with VPN is while your Internet traffic is being encrypted, you are also still on the local network you have connected to and there is traffic there, and you are an authorised device on that network so potentially visible if not hackable to other devices. It's why on any public or untrusted network, on top of VPN you should have every firewall enabled (difficult to do on a phone) and disable any kind of network sharing, visibility on the local network etc.


 
Posted : 17/10/2017 10:11 am
Posts: 31206
Full Member
 

Hmmm... surely the whole point of a VPN is that it doesn't matter if you are using unsecured wifi or a dodgy hotel ethernet that anyone can be listening in on?

Defeating the WPA2 encryption just brings the network to that level doesn't it?


 
Posted : 17/10/2017 10:18 am
Posts: 13594
Free Member
 

with WPA2 hacked they have access to client devices on the same network and in theory can access the device contents, use a key logger or monitoring software etc

Not at all. They can try and access the device, but they would need a zero day vulnerability to get access. Being on the same LAN as a computer does not give you access to its contents.


 
Posted : 17/10/2017 10:20 am
Posts: 0
Free Member
 

[quote=deadkenny ]In theory. It would require a bunch of other vulnerabilities on the device to exploit though.

Indeed - an attacker gets access to your Wifi packets (and can inject rogue Wifi packets), but that doesn't automatically provide a means to attack anything else. Where this might become an issue is if another vulnerability to wifi packet injection is found. It may be that the bad guys haven't looked too hard at this one before as there hasn't been an easy way to use any wifi packet injection exploit on most networks - but then there are still plenty of unencrypted public networks with plenty of targets on them.

Fundamentally as I mentioned above, if you just consider all wifi networks to be unencrypted then it shouldn't be a problem. Just don't send anything important over http.


 
Posted : 17/10/2017 10:25 am
Posts: 0
Free Member
 

footflaps - Member 
Not at all. They can try and access the device, but they would need a zero day vulnerability to get access. Being on the same LAN as a computer does not give you access to its contents.

Indeed, but it's a lot more vulnerable, and depends how patched up you are.

It's like at home you're comfy knowing all your devices on your network are your devices, but with WPA2 vulnerable you may have an intruder on your network potentially. Worse at home as some operating systems will trust other devices on the network, e.g. Windows when it asks if you're on a trusted home network, which means it opens a lot of firewall holes.

You also have other less secure devices on your network possibly. Out of date router software, printer, smart TV, IoT devices.

In short, don't just trust VPN for security. It only secures the traffic.


 
Posted : 17/10/2017 10:27 am
Posts: 31206
Full Member
 

It's like at home you're comfy knowing all your devices on your network are your devices, but with WPA2 vulnerable you may have an intruder on your network potentially.

But as I understand it, an attacker would still have to be able to join that network BEFORE they can run this attack?

So they'd need to crack my wifi password as well and spoof an approved MAC address. By which point they'd be on my network as an "approved" device regardless of the WPA2 attack.


 
Posted : 17/10/2017 10:34 am
Posts: 0
Free Member
 

I think the issue is that an attacker doesn't need to join the network as such - if there is a vulnerable device on your network then they can not only intercept wifi traffic to and from that device, they can also inject wifi packets which will appear to come from that device. Hence they are then effectively on the network.


 
Posted : 17/10/2017 10:41 am
Posts: 0
Free Member
 

I believe you don't need to be on the network to exploit it. However the question is whether it's possible to exploit the packets enough to get network access without requiring the wifi password. Apparently the hack doesn't expose the password itself, but with vulnerable clients you're seeing unencrypted network traffic so potentially you could be on the network. You won't be able to decrypt VPN traffic however.

Edit: what @aracer said.

I'm speculating about the network vulnerability, but as I say, I wouldn't just trust VPN is enough to protect you.

That said, it seems this isn't in the wild yet, and tricky to exploit anyway.


 
Posted : 17/10/2017 10:43 am
Posts: 31206
Full Member
 

Ah okay thanks aracer.

I watched the demo video and they are creating a clone of the AP on a different channel, what I didn't quite get was how that works when a password is required to access the AP?

Also in the video they discuss using ssl_strip to force non-SSL versions of websites where possible, which defeats that nicely. VPN still seems to be secure as far as I can tell, but I don't have time to delve too deeply so I'm just going by what the press coverage says.


 
Posted : 17/10/2017 10:53 am
Posts: 31206
Full Member
 

Ah okay, read up a little on how they do the channel-based AP clone for the MitM attack that sets this up. Makes a bit more sense.

http://www.mathyvanhoef.com/2015/10/advanced-wifi-attacks-using-commodity.html


 
Posted : 17/10/2017 11:12 am
Posts: 0
Free Member
 

[quote=GrahamS ]I watched the demo video and they are creating a clone of the AP on a different channel, what I didn't quite get was how that works when a password is required to access the AP?

Ah - that's quite sneaky. What they're doing is routing all wifi traffic through their own AP, hence being a man in the middle. The password doesn't matter, because that is only used for initial setup of a wifi connection - once the connection is set up then security is provided by encryption of the traffic using the key which is shared with the 4-way handshake. However, this is where the vulnerability is. Without the vulnerability, even if you could make the device re-connect on a different channel (which seems to be how they get it to connect to their rogue AP) then you wouldn't be able to do anything as you couldn't communicate with the device. However, the vulnerability allows you to reset the encryption key to all zeros and communicate with the device as if you were the legitimate AP.

Also in the video they discuss using ssl_strip to force non-SSL versions of websites where possible, which defeats that nicely. VPN still seems to be secure as far as I can tell, but I don't have time to delve too deeply so I'm just going by what the press coverage says.

Yep - that's where the attack becomes useful, especially for people who reuse passwords. It seems you can protect yourself by checking https is being used (I'm not sure if you can bypass ssl_strip by explicitly specifying that). Yes VPNs are still secure provided they don't have any other vulnerabilities of their own.


 
Posted : 17/10/2017 11:13 am
Posts: 77692
Free Member
 

The National Cyber Security Centre has published a guide.

https://www.ncsc.gov.uk/krack


 
Posted : 17/10/2017 5:26 pm
Posts: 13594
Free Member
 

It's like at home you're comfy knowing all your devices on your network are your devices, but with WPA2 vulnerable you may have an intruder on your network potentially. Worse at home as some operating systems will trust other devices on the network, e.g. Windows when it asks if you're on a trusted home network, which means it opens a lot of firewall holes.

That's just a false sense of security. You should assume your LAN isn't secure, e.g. at work there are 100s of machines on my LAN, and who knows if one has been compromised. Best assume it has.

Every day I VPN to various customers' networks and connect to their LANs, exposing my laptop to 1000s of machines all over the world, e.g. Nigeria, USA, Egypt etc. I basically assume I'm always being exposed to threats. Only been got once (that I know of), by a virus in China in 2003, in 25 years of IT work.


 
Posted : 17/10/2017 5:51 pm
Posts: 77692
Free Member
 

Every day I VPN to various customer's networks and connect to their LANs exposing my laptop to 1000s of machines all over the world

I'd be doing that from a VM if I were you.


 
Posted : 17/10/2017 6:54 pm
Posts: 3461
Full Member
 

Is anyone aware of a list of modems/routers/access points that will be patched?

Mine is donkey's years old and starting to get a bit flaky, so I could do with some recommendations for replacing it... What's currently a good ADSL WiFi router modem for domestic use?


 
Posted : 17/10/2017 7:04 pm
Posts: 31206
Full Member
 

footflaps: how do you protect yourself in that situation?

Strong anti-virus + software firewall + well-configured VPN client?

Cougar's suggestion of a disposable VM condom makes a lot of sense.


 
Posted : 17/10/2017 7:07 pm
 Drac
Posts: 50458
 

Not really the list you’re after verses but may give you an idea.

http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/


 
Posted : 17/10/2017 7:37 pm
Posts: 13594
Free Member
 

I'd be doing that from a VM if I were you.

I do 😉

footflaps: how do you protect yourself in that situation?

Strong anti-virus + software firewall + well-configured VPN client?

Basically all of the above. The main defence is a well-updated OS. Then a firewall on top of that.

I VPN from a VM, so they can only infect the VM image, and most viruses / trojans won't activate on a VM as that's how the anti-virus companies test them, so as soon as they detect VMware they stop running. However, I do have to transfer files between VM and host, so there is a possible infection path, although all the files are ones I've created, so generally safe. Also, the VM will have zero-day vulnerabilities, so it's not 100%.


 
Posted : 17/10/2017 7:41 pm
Posts: 3461
Full Member
 

Thanks Drac, looks a good place to start


 
Posted : 17/10/2017 7:43 pm
Posts: 31206
Full Member
 

Computerphile have done a nice simplified overview of how KrackAttack works:


 
Posted : 18/10/2017 6:46 am