"Krack" WIFI Security flaw Found

[shawross]

A security flaw has been discovered that could be used to hack into any device that uses WIFI.

The key reinstallation attacks, or KRACKs, were discovered by Belgian researcher Marty Vanhoef and are so serious the US Department of Homeland Security has issued an official warning.

Microsoft has already supplied Security updates for October that have covered this problem but Google, Apple and others are playing catch up.

If you have an older Android (5.1) as I do then maybe you will never see any updates. I suppose using WIFI on said Androids in less congested areas would be advisable. Not all Androids are as easy to Root either.

This is a major scare and a major industry shakeup.

https://www.cnet.com/news/krack-wi-fi-a ... esponding/

[RealBlackStuff]

These people have a few more patches: http://www.zdnet.com/article/here-is-ev ... right-now/

[Puppy]

As usually, Windows is the only fully patched secure OS leaving others behind.

[shawross]

Microsoft has this covered but it doesn't mean that you are necessarily safe. How many routers and devices out there will never get updated? How quickly will Companies provide these updates?

For people in condo's and low to medium density home environments this will obviously have a greater impact.

Outside your home "patched" and protected environment we may just have to assume that we are at risk. Which most do now in reality and we mark these as a "Public Network" when we connect. YMMV

There has been a spate of exploits this year from back doors to now WPA2's holes and it makes one wonder.

[Puppy]

How many routers and devices out there will never get updated? How quickly will Companies provide these updates?

Most of routers won't get any update of course (because it is not Microsoft kernel based) and the only way would be to buy a new one. Similar to majority of Android devices.

[RealBlackStuff]

There are plenty of routers that can be updated with firmware made by Tomato, DD-WRT and the like.
These routers are not depending on (lazy) manufacturers who rather sell you a new one, than update their firmware.

List of KRACK - WPA2 firmware updates: https://www.bleepingcomputer.com/news/s ... erability/

Companies claimed to be not affected by Krack:
Arista Networks, Inc.
Lenovo
Vmware

Not sure that I believe that...

Here's an (incomplete) list of various supported routers:
DD-WRT: https://www.dd-wrt.com/wiki/index.php/Supported_Devices
Tomato : https://en.wikibooks.org/wiki/Tomato_Fi ... ed_Devices
Tomato by Shibby: http://tomato.groov.pl/?page_id=69

[Cigarguy]

These routers are not depending on (lazy) manufacturers who rather sell you a new one, than update their firmware.

Laziness got nothing to do with it. It's all about the $$$. Everyone in every industry is doing it and have been doing it for a long time. We tolerate it so why wouldn't they.

[shawross]

Not sure that I believe that...

Yes I would think you are correct because a quick search brings up 30 Lenovo devices with Android 6 which will be affected the most.

https://www.gsmarc.com/model-finder/len ... rshmallow/

This doesn't take into account all the other Android OS phones Lenovo make.

I suppose this raises the question whether Google or the other Chinese makers like Lenovo should provide updates.

Both Google and the Chinese makers are fully prepared to put their bloatware onto these phones but when a major exploit is found they are all ducking and diving.
Many of these Chinese Androids are basically clones with only different badges so I wouldn't think it would be too difficult for Google to implement through the websites of the Chinese makers.

[Neil]

While I suppose it would be best for all devices to be patched, including routers, here is what the krackattacks.com web site has to say about the situation:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

[RealBlackStuff]

And there is more: RSA Encryption has also become "crackable"

[jdrou]

And there is more: RSA Encryption has also become "crackable"

Or at least RSA as implemented using Infineon TPM chips.

[jaspen-meyer]

As usually, Windows is the only fully patched secure OS leaving others behind.

Debian released their patch Oct 16th.
https://www.debian.org/security/2017/dsa-3999 dated

OpenBSD released their patch August 30th.
https://www.openbsd.org/errata60.html
"041: SECURITY FIX: August 30, 2017 All architectures
State transition errors could cause reinstallation of old WPA keys. "

[Dekks]

As usually, Windows is the only fully patched secure OS leaving others behind.

Openbsd got there first, there was a NDA on the bug to co-ordinate release of patches, most6 of the usual suspects had patches ready to go on the expiry of the NDA. Openbsd & MS decided to release early.