All WPA2 WiFi security is broken?

[Stereodude]

Just saw this: http://www.telegraph.co.uk/technolo...ice-risk-unprecedented-krack-attack-security/ & http://www.zdnet.com/article/wpa2-security-flaw-lets-hackers-attack-almost-any-wifi-device/

They seem to say all WPA2 WiFi is fundamentally broken and vulnerable.

 

[LunarMist]

Cool. Then there is more plausible deniability to blame someone else.

 

[Chewy509]

The site about the issue and links to research papers...

https://www.krackattacks.com/

Microsoft, OpenBSD are already patched (or have patches available). MikroTik and Ubiquiti have beta firmware available. Android will have patches with 2-3 weeks (but who knows when end devices will actually get them).

 

[Stereodude]

The discussion on Slashdot says that only one side needs to be patched to block the attack, so that helps some.

 

[Chewy509]

The discussion on Slashdot says that only one side needs to be patched to block the attack, so that helps some.

That's pretty much what I gathered reading the original research paper.

Let's see how long it takes for all the network gear providers (Netgear, DLink, Sagecom, Technicolor, Cisco, TP-Link, etc) to release patches for any wireless enabled devices.
It'll be interesting to see when all those other WiFI enabled devices (TVs, Blu-Ray players, IoT devices, etc) all get patches as well...

FYI. patches for wpa_supplicant have been released, therefore most GNU/Linux distributions should see patches shortly. (RHEL, Ubuntu, SUSE, Arch, Gentoo have all released patches).

 

[Chewy509]

US CERT vendor database re: WPA2 flaws

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

 

[Stereodude]

It'll be interesting to see when all those other WiFI enabled devices (TVs, Blu-Ray players, IoT devices, etc) all get patches as well...

This one is easy. Never...

If it's an expensive name brand piece of equipment like a TV or something like a Blu-Ray player and it's only a few years old they might get a firmware update, but the extreme majority of devices are going to be left out in the cold. I wouldn't even presume that most networking gear with an AP will get an update if it's more than a few years old.

 

[LunarMist]

Yes, never.

 

[Handruin]

I just patched my Ubiquiti UAP-Pro access point at home. Here is the page with all their patches for their products. My understanding is that this is released code, not beta.

 

[Chewy509]

The real interesting thing to come out of this issue, is watching how vendors react to it... It certainly makes you really consider where to spend your money in future... (eg only start purchasing from those that are proactive in getting this fixed)...

 

[Chewy509]

Updated list of vendor responses:

https://www.bleepingcomputer.com/ne...-driver-updates-for-krack-wpa2-vulnerability/

 

[timwhit]

I just patched my Ubiquiti UAP-Pro access point at home. Here is the page with all their patches for their products. My understanding is that this is released code, not beta.

Did it show up for you on the Unifi Controller or did you do it manually? I upgraded the controller software and then upgraded each of my APs, but they're still at version 3.8.14.6780. No more upgrade option is available.

 

[Handruin]

They did not show up automatically for me. I logged into the UniFi controller and copy & pasted the URL from that page I linked into the custom upgrade field to load it into my AP. This is where I did the upgrade from in the lower right corner. I read in their forums that once you do this upgrade the normal upgrade button at the top will be confused with thinking it will need an upgrade when in fact it's a downgrade. This will get addressed shortly.

 

[timwhit]

I may just wait until the controller can upgrade automatically. Any word on when that will happen?

 

[Handruin]

I haven't followed the development of the controller at all so I can't say without googling or looking through their forums more. I only saw it as a comment from one of their community members regarding the incorrect upgrade. It probably won't be long given the amount of press this vulnerability has. What's your concern with just doing the custom upgrade?

 

[sechs]

As I understand it, this is a difficult hack that requires access to the signal. I doubt that most of us yucks will be targets when there are sweet business networks to hack.

 

[snowhiker]

Well at least I updated my routers firmware. It's dated 17-July-2017 so it doesn't contain the needed fixes for the WPA2 issues but at least is newer than the 2013 firmware that it originally came with.

 

[Chewy509]

TP-Link's response was what I would consider typical... Let's EOL a whole stack of devices, and claim no support for them since they are now EOL. (Only current models/revisions for each current model device are set to receive updates).

From what I've seen this sort of behaviour will affect Android based devices most. No word yet from the major players about updates for last/prior models yet. (that I've seen).

 

[Chewy509]

FYI, my Epson printer had a firmware update the day after the public release of the issue...

 

[sechs]

None of my network infrastructure devices needed an update (they're apparently not susceptible to the hack). Since only one side needs to be safe, I only have to worry when attached to other networks.

Also, since the hack works on HTTP injection, using encrypted connections totally defeats it.