Krack Attack: Security Flaw Puts Every Wi-Fi Connection at Risk
18Thanks to a newly discovered security flaw, your home Wi-Fi is completely hackable, giving cyber thieves a front row seat to everything from your private chats to your baby monitor. And there’s not much you can do about it — yet.
I am so not in the mood for this.
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
Comments from those knowledgeable about IT security?
/giphy hacked
Some devices and OS’s have patch updates?
I hear that a properly configured VPN offers some degree of packet protection? Is that true?
- 21 comments, 35 replies
- Comment
The joke is on them. I’m not using WPA2.
I’m using WEP.
(And yes, I know that in 2003 WEP was deemed completely unsafe.)
@mflassy
I suspect the joke is on us all.
/giphy joker
http://wccftech.com/keep-safe-wifi-wpa2-krack-exploit/
In that case, run outside screaming.
You could simply enclose you whole house inside a Faraday cage - or cover the inside of your house with
"stealth wallpaper" - which also doubles as a padded cell when it all gets to be too much to deal with.
@rockblossom or tinfoil?
Time to break out my 1990s vintage DEC RoamAbout equipment with its stellar 2Mbps transfer rate. It used different frequencies; bet nobody but NSA is monitoring for it now.
Last week I watched Kevin Mitnick give a presentation and live demo. The takeaway: nothing is secure, ever. Actually pretty chilling.
One of the other speakers at this event quoted Vint Cerf as stating that the Internet never made it out of beta code.
Properly configured VPN will ensure that your packets are encrypted from one end of the tunnel to the other. SSL everywhere will also ensure this. That encryption is susceptible to potentially flaws, as at both your endpoint and the other end of your connection or tunnel.
I want to take up woodcarving in the mountains somewhere anytime I really take a step back and think about data security.
@djslack Stupid Bank of America website will not work with my VPN running, so I have to close it to pay their bill. I pay everyone else first, turn off the VPN, pay them and shut down the laptop.
@djslack That is why we need to throw him back in jail for 5 more years, I hear he has a pretty scary whistle.
@caffeine_dude lol. The bad thing is there’s only a slight variation in tone between launching all the nukes and just downloading candy crush on all the NORAD computers. You have to be careful with that whistle.
Don’t broadcast your SSID. That will at least make it a bit harder for the bad guys. That way they’ll have to be in range of your wifi and know what to look for. Slow 'em down a bit…maybe…
@medz I understand that’s not a good solution. As Microsoft says, “Choosing not to broadcast the SSID of a wireless network does not make it undetectable. The SSID is still advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs.”
@sligett Ok, so broadcast it. See if I care.
/giphy fine whatever
@medz @sligett Opting not to broadcast your SSID is essentially security through obscurity - that is to say, not security at all. If this was all you were doing to secure yourself, yeah, it would be a terrible plan. And if it gives you a false sense of security when vulnerabilities like KRACK are discovered, that’s probably not great either. But that’s not to say that there’s no value in being slightly-less-low-hanging fruit. Daniel Miessler has a good article on the subject.
Excerpted from the summary:
Food for thought, blahblah.
@brhfl Right. We call that sort of thing the “idiot firewall” or “ignorance firewall”. At least it stops people who are too dumb to know ways around it.
@medz Also from what I understand this increases power usage of wifi cards so you will kill your phone battery faster.
@darkzrobe ok. Do what you want.
/giphy be hatin
Some days I really wish I spoke tech.
Starting to think this whole internet thing wasn’t such a good idea after all.
@Moose
Read this and then tell me if you feel the same way.
@Moose But wait! Without the internet, we wouldn’t have Twitter, or Amazon, or Faceboo… er. Yeah, I see what you mean.
@Moose The internet was pretty awesome between maybe 1997 and 2007. All downhill from there.
@Moose They call it the World Wide Web for a reason. Like flies in a spider web, we’ve all become entangled in the web and will soon be sucked dry of our virtual life juices.
@Moose
https://shirt.woot.com/offers/the-internet-is-never-wrong?ref=meh_com
@medz I don’t think that was the reason
@Moose There is literally no other possible explanation.
Enjoy your WiFi lightbulbs, suckers!
rummages in closet looking for ethernet cables
@awk If they’re close enough to hack your wifi, they’re close enough to tap into your physical network. Heck, they could just bug your whole house for that matter.
@medz
/giphy your risk assessment is flawed
@awk holy crap that is really dumb what that kid is doing.
@Kidsandliz
/youtube extreme parkour
@Kidsandliz That’s Spiderman!
@awk Right. Ugh. Can’t watch (I do realize it will end well or it wouldn’t be able to stay posted, but still…). Although I will admit to doing stupid things in my misspent youth… I did a lot of rock climbing, including some free climbing (eg without a rope), which in retrospect was incredibly stupid - but then again in your 20’s your frontal lobe is still developing (at least that is my excuse - grin).
@awk If yer spine don’t tingle watching that video, you’re already dead. One wonders how many didn’t make it attempting the same?
I guess my cable company is doing me a favor since I don’t have an internet connection most of the time and they can’t seem to fix it. Yay, them!
You should mildly panic here, and make sure all the sites you go to on public wifi are HTTPS only. The best thing you can do here is really the best thing you can do in general- patch regularly and completely, and don’t reuse passwords across sites.
Just to add to the fun, didn’t I see an ad for free WiFi access offered from the many paying customers? Something about offering so many zillions of places you could access because you are a customer?
Here’s another one to add to the noise (it’s actually a decent write up):
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
(To be truthful, your device that you connect with is where the risk is. You know, your fancy cell phone, and your tablet.)
I almost never use wifi. The list of places I’ll connect to is REALLY short (when needing to update my phone or ipad, both of which will not update over cell phone networks, and insist on a wireless network).
@Shrdlu So the attacker can clone the wifi on a 2nd channel using the same SSID and encryption type without knowing the password?
I listened to a podcast about a month ago and the hacker said he used this method of attack but I thought it was a bit of hyperbole for the audience. I even backed it up then said this part is BS (the hackee knew he was going to be hacked for the story). The user would need to reenter the password, and how would the attacker know the password to the SSID unless it was brute forced therefor a weak password.
@caffeine_dude Side point: This is trivial for open networks such as attwifi (which at&t iPhones will connect to automatically by default)
Without reading the linked article I believe your actual points are valid, though. Though many users will reinput the password without a second thought if prompted. It may even be possible to do a two stage attack by impersonating the valid SSID, capturing the password supplied, then reimplementing the SSID with the newly obtained password and then having access to all traffic. You could even pass your new SSID traffic back through the original network so traffic comes from the same IP with your malicious device as a nearly invisible hop in between.
Another serious vulnerability was announced today but it’s a little more esoteric and doesn’t have a sweet logo:
https://roca.crocs.fi.muni.cz
Infineon chips used in smart cards, secure tokens, and TPM modules can generate weak RSA keys (you can determine the private key from the public key).
For instance Yubikey 4 is affected… (I use a Yubikey for various things including logging into Google and my Chromebook, but luckily that functionality (U2F) is not affected.)
/image hides under desk
So…maybe this is a stupid question, but how does the security differ from WiFi to 4G?
(I get there are fundamental differences in the technology, but if ATT can keep people out, why can’t D-Link also?)
@lumpthar It’s harder to effectively do security research on cell network hardware (although not impossible) because the equipment is costlier, less well documented, and generally countries & government bodies take dim views of people doing things to regulated spectrums (such as the frequencies cell phones use).
It’s a different kind of security, that’s probably only better if you’re using 4g or LTE- those were built with years of experience and hard-learned security lessons. 2g and 3g both had problems with security, but realistically it was only government funded groups who had the resources to take advantage of those problems until the last 5 years or so.
Wireless routers could be more secure, but I tend to think that security beyond the basics isn’t yet a selling point, and so unless the company decides to make security a selling point or someone is championing it, it just doesn’t happen.
The basics of secure systems are known, but it’s not a one and done thing- it’s a continuous process, and takes considerable time & effort to do well.
/image plumber crack attack
@medz From the warm clothing people are wearing they’ve gotta be feeling a cool breeze back there.
So, for the moment:. Don’t use Wi-Fi? Or use a VPN? Will that kinda do?
And M$ says that windows systems should have already been patched, assuming they have been updated?
Not surprised to find that @shrdlu has the most cautious and, quite likely, the best practices.
I could do something similar, in a n00b kind of way: I mean, I could resist wi-fi; that is, I could resist wi-fi … if I possessed any common sense and any self-discipline.
Ha. And if I were a billionaire I could own a yacht.
/giphy "welcome apocalypse"
In mostly plain language for non-tech-speakers:
https://www.cnet.com/how-to/krack-affects-everyone-heres-what-to-do-now
Good thing I live in a neighborhood with peeling paint, trash filled backyards (and a few not quite as decaying old, very large victorians with old folks living in them - with some exceptions I think this neighborhood used to be grand and then the huge victorians were broken into apartments, torn down), holes in the siding, next door has part of the roof and back of the house tarp covered… Most of the folks who live around me are too broke to hack my wifi. I’d be more concerned that they’d steal my router.
Companies are rushing to patch their devices, we’d be overloaded with patch updates sooner or later. Hey, what about my smart refrigerator? Who’ll patch that!? I have installed VPN on my router and keeping in on 24 hours because I am lazy to even patch update. Here it says I’m a sketchy spammer and it’s making me Krack.
@nickx95 We should trust you why? Does @tHumperchick trust you?
@nickx95 In this case VPN on your router doesn’t do you any good, sorry to say.
The vulnerability is specifically affecting your wireless traffic between the router and your computer, so encryption that only starts and ends at the router won’t really help.
@candreasen Sketchy website the one day member posted as well.
This is link spam. I know you’ve already been tagged but cc @thumperchick
At least it tried to be topical and is not a necropost, but it’s just abusing the forums for seo results and a few potential clicks.
@therealjrn Not even a little bit.
I live in kentucky where it is known as Wi-What?..not worried…