WiFi security flaw puts everyone's everything at risk

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,306
Harrisburg, Pa.
This not only is bad for your tablet and cell, but really bad for your smart bulbs, smart locks, garage door opener, etc.

Yikes. There are experts here on this type of stuff, hopefully they can convince us not to move to a cave.

Researchers have discovered a key flaw in the WPA2 WiFi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. The flaws, dubbed "Key Reinstallation Attacks," or "Krack Attacks," are in the WiFi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be "particularly devastating," according to KU Leuven University's Mathy Vanhoef and Frank Piessens, who found the flaw.

Here's how it works. Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the WiFi channel. This new, fake network acts as a "man in the middle," so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one.

Normally, WPA2 encryption requires a unique key to encrypt each block of plain text. However, the hack described in the Krack Attack paper forces certain implementations of WPA2 to reuse the same key combination multiple times.
https://www.engadget.com/2017/10/16/wifi-vulnerability-krack-attack/
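Added example (not part of the original thread or the linked article): a toy model of the key reuse described in the quoted text, showing why encrypting two frames under the same key and packet counter exposes the data. The SHAKE-256 keystream is a stand-in for WPA2's real cipher, and `Client`, `observed_plaintext`, the key and both messages are constructed for illustration.

```python
import hashlib

KEY = b"constructed-session-key"          # constructed sample value
KNOWN = b"predictable protocol header"    # frame content an observer can guess
SECRET = b"password=constructed-secret"   # frame content that should stay private

def keystream(key: bytes, counter: int, length: int) -> bytes:
    # Toy per-packet keystream (assumption: SHAKE-256 instead of WPA2's AES-based cipher).
    return hashlib.shake_256(key + counter.to_bytes(6, "big")).digest(length)

def xor(*chunks: bytes) -> bytes:
    out = bytearray(min(len(c) for c in chunks))
    for chunk in chunks:
        for i in range(len(out)):
            out[i] ^= chunk[i]
    return bytes(out)

class Client:
    def __init__(self, key: bytes, reinstall_resets_counter: bool):
        self.key = key
        self.counter = 0
        self.reinstall_resets_counter = reinstall_resets_counter

    def install_key(self) -> None:
        # Flawed behaviour: installing the same key again rewinds the packet counter.
        # Patched behaviour: the counter keeps going, so no keystream repeats.
        if self.reinstall_resets_counter:
            self.counter = 0

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1
        return xor(plaintext, keystream(self.key, self.counter, len(plaintext)))

def observed_plaintext(reinstall_resets_counter: bool) -> bytes:
    client = Client(KEY, reinstall_resets_counter)
    c1 = client.send(KNOWN)
    client.install_key()          # the same key is installed a second time
    c2 = client.send(SECRET)
    # With a repeated keystream, c1 XOR c2 equals KNOWN XOR SECRET, so the key
    # is never needed: knowing one frame reveals the other.
    return xor(c1, c2, KNOWN)

if __name__ == "__main__":
    print("flawed client :", observed_plaintext(True))
    print("patched client:", observed_plaintext(False))
```

The flawed client leaks the second frame in full, while the patched client yields only noise, which is why the fix is a client-side update that refuses to rewind the counter.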
 

j44thor

Member
SoSH Member
Aug 1, 2006
10,934
I wouldn't disconnect all your devices just yet. While theoretically this is bad, it is a local only vuln meaning someone has to actually be within your wifi range and is a rather complex hack without a known exploit yet.

It is important that you keep your router firmware upgraded but for 99.9% of the population this is a non-issue.
 

smastroyin

simpering whimperer
Lifetime Member
SoSH Member
Jul 31, 2002
20,684
I'm not an expert but:

- This is essentially a Man in the Middle attack. It doesn't expose your actual router, and they can't send instructions to your wifi network (at least if you are using WPA2.) So I'm not sure you really have to worry about connected devices because of this specific hack (i.e. someone executing this hack can't open your garage door).

- The patch seems easy enough and I can't imagine the major router brands and major phone/tablet brands aren't going to have a security update relatively quickly. The patch only has to work in one direction to close the vulnerability.

- The vulnerability is specific to the handshake. The hacker can't peer around your network looking for other things. i.e. unless you log in to your banking app on your phone while the hack is active, you don't have to worry about your banking info being compromised.

For safety until there are patches, I would probably stop using apps for banking or credit cards and only use browser based https: websites. Or, switch to all mobile data and turn off your wifi. Connect an ethernet cable for a couple of days to use your computer.
 

slamminsammya

Member
SoSH Member
Jul 31, 2006
9,081
San Francisco
> For safety until there are patches, I would probably stop using apps for banking or credit cards and only use browser based https: websites. Or, switch to all mobile data and turn off your wifi. Connect an ethernet cable for a couple of days to use your computer.

The discoverer of the attack notes that an alarmingly high proportion of websites with https do not have it configured correctly and can be easily stripped of that protocol. He has a little YouTube video of him doing the attack on match.com, for example.
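Added example (not part of the original thread): a check a site owner can run on their own response headers to see whether browsers are told to refuse a downgrade from https. It assumes the misconfiguration referred to above is a missing or weak `Strict-Transport-Security` (HSTS) header; the 180-day threshold and the sample headers are constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # 180 days, an assumed minimum; pick your own policy value

def parse_hsts(value: str) -> dict:
    """Split an HSTS header into lower-cased directives (names are case-insensitive)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def stripping_findings(headers: dict) -> list:
    """Return a list of weaknesses; an empty list means the policy looks sound."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no HSTS header: a first plain-http request can be kept on http"]
    directives = parse_hsts(value)
    findings = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = None
    if max_age is None:
        findings.append("max-age missing or not a number: browsers ignore the header")
    elif max_age <= 0:
        findings.append("max-age=0: tells browsers to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is short: policy expires between visits")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains can still be served over http")
    return findings

# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "missing": {"Content-Type": "text/html"},
    "weak": {"strict-transport-security": "max-age=300"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, stripping_findings(headers) or "ok")
```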
 

smastroyin

simpering whimperer
Lifetime Member
SoSH Member
Jul 31, 2002
20,684
Yep, nothing is guaranteed protected (although I have read other articles that suggest most https sites are fine), but I think the browser based is going to be a little safer than app. I could be wrong, I know nothing really about the security built into apps.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
If you aren't using HTTPS, you have a problem.

If you are, there are theoretical but generally difficult attacks.
 

Red Sox Physicist

Well-Known Member
Gold Supporter
SoSH Member
Jul 15, 2005
296
Natick, MA
> I wouldn't disconnect all your devices just yet. While theoretically this is bad, it is a local only vuln meaning someone has to actually be within your wifi range and is a rather complex hack without a known exploit yet.
>
> It is important that you keep your router firmware upgraded but for 99.9% of the population this is a non-issue.

This particular issue is mostly a client issue. You have to upgrade all of the clients, not just the router. That's part of what makes this one bad. There are a lot of abandoned IoT devices out there that won't see an update.
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,306
Harrisburg, Pa.
> This particular issue is mostly a client issue. You have to upgrade all of the clients, not just the router. That's part of what makes this one bad. There are a lot of abandoned IoT devices out there that won't see an update.

But those aren’t transferring sensitive data so mostly who cares? Door locks and garage doors are a problem, but not really light bulbs, refrigerators, etc., I’d think.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,842
Alexandria, VA
> You mean like this site? According to Chrome, this site is not using HTTPS.

Yeah, we tried to move to all https months ago but there are some mixed content warnings we need to resolve to make it work. There's not much excuse for a modern site not using https, but when you're all volunteer it's a matter of finding the time to do it.
 

charlieoscar

Member
Sep 28, 2014
1,339
> Yeah, we tried to move to all https months ago but...

Yeah, I had some recollection of that and said, "oh, good," to myself and didn't pay it any more attention until today.

I'm a bit concerned with the news that came out as I live in a large apartment building and have wireless for the spouse's desktop and laptop. My desktop is connected directly but we both have to use wireless to get updates for our cellphones. Things I've been reading on the web are telling me to update my router. Hello Comcast.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,437
Canton, MA
> Yeah, I had some recollection of that and said, "oh, good," to myself and didn't pay it any more attention until today.
>
> I'm a bit concerned with the news that came out as I live in a large apartment building and have wireless for the spouse's desktop and laptop. My desktop is connected directly but we both have to use wireless to get updates for our cellphones. Things I've been reading on the web are telling me to update my router. Hello Comcast.

Don't use the Comcast wireless router, it's terrible. Get your own and save $8 a month and then you don't have to worry about them updating it.
 

The_Powa_of_Seiji_Ozawa

Member
SoSH Member
Sep 9, 2006
7,851
SS Botany Bay
> Don't use the Comcast wireless router, it's terrible. Get your own and save $8 a month and then you don't have to worry about them updating it.

Plus if you use a Comcast wireless router they, by default, turn you into a mule for providing general Wi-Fi service to other subscribers in range (not affecting your own personal bandwidth, but your router would act as a hub for others).
 

charlieoscar

Member
Sep 28, 2014
1,339
> Shouldn't be an issue. No need to use the Comcast router.

It's not quite that simple, I don't think. A quick web search turned up a few compatible routers, all made by the same company that makes the one Comcast supplies. One I looked at, which supposedly meets Comcast's approval, doesn't include a wi-fi router so I would need to get a second router and split the incoming signal. And at $8 per month it would take three years to pay off. There may be better options but they didn't turn up quickly.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,842
Alexandria, VA
> It's not quite that simple, I don't think. A quick web search turned up a few compatible routers, all made by the same company that makes the one Comcast supplies. One I looked at, which supposedly meets Comcast's approval, doesn't include a wi-fi router so I would need to get a second router and split the incoming signal. And at $8 per month it would take three years to pay off. There may be better options but they didn't turn up quickly.

Any wireless router will work (I'm using an obscure ddwrt-compatible router just fine), just wire it to the cable modem via Ethernet.