KRACK! Wifi's go-to security, WPA2, is fatally flawed, and will probably never be patched in many places

Originally published at: https://boingboing.net/2017/10/16/eschaton-immanentized.html

3 Likes

Well I guess I have an excuse to buy a new router now…

ETA or just find an old one that works with tomato and try that out for funs.

4 Likes

4 Likes

This is more of a problem for Wi-Fi at your workplace or at the coffee shop (assuming it’s even secured in the first place, which it rarely is) than at home, unless you live in a dense area or don’t trust that sullen kid next door that never leaves the house.

I haven’t read the Ars article yet. Is this something that can be corrected with patches or is it inherent to the design of WPA2? Is there something waiting in the wings after WPA2? I’ve never heard of anything myself.

I’ve been using a VPN on my phone now for 6 months or so, set to automatically enable whenever I connect to Wi-Fi (thanks, Tasker!). I’ve been pretty satisfied with it. Only thing that hasn’t worked is online banking (they actively block VPNs) but that’s not a huge problem. I can just disconnect from Wi-Fi and use the (presumably) more secure path through my cell data network.

Edit: After reading the Ars article it does sound like this is indeed fixable with patches but as already pointed out that won’t happen in the vast majority of access points.

3 Likes

Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

1 Like
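To make the quoted FAQ's point concrete, here is an added toy model (not from the thread or from the KRACK researchers) of the client-side key installation step of the 4-way handshake. In WPA2 the per-frame nonce comes from a packet counter that is reset to zero whenever the pairwise key is installed, so a client that installs the same key twice repeats nonces; the patched branch simply refuses the second installation, which is why the fix needs no protocol change. Class and variable names are constructed for illustration.

```python
# Added example, not from the thread or from the KRACK researchers: a toy model of
# the client-side key installation step of the WPA2 4-way handshake, showing why the
# quoted FAQ's "a key is only installed once" is the whole fix. In WPA2 the per-frame
# nonce is derived from a packet counter that resets to zero on key installation, so
# reinstalling the same key repeats nonces (and keystream). All names are constructed.
from typing import Optional


class Supplicant:
    def __init__(self, patched: bool):
        self.patched = patched
        self.installed_key: Optional[bytes] = None
        self.packet_number = 0          # nonce counter under the installed key
        self.used_nonces: list = []     # (key, nonce) pairs used for sent frames

    def on_handshake_msg3(self, ptk: bytes) -> None:
        # Message 3 of the handshake carries the "install this key" instruction;
        # the AP retransmits it if it does not receive message 4 in time.
        if self.patched and self.installed_key == ptk:
            return  # patched: already installed, do not reset the counter
        self.installed_key = ptk
        self.packet_number = 0  # unpatched: reinstall resets the nonce counter

    def send_frame(self) -> tuple:
        # Encrypt one frame: consumes the next nonce under the current key.
        assert self.installed_key is not None, "no key installed yet"
        nonce = (self.installed_key, self.packet_number)
        self.packet_number += 1
        self.used_nonces.append(nonce)
        return nonce

    def nonce_reuse_count(self) -> int:
        # How many (key, nonce) pairs were used more than once.
        return len(self.used_nonces) - len(set(self.used_nonces))


def simulate(patched: bool, retransmit_msg3: bool = True) -> int:
    # Handshake, send three frames, optionally receive a duplicated message 3
    # (e.g. after a lost message 4), send three more; report reused nonces.
    client = Supplicant(patched)
    ptk = b"constructed-pairwise-key"
    client.on_handshake_msg3(ptk)
    for _ in range(3):
        client.send_frame()
    if retransmit_msg3:
        client.on_handshake_msg3(ptk)  # same key arriving a second time
    for _ in range(3):
        client.send_frame()
    return client.nonce_reuse_count()
```

`simulate(False)` reports three reused nonces, `simulate(True)` none, which is the difference between a vulnerable and a patched supplicant talking to the very same access point.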

In this case, though, this is not a problem with the access points as such but with the client. This affects Android and Linux more than other systems, and we all know how Android patching is the best, right?

Access points in mesh or repeater mode, or those using BSS FT can be vulnerable but that’s mostly corporate systems, not home APs.

Shit. This is scary. I guess I need to start using TunnelBear for everything now.

For those of you who’re maybe a little tech-savvy and thinking about buying a new router, take a look at the Turris Omnia.
It’s a small open hardware device running an OS based on OpenWrt/Linux. (It’s THE router for nerds.) I’m using one myself and I’m liking it, a lot. The thing is fast and powerful enough to double as my OpenVPN, NAS and DLNA server and Bittorrent client. Many software packages can be installed in an advanced admin UI.

https://omnia.turris.cz/en/

One of its features is automatic software updates. The devs just announced that a fix for the Krack vulnerability is in testing.

It’s $269.00 on Amazon.

6 Likes

In testing? Mikrotik and Microsoft updated to protect against this vulnerability last week. Ubiquiti has firmware updates today.

Also, putting all your eggs in one basket wrt NAS+backup destination+wifi is very early 2000s… it’s a really shitty feeling when your wifi dies and you can’t access your backups (hello Time Capsule), let alone all your files. Devices divided by function, please.

2 Likes

It seems like the LEDE project was not notified about the issue whereas Mikrotik was. LEDE provides open source WiFi firmware for OpenWrt.

Re: Devices divided by function/early 2000s.

I don’t agree. The Turris Omnia is basically a small Linux server machine with a user-friendly GUI. But if you’re willing to get your hands dirty it can do many things reliably because it does them as proven open source software services. My “NAS” for example is a simple Samba server running on the Turris Omnia, accessing an external USB 3 drive. (With an additional drive RAID is available, because Linux.) Backup is handled separately. Iptables is used to configure the Linux firewall. The WiFi access point and router functionality is yet more software.

Many geeks build a machine like that themselves. But this one comes pre-integrated with crowdsourced, curated software.

You can use the Turris Omnia as a simple router without installing any additional packages if you prefer. Or as a cam server or whatever you want. I’m very happy about the fact that I finally have an efficient, reliable, small form factor basket which is relatively cheap and can handle many eggs safely.

1 Like

What depresses me a bit about the prospects for improvement through software is this diagram from the other Arstechnica article:

Not only is “MediaTek”, of shoddy SoC fame, apparently compelled to roll their own shoddy WPA supplicant; ever since they bought Ralink those guys are everywhere. Probably a lovely band of hardware too new to have open driver implementations, too old to have vendor support. Blessed be the glories of embedded hardware…

2 Likes

For some reason I’m picturing Gary Glitter with a fondness for ciphers.

1 Like

I think that’s ‘ponce’, but it’s an understandable mistake.

For the oldstable distribution (jessie), these problems have been fixed in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in version 2:2.4-1.1.

We recommend that you upgrade your wpa packages.

http://debian.org/security/2017/dsa-3999

2 Likes
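A practical way to act on the advisory quoted above is to compare the installed wpa package version against the fixed version for your suite. The following is an added example (not from the thread or from Debian) with a small re-implementation of dpkg's version ordering, so it runs anywhere; on a Debian host `dpkg --compare-versions` does the same comparison natively. The version strings are the ones from DSA-3999; the function names are constructed.

```python
# Added example, not from the thread or from Debian: compare an installed wpa
# package version against the DSA-3999 fixed versions quoted above, with a small
# re-implementation of dpkg's version ordering (epoch, upstream, debian revision).
import re
from itertools import zip_longest

FIXED_WPA = {"jessie": "2.3-1+deb8u5", "stretch": "2:2.4-1+deb9u1",
             "buster": "2:2.4-1.1", "sid": "2:2.4-1.1"}

def _order(c):
    # dpkg character weight: '~' sorts before everything, even end of string (0),
    # letters by code point, other symbols after all letters
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _fragment_cmp(a, b):
    # dpkg compares alternating runs: non-digit run by _order, digit run numerically;
    # a missing run counts as "" / 0, so "1a" == "1a0" and "1.0" > "1.0~rc1"
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        ka = tuple(_order(c) for c in na) + (0,)
        kb = tuple(_order(c) for c in nb) + (0,)
        if ka != kb:
            return -1 if ka < kb else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to ""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):
    # -1, 0 or 1 following `dpkg --compare-versions` ordering
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)

def wpa_is_fixed(suite, installed):
    # The epoch matters: "2.4-1" (no epoch) is OLDER than "2:2.4-1+deb9u1".
    return compare_versions(installed, FIXED_WPA[suite]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' wpasupplicant` and the suite name; note the epoch pitfall, where a version that reads newer ("2.4-1") is in fact older than the stretch fix because it lacks the "2:" epoch.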

They only mention Android 6, what about Android 4? Since phones and tablets are awful about updates, I’d guess that many many more people are on older versions than whatever the latest and greatest is. (Never mind smart TVs or IOTs or whatever.)

This.
Also:

I keep wondering about that. Google doesn’t fix anything below 4.4, am I right? However, the fixes should be downward compatible, or am I wrong? Would there be any chance for older smartphones to get this patched? Or are we fucked?

Unless the fix requires violating the compatibility test suite in some way (which I can’t rule out; but which seems unlikely because all reports indicate that fixing WPA2 implementations doesn’t require making them incompatible, even with currently unfixed ones), I don’t think that it would matter that Google doesn’t officially care about the older versions in question.

However, it’s less clear that the fix as issued for current devices is just going to be a drop-in for older ones running older kernels. 3rd party ROMs will (with, perhaps, the exception of the ghastly ‘MediaTek’ case) presumably be able to grab a patched WPA supplicant from a real Linux of appropriate vintage; but just hoping that the one from Android 7 works for 4.3 might not be happening.

Of course, the real winner is going to be all the handsets that never receive vendor attention ever again; for which it barely matters how simple the fix might be; because why try harder when the customer can just buy a new one and re-up that two year contract?