shmu26

Level 85
Verified
Trusted
Content Creator
This issue does not change anything for security-conscious users.
You don't transmit sensitive data over a simple HTTP connection, and you are always cautious with a file that you downloaded over a simple HTTP connection.
It's the people who don't worry about security who really have something to worry about.
 

Slyguy

Level 43
This is every bit a storm. Fortinet has all of their engineers working on firmware, IPS and examining mitigation methods. My Cisco engineer buddies tell me they are going through the same thing. This is pretty huge.
Sly, I don't mean to argue, just that reading through the links of the thread I posted (hence my "storm in a teacup" comment), it seems that Windows already fixed that. Updating related software should fix that.
That the hackers need to be in range of a compromised or not-updated Wi-Fi or router, what are the chances of that for a Joe Bloke to be so unlucky? @shmu26's post #25 makes good sense. Average, uninformed or careless users are most at risk.
 

Slyguy

Level 43
Quick and dirty countermeasure, I guess:

Install a local VPN client from a local VPN server, such as Fortigate VPN. Put the wireless on its own VLAN, then have local clients connect on the device to the VPN, which will connect on its own VLAN. Thus offering local WiFi connectivity but putting local clients through an encrypted VPN. Devices won't be visible as they will be on an internal, local VPN. :)
 

LASER_oneXM

Level 36
Verified

Slyguy

Level 43
Good job to M$!

Android, lol, especially given various manufacturers. If you want to do anything secure, iOS is the way to go.
Nice try, but iOS and Macs, including Apple's crap routers, are all vulnerable to this. That much has been CONFIRMED BY APPLE.

'iOS is the way to go' said nobody. Ever. Let's not even go to places where Apple fails, such as user configurability, flexibility, privacy and customization.

Wi-Fi WPA2 security cracked: Android & Linux most vulnerable, but iOS and macOS too [U]
 

Slyguy

Level 43
The problem will be if in the meantime a toolkit is developed. Some people using custom firmware have already fixed that vulnerability, but a potential escalation will be measured by the full/partial coverage of manufacturers' time fixing it and the development of a toolkit for kiddies.
We'll have the full Fortinet product line covered with firmware releases in the next 48 hours or so. Also we will have some tricks in use for WIDS/RAP and IPS to help mitigate risk on impacted devices and IoT gear.

I feel bad for people with a lot of IoT in their homes.. Nothing like rushing into the frontier of IoT without understanding the potential for something catastrophic like this. Good luck getting those Chinese Vendors to issue patches for $19 Smart switches and $9 lightbulbs..
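The post above mentions WIDS tricks for unpatched clients. As an added example (not code from the thread, from Fortinet or from any WIDS product), here is a simplified sensor-side heuristic: it consumes constructed 4-way-handshake event records of the kind a sensor could emit after decoding EAPOL-Key frames and flags any handshake in which the access point's message 3 shows up again after the client's message 4 was already observed. The field names, and the assumption that the sensor tags messages 2 and 4 with the ANonce of the handshake they answer so that all four messages share one `anonce` value, are mine, not the page's.

```python
"""WIDS-style heuristic: flag handshake message 3 re-sent after message 4.

Added example; field names and the constructed sample capture are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HandshakeEvent:
    t: float        # seconds since start of capture
    ap: str         # BSSID of the access point side of the handshake
    client: str     # station MAC
    msg: int        # 1..4: position in the 4-way handshake
    anonce: str     # handshake identifier (ANonce prefix); constructed


def find_suspicious_retransmissions(events):
    """Return one finding per message 3 seen after the same handshake's message 4.

    A message 3 repeated *before* message 4 is ordinary loss recovery and is not
    reported. A repeat *after* the sensor already saw message 4 is the condition
    a patched client refuses to act on, so it is worth an alert on the sensor
    side; it can still be a false positive when only the AP missed the client's
    reply, so the delay is included to help triage. Each finding is
    (ap, client, anonce, seconds_after_msg4), in capture order.
    """
    first_msg4 = {}   # (ap, client, anonce) -> time of first message 4
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        key = (ev.ap, ev.client, ev.anonce)
        if ev.msg == 4:
            first_msg4.setdefault(key, ev.t)
        elif ev.msg == 3 and key in first_msg4:
            findings.append((ev.ap, ev.client, ev.anonce,
                             round(ev.t - first_msg4[key], 3)))
    return findings


def count_by_client(findings):
    """Alerts per client MAC: a quick 'which stations are affected' view."""
    return dict(Counter(f[1] for f in findings))


# Constructed sample capture (not real traffic); locally administered MACs.
AP = "02:00:00:00:00:01"
SAMPLE_EVENTS = [
    # clean handshake with client ...10
    HandshakeEvent(0.00, AP, "02:00:00:00:00:10", 1, "1a2b"),
    HandshakeEvent(0.01, AP, "02:00:00:00:00:10", 2, "1a2b"),
    HandshakeEvent(0.02, AP, "02:00:00:00:00:10", 3, "1a2b"),
    HandshakeEvent(0.03, AP, "02:00:00:00:00:10", 4, "1a2b"),
    # client ...11: message 4 lost once, AP repeats message 3 before the
    # reply arrives -> benign, not reported
    HandshakeEvent(0.10, AP, "02:00:00:00:00:11", 1, "3c4d"),
    HandshakeEvent(0.11, AP, "02:00:00:00:00:11", 2, "3c4d"),
    HandshakeEvent(0.12, AP, "02:00:00:00:00:11", 3, "3c4d"),
    HandshakeEvent(0.25, AP, "02:00:00:00:00:11", 3, "3c4d"),
    HandshakeEvent(0.26, AP, "02:00:00:00:00:11", 4, "3c4d"),
    # client ...12: message 3 repeated well after message 4 -> alert
    HandshakeEvent(1.00, AP, "02:00:00:00:00:12", 1, "5e6f"),
    HandshakeEvent(1.01, AP, "02:00:00:00:00:12", 2, "5e6f"),
    HandshakeEvent(1.02, AP, "02:00:00:00:00:12", 3, "5e6f"),
    HandshakeEvent(1.03, AP, "02:00:00:00:00:12", 4, "5e6f"),
    HandshakeEvent(2.50, AP, "02:00:00:00:00:12", 3, "5e6f"),
]


if __name__ == "__main__":
    hits = find_suspicious_retransmissions(SAMPLE_EVENTS)
    for ap, client, anonce, delay in hits:
        print(f"ALERT ap={ap} client={client} handshake={anonce} "
              f"msg3 repeated {delay}s after msg4")
    print("alerts per client:", count_by_client(hits))
```

Run against the constructed capture it reports only the third client. A real sensor would feed it decoded frames from a monitor-mode interface; the point of the heuristic is that the benign retransmission (client `...11`) is not alerted on, while the late repeat (client `...12`) is.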
 

przemo_one

Level 3
From what I understand, the attack comes via an unprotected client. The only way to be safe is to use a patched wpa_supplicant. In other words, if you use only fixed clients there's no need to patch the router.

New devices will most likely get the patch. High-end devices, for that matter, definitely. As for old and low-end ones, most of them will not. The only way to be protected is to use 3rd-party ports, but they might suffer from other vulnerabilities or even pre-installed malicious software.
 

Entreri

Level 7
Nice try, but iOS and Macs, including Apple's crap routers, are all vulnerable to this. That much has been CONFIRMED BY APPLE.

'iOS is the way to go' said nobody. Ever. Let's not even go to places where Apple fails, such as user configurability, flexibility, privacy and customization.

Wi-Fi WPA2 security cracked: Android & Linux most vulnerable, but iOS and macOS too [U]
I was talking in general, and iOS is indeed more secure. A couple of reasons for this: iOS gets updated for 5 years for product X, and the Apple Store has so much less malware than the Android Store. Apple zero-days are going for millions.
 

Slyguy

Level 43
I was talking in general, and iOS is indeed more secure. A couple of reasons for this: iOS gets updated for 5 years for product X, and the Apple Store has so much less malware than the Android Store. Apple zero-days are going for millions.
Apple's strength is also its weakness. For example, creating a development environment where a product released in 2010 must be fully compatible and use the same OS as a product released in 2018 is ridiculous from a development standpoint and only results in stagnation. I will agree Apple's repositories are safer than Google's, though, but on the flip side, you can put a real AV on Android and pretty much offset that risk.
 

Slyguy

Level 43
From what I understand, the attack comes via an unprotected client. The only way to be safe is to use a patched wpa_supplicant. In other words, if you use only fixed clients there's no need to patch the router.

New devices will most likely get the patch. High-end devices, for that matter, definitely. As for old and low-end ones, most of them will not. The only way to be protected is to use 3rd-party ports, but they might suffer from other vulnerabilities or even pre-installed malicious software.
Obviously hardwired/ethernet devices aren't an issue unless those devices can swap to wireless, in which case, disable their WiFi cards if you exclusively leave them plugged in - then you are fine. UTM/NGFW solutions and wireless controller applications are being patched over the next 48 hours or so. IPS/IDS, WIPS/WIDS signatures are being developed for these to help mitigate risk on clients that are unpatched. I've reached out to camera firms like D-Link and TriVision and I am told they are all rushing out firmware patches to address this.

A very real worry will be cheap Chinese technology firm stuff. Those $9 smart bulbs everyone warned people not to buy. They'll never get patched. I know a guy with like 300 smart devices and IoT in his home; he's toast. He also lives in a busy area, which will likely increase his potential exposure to this. War-driving might become a big thing again.

Another worry (and it's a big worry) are legacy or older cycle products, not just EOL. The EOL stuff has to be thrown out. Fortinet - interestingly - is updating a discontinued firmware line to address this, which will effectively patch devices going back a decade! 5.2.11 was the last in the 5.2 line, but they are now releasing 5.2.12 - surprisingly!

Since this issue also comes with new WiFi standards, all new devices SHOULD in theory, have this addressed. But I would wait a year before buying anything unless you can be sure to manually patch it yourself.

Tip: If you have to wait more than a couple of weeks for a patch, you may want to remove the impacted device/s from your network. Possibly sell them on the used market or, if possible, return them. Any cheap Chinese IoT will never be patched, so just donate/sell/toss those, UNLESS you can assume the risk of them AND you verify they only use 443 channels of communication.
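The tip above ends with "verify they only use 443 channels of communication". One way to actually check that, as an added example (my code, not from the poster or from any vendor), is to audit egress flow records from the firewall or router for the IoT VLAN and list, per device, every external destination port that is not TCP/443. The log line format, the subnet, the allowed-port set and the sample records are all constructed assumptions; adapt the regex to whatever your firewall exports.

```python
"""Audit IoT egress flows: which devices talk to the Internet on ports other than 443?

Added example. Flow line format, IoT subnet and sample data are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed key=value flow format, e.g. from a firewall or netflow exporter.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")

# Ranges treated as "inside the house": flows to these are not egress.
LOCAL_NETS = tuple(ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def parse_flow(line):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:          # malformed address: skip rather than crash
        return None


def audit_iot_egress(lines, iot_subnet, allowed=frozenset({("tcp", 443)})):
    """Map every IoT device seen talking outbound to the sorted list of
    (proto, dport) pairs it used that are NOT in `allowed`.

    An empty list means the device only used allowed ports (TCP/443 by
    default, matching the tip). Flows whose destination is another local
    address are ignored: the question is what leaves the network.
    """
    net = ipaddress.ip_network(iot_subnet)
    unexpected = defaultdict(set)
    seen = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if src not in net or any(dst in local for local in LOCAL_NETS):
            continue
        seen.add(str(src))
        if (proto, dport) not in allowed:
            unexpected[str(src)].add((proto, dport))
    return {dev: sorted(unexpected.get(dev, ())) for dev in sorted(seen)}


# Constructed sample flow log (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    "2017-10-17T10:00:01 src=192.168.50.10 dst=203.0.113.5 proto=tcp dport=443 bytes=1200",
    "2017-10-17T10:00:02 src=192.168.50.10 dst=192.168.50.1 proto=udp dport=53 bytes=80",
    "2017-10-17T10:00:03 src=192.168.50.11 dst=203.0.113.9 proto=tcp dport=80 bytes=640",
    "2017-10-17T10:00:04 src=192.168.50.11 dst=203.0.113.9 proto=tcp dport=443 bytes=2100",
    "2017-10-17T10:00:05 src=192.168.50.11 dst=198.51.100.7 proto=udp dport=1900 bytes=300",
    "2017-10-17T10:00:06 src=192.168.50.12 dst=198.51.100.20 proto=tcp dport=8883 bytes=900",
    "2017-10-17T10:00:07 src=192.168.1.20 dst=203.0.113.5 proto=tcp dport=80 bytes=500",
    "this line is not a flow record",
]


if __name__ == "__main__":
    report = audit_iot_egress(SAMPLE_FLOWS, "192.168.50.0/24")
    for device, ports in report.items():
        status = "ok (443 only)" if not ports else "UNEXPECTED " + ", ".join(
            f"{p}/{d}" for p, d in ports)
        print(f"{device}: {status}")
```

On the constructed data, `.10` is clean, `.11` is flagged for plain HTTP and SSDP, and `.12` is flagged for TCP/8883 (which may well be TLS; pass a wider `allowed` set if that is acceptable to you). A device with any flagged port is one the tip says not to keep around unpatched.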
 