WPA2 Going the Way of WEP After Wi-Fi Researchers Find Critical Flaw

[ForgottenSeer 58943]

Fortinet is on it. Impending firmware updates for the entire product line.

In addition, mitigation technologies implemented into the IPS structure to reduce (eliminate?) the impact.

Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2

 

[codswollip]

Here, hold my beer while I unplug my rou....

 

[VecchioScarpone]

This one is a real worry for us all, is there anything to be done to protect against this.

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
There are several more related links on that thread.
Storm in a tea cup? Perhaps...

 

[Marko :)]

Microsoft said that they fixed WPA2 vulnerability with update. Android will be patched within weeks.

Microsoft has already fixed the Wi-Fi attack vulnerability

 

[shmu26]

This issue does not change anything for security-conscious users.
You don't transmit sensitive data over a simple HTTP connection, and you always are cautious with a file that you downloaded over a simple HTTP connection.
It's the people who don't worry about security who really have something to worry about.

 

[ForgottenSeer 58943]

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
There are several more related links on that thread.
Storm in a tea cup? Perhaps...

This is every bit a storm. Fortinet has all of their engineers working on firmware, IPS and examining mitigation methods. My Cisco engineer buddies tell me they are going through the same thing. This is pretty huge.

 

[VecchioScarpone]

This is every bit a storm. Fortinet has all of their engineers working on firmware, IPS and examining mitigation methods. My Cisco engineer buddies tell me they are going through the same thing. This is pretty huge.

Sly I don't mean to argue, just that reading through the links of the thread I posted (hence my storm in a tea cup comment), it seems that windows already fixed that. Updating related software should fix that.
That the hackers need to be on range of a compromised or not updated wi-fi or router, what are the chances of that for a Joe Bloke to be so unlucky? @shmu26 post #25 make good sense. Average, uninformed or careless users are most at risk.

 

[ForgottenSeer 58943]

Quick and dirty countermeasure I guess;

Install a local VPN client from a local VPN server, such as Fortigate VPN. Put the wireless on it's own VLAN, then have local clients connect on the device to the VPN which will connect on it's own VLAN. Thus offering local WiFi connectivity but putting local clients through an encrypted VPN. Devices won't be visible as they will be on an internal, local VPN.

 

[lowdetection]

The problem will be if in the meantime a toolkit is developed, some people using custom firmware already fixed that vulnerability, but a potential excalation will be measured by the full/partial coverage of manufacters time fixing and developing of toolkit for kiddies.

 

[frogboy]

More from Bleeping Computer. Microsoft Quietly Patched the Krack WPA2 Vulnerability Last Week

 

[Entreri]

Good job to M$!

Android, lol, especially given various manufacturers. If you want to do anything secure, iOS is the way to go.

 

[LASER_oneXM]

....i found another article on the net about this bug: What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security

....in this article you can also find a list with affected devices:

The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

 

[ForgottenSeer 58943]

Good job to M$!

Android, lol, especially given various manufacturers. If you want to do anything secure, iOS is the way to go.

Nice try, but iOS and Mac's, including Apples crap routers are all vulnerable to this.. That much has been CONFIRMED BY APPLE.

'iOS is the way to go' said nobody. Ever. Let's not even go to places where Apple fails, such as user configurability, flexibility, privacy and customization..

Wi-Fi WPA2 security cracked: Android & Linux most vulnerable, but iOS and macOS too [U]

 

[ForgottenSeer 58943]

The problem will be if in the meantime a toolkit is developed, some people using custom firmware already fixed that vulnerability, but a potential excalation will be measured by the full/partial coverage of manufacters time fixing and developing of toolkit for kiddies.

We'll have the full Fortinet product line covered with firmware releases in the next 48 hours or so. Also we will have some tricks in use for WIDS/RAP and IPS to help mitigate risk on impacted devices and IoT gear.

I feel bad for people with a lot of IoT in their homes.. Nothing like rushing into the frontier of IoT without understanding the potential for something catastrophic like this. Good luck getting those Chinese Vendors to issue patches for $19 Smart switches and $9 lightbulbs..

 

[lowdetection]

I will fix two Android devices running LineageOS 7.1.2 today.
For the router I expect a fix on next release.
I will destroy every device that is not fixed within a week.

 

[przemo_one]

From what I understand attack comes by unprotected client. The only way to be safe is to use patched wpa_supplicant. In other words if you use only fixed clients there's no need to patch router.

New devices will most likely get the patch. Hi end devices for that matter definitely. As for old and lo end most of them will not. The only way to be protected is to use 3rd party ports but they might suffer from other vulnerabilities or even pre-installed malicious software.

 

[lowdetection]

I already fixed the Bleah Bluetooth vulnerability, today and tomorrow I will try to fix the rest of Android devices that have this vulnerability.

 

[Entreri]

Nice try, but iOS and Mac's, including Apples crap routers are all vulnerable to this.. That much has been CONFIRMED BY APPLE.

'iOS is the way to go' said nobody. Ever. Let's not even go to places where Apple fails, such as user configurability, flexibility, privacy and customization..

Wi-Fi WPA2 security cracked: Android & Linux most vulnerable, but iOS and macOS too [U]

I was talking in general, and iOS is indeed more secure. Couple of reasons for this, iOS gets updated for 5 years for product X and the Apple Store has so much less malware than the Android Store. Apple zero days are going for millions.

 

[ForgottenSeer 58943]

I was talking in general, and iOS is indeed more secure. Couple of reasons for this, iOS gets updated for 5 years for product X and the Apple Store has so much less malware than the Android Store. Apple zero days are going for millions.

Apples strength is also it's weakness. For example creating a development environment where a product released in 2010 must be fully compatible and use the same OS as a product released in 2018 is ridiculous from a development standpoint and only results in stagnation. I will agree Apple's Repositories are safer than Googles though, but on the flipside, you can put a real AV on Android and pretty much offset that risk.

 

[ForgottenSeer 58943]

From what I understand attack comes by unprotected client. The only way to be safe is to use patched wpa_supplicant. In other words if you use only fixed clients there's no need to patch router.

New devices will most likely get the patch. Hi end devices for that matter definitely. As for old and lo end most of them will not. The only way to be protected is to use 3rd party ports but they might suffer from other vulnerabilities or even pre-installed malicious software.

Obviously hardwired/ethernet devices aren't an issue unless those devices can swap to wireless, in which case, disable their WiFi cards if you exclusively leave them plugged in - then you are fine. UTM/NGFW solutions and wireless controller applications are being patched over the next 48 hours or so. IPS/IDS, WIPS/WIDS signatures are being developed for these to help mitigate risk on clients that are unpatched. I've reached out to camera firms like D-Link and TriVision and I am told they are all rushing out firmware patches to address this.

A very real worry will be cheap Chinese technology firm stuff. Those $9 Smart Bulbs everyone warned people not to buy. They'll never get patched. I know a guy with like 300 smart devices and IoT in his home, he's toast.. He also lives in a busy area which will likely increase his potential exposure to this.. War-Drive might become a big thing again.

Another worry (and it's a big worry) are legacy or older cycle products, not just EOL. The EOL stuff has to be thrown out. Fortinet - interestingly - is updating a discontinued firmware line to address this, which will effectively patch devices going back a decade! 5.2.11 was the last in the 5.2 line, but they are now releasing 5.2.12 - surprisingly!

Since this issue also comes with new WiFi standards, all new devices SHOULD in theory, have this addressed. But I would wait a year before buying anything unless you can be sure to manually patch it yourself.

Tip: If you have to wait more than a couple weeks for a patch you may want to remove the impacted device/s from your network. Possibly sell them on the used market or if possible return them. Any cheap Chinese IoT will never be patched, so just donate/sell/toss those.. UNLESS you can assume the risk of them AND you verify they only use 443 channels of communication..