Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories... I can't figure out if it's the only way to use the exploit or if it's one of the ways.
We have 434 Aerohives spread across 9 facilities and Aerohive has yet to release a patch... sigh.
timmmay:
kyhwana2:
Make sure your wifi encryption mode is set to WPA2-CCMP (ONLY!) as the worst bits of the attack are possible with WPA2-TKIP. With CCMP mode (ONLY) the worst an attacker can do is inject packets into TCP streams. (Unencrypted streams like HTTP etc.)
Are there any downsides to this? My Fritzbox is set to WPA + WPA2, but I could change to WPA2 (CCMP). We have a mix of Android 4, 5, and 6 devices, a few consumer products that use WiFi such as Broadlink WiFi/IR controllers for heat pumps, and visitors that occasionally use WiFi.
Yes, there are downgrade to TKIP attacks that were presented last year and the KRACK attacks against TKIP are worse than CCMP only.
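Following the WPA2-CCMP-only advice above, here is an added Python snippet (written for this page, not posted by anyone in the thread and not specific to Aerohive or Fritzbox gear) that audits a hostapd-style configuration for the two settings under discussion, TKIP still negotiable and 802.11r enabled, with a constructed mixed-mode config beside a constructed CCMP-only one. It assumes hostapd's documented defaults (wpa_pairwise defaults to TKIP, and rsn_pairwise defaults to the wpa_pairwise value), which is why a bare wpa=2 with no rsn_pairwise= line still counts as TKIP-capable.

```python
"""Audit a hostapd-style config for the two settings the thread discusses:
TKIP still accepted (the worse KRACK outcome) and 802.11r enabled.
Added example, not from the thread or from any vendor; the two configs below
are constructed samples. Assumes hostapd's documented defaults: wpa_pairwise
defaults to TKIP, and rsn_pairwise defaults to the wpa_pairwise value."""

# Constructed "before" config: WPA+WPA2 mixed mode, TKIP allowed, 802.11r on.
WEAK_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
ieee80211r=1
mobility_domain=a1b2
"""

# Constructed "after" config: WPA2 only, CCMP only, no fast roaming.
HARDENED_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse key=value lines; ignore blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def enabled_pairwise_ciphers(conf):
    """Ciphers a client can actually negotiate, given wpa= mode and hostapd defaults."""
    mode = int(conf.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    wpa_ciphers = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_ciphers = set(conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split())
    enabled = set()
    if mode & 1:
        enabled |= wpa_ciphers
    if mode & 2:
        enabled |= rsn_ciphers
    return enabled


def audit(conf):
    """Return a list of findings; an empty list means WPA2-only, CCMP-only, no 11r."""
    findings = []
    mode = int(conf.get("wpa", "0"))
    if mode & 1:
        findings.append("WPA (v1) accepted: mixed mode keeps TKIP-capable clients in play")
    if "TKIP" in enabled_pairwise_ciphers(conf):
        findings.append("TKIP pairwise cipher negotiable: worst KRACK impact (forgery, not just replay)")
    if conf.get("ieee80211r") == "1":
        findings.append("802.11r fast roaming enabled: AP-side attack surface; disable until patched")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_hostapd(text)) or ["no findings"])
```

Running the module prints the findings for both samples and "no findings" for the hardened one. The downside timmmay asks about is the first finding in reverse: dropping wpa=3 to wpa=2 and removing TKIP from the cipher list is exactly what excludes old WPA-only or TKIP-only devices, so check the oldest clients on the network before rolling the change out.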
dt:
Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories... I can't figure out if it's the only way to use the exploit or if it's one of the ways.
We have 434 Aerohives spread across 9 facilities and Aerohive has yet to release a patch... sigh.
The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection).
It's not just isolated to 802.11r.
kyhwana2:
dt:
The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.
Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories... I can't figure out if it's the only way to use the exploit or if it's one of the ways.
We have 434 Aerohives spread across 9 facilities and Aerohive has yet to release a patch... sigh.
There are 10 vulnerabilities listed. Essentially 10 different ways to exploit this, and 802.11r is only one of them.
The key advice for home users is your AP/router probably doesn't matter. Focus on patching clients as per FAQ.
What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
kyhwana2:
The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.
Perfect, thanks for the nice simple answer! Just received this from Aerohive as well:
Aerohive Networks:
*Snip*
Aerohive has reviewed the research paper and has several observations.
Aerohive access points and branch routers are not exposed to this EXCEPT when operating as a wifi client to another access point or operating as a mesh point. Aerohive switches do not have integrated wifi and are not affected.
This is NOT a flaw in the WPA2 protocol. It is a flaw in the standards that were too loosely interpreted by the industry as a whole. There is no imminent WPA3 (that we are aware of). Patches to address this are backward compatible.
There are no known exploits for this in the wild at this time that we are aware of.
The targets of the attacks described in the research paper and the web site are all CLIENTs. Per the researcher’s own words “Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).”
*Snip*
As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.
sbiddle:
As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.
But Steve! It's always the router's fault, not the handheld devices!!
#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?
I understand it's preferable to patch client side, but if the above scenario is correct it's heaps easier to first patch the AP and then move on to the 20 client devices.
dt:
If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?
Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"
stinger:
dt:
If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?
Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"
I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.
caminham:
stinger:
dt:
If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?
Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"
I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.
But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.
caminham:
I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.
Agreed, overall this is a Client side issue for the most part.
The way this hit the news seems to be causing a bit of an outcry, however: OMG rsp! What are you doing to protect me!
Providers can get manufacturers to release an update patching 802.11r, they can disable TKIP (at the risk of device compatibility)... but at the end of the day, the end user client device needs updates to resolve this.
#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
Paul1977:
caminham:
stinger:
dt:
If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?
Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"
I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.
But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.
Having read it a few times, and the original quote (it is in the context of a compatibility question), I believe that statement is referring to Client security updates.
https://www.krackattacks.com/#faq
Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available.
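To make the FAQ's "a key is only installed once" sentence concrete, here is an added Python model (written for this page; not the researchers' code and not posted by anyone in the thread) of a client's key and nonce state around message 3 of the 4-way handshake. It assumes a simplified client in which installing a pairwise key resets the packet-number counter that CCMP uses as its nonce, and that a retransmitted message 3 carries the same PTK as the first. It models only the client's own state, nothing on the AP side or on the air, so it does not settle whether an AP-side change can stop repeated message 3s reaching an unpatched client.

```python
"""Model of why 'a key is only installed once' stops the 4-way handshake
attack on the client. Added example: a simplified client state machine,
not the researchers' code. Assumes that installing a pairwise key resets
the per-key packet number (PN) that CCMP uses as its nonce, and that a
retransmitted message 3 carries the same PTK as the first delivery."""


class Client:
    """Client-side key state for one association."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.installed = False
        self.pn = 0      # CCMP packet number, incremented once per frame
        self.sent = []   # (key, nonce) pairs actually used to protect frames

    def on_msg3(self, ptk):
        """Handle handshake message 3 (also called for a retransmission).

        Unpatched: every message 3 (re)installs the PTK and resets PN to zero.
        Patched: the PTK is installed once; a retransmission is only
        acknowledged, so the nonce counter keeps counting upward.
        """
        if self.installed and self.patched:
            return "ack-only"
        self.ptk = ptk
        self.installed = True
        self.pn = 0
        return "installed"

    def send_frame(self):
        """Protect one data frame: PN advances, and (key, PN) must never repeat."""
        self.pn += 1
        self.sent.append((self.ptk, self.pn))
        return self.pn


def nonce_reuse_count(patched, retransmit_msg3=True):
    """One handshake, two frames, an optional repeated message 3, two more frames.

    Returns how many (key, nonce) pairs were used more than once; 0 means the
    nonce-uniqueness requirement of CCMP held for the whole session.
    """
    c = Client(patched)
    c.on_msg3("PTK-constructed")   # constructed key label, not real key material
    c.send_frame()
    c.send_frame()
    if retransmit_msg3:
        c.on_msg3("PTK-constructed")   # the same PTK delivered a second time
    c.send_frame()
    c.send_frame()
    return len(c.sent) - len(set(c.sent))


if __name__ == "__main__":
    print("unpatched client, repeated msg3:", nonce_reuse_count(patched=False))
    print("patched client, repeated msg3:  ", nonce_reuse_count(patched=True))
    print("unpatched client, no repeat:    ", nonce_reuse_count(patched=False, retransmit_msg3=False))
```

The unpatched client reuses nonces 1 and 2 after the repeated message 3; the patched client continues at 3 and 4, which is the "installed only once" behaviour the FAQ describes, and it needs no change to the messages exchanged, which is why the fix is backwards compatible.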
If you have 'dumb' clients on your network that may be unpatchable for some time, say WiFi-connected stereos, AirPlay speakers etc., but they don't send or receive any sensitive data, such as credit card details, over WiFi, then do you still have a security problem? Assuming your clients that do use sensitive data, like phones and tablets, are patched.
So, the consensus is that patching the AP only plugs a small part of the hole, and no matter what you do with your AP (short of turning it off) the client devices are vulnerable even when connected to a patched AP?
EDIT: Which brings me to my next question. If patching the APs does plug all the holes, what is everyone doing with their wireless networks in the interim until client patches are available (particularly corporate ones)? What about all the older Android devices that may not get patched, or may take weeks?