Geekzone: technology news, blogs, forums

dt

165 posts

Master Geek
+1 received by user: 18

Subscriber

  Reply # 1885012 17-Oct-2017 11:39

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..


2374 posts

Uber Geek
+1 received by user: 104


  Reply # 1885017 17-Oct-2017 11:57
One person supports this post

timmmay:

kyhwana2: Make sure your wifi encryption mode is set to WPA2-CCMP (ONLY!) as the worst bits of the attack are possible with WPA2-TKIP. With CCMP mode (ONLY) the worst an attacker can do is inject packets into TCP streams. (Unencrypted streams like HTTP etc.)

 

Are there any downsides to this? My Fritzbox is set to WPA + WPA2, but I could change to WPA2 (CCMP). We have a mix of Android 4, 5, and 6 devices, a few consumer products that use WiFi such as Broadlink WiFi/IR controllers for heat pumps, and visitors that occasionally use WiFi.

 

 

Yes, there are downgrade to TKIP attacks that were presented last year and the KRACK attacks against TKIP are worse than CCMP only.

 


 
 
 
 


2374 posts

Uber Geek
+1 received by user: 104


  Reply # 1885022 17-Oct-2017 12:13
One person supports this post

dt:

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..

 

The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection).

 

It's not just isolated to 802.11r.

438 posts

Ultimate Geek
+1 received by user: 123

Subscriber

  Reply # 1885046 17-Oct-2017 12:35
4 people support this post

kyhwana2:
dt:

 

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..

 

The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.

 

There are 10 vulnerabilities listed. Essentially 10 different ways to exploit this, and 802.11r is only one of them.

 

The key advice for home users is your AP/router probably doesn't matter.  Focus on patching clients as per FAQ.

 

What if there are no security updates for my router?

 

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
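
The AP-side settings raised in this thread (WPA2 with CCMP only, and disabling 802.11r), as an added example that is not part of any post: a small audit of a hostapd-style configuration. It assumes the AP runs hostapd, which the thread does not mention; `SAMPLE_CONF` is constructed, and the defaults applied are those documented in hostapd's sample configuration.

```python
# Added example: audit a hostapd-style AP config for the settings discussed
# in this thread. SAMPLE_CONF is constructed; hostapd is an assumed platform.
SAMPLE_CONF = """\
ssid=constructed-example
wpa=3
wpa_key_mgmt=WPA-PSK FT-PSK
wpa_pairwise=TKIP CCMP
"""


def parse(conf: str) -> dict:
    """Parse key=value lines, skipping blank lines and # comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def audit(conf: str) -> list:
    """Return a list of findings; an empty list means WPA2/CCMP only, no FT."""
    opts = parse(conf)
    findings = []
    wpa = int(opts.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2 (RSN)
    if wpa == 0:
        return ["WPA/WPA2 is not enabled"]
    if wpa & 1:
        findings.append("WPA (v1) enabled: set wpa=2 for WPA2 only")
    # hostapd defaults: wpa_pairwise is TKIP, rsn_pairwise follows wpa_pairwise.
    wpa_pairwise = opts.get("wpa_pairwise", "TKIP")
    rsn_pairwise = opts.get("rsn_pairwise", wpa_pairwise).split()
    if wpa & 2 and "TKIP" in rsn_pairwise:
        findings.append("TKIP allowed for WPA2: set rsn_pairwise=CCMP")
    key_mgmt = opts.get("wpa_key_mgmt", "WPA-PSK").split()
    if any(mode.startswith("FT-") for mode in key_mgmt):
        findings.append("802.11r (FT) enabled: disable it if the AP is unpatched")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A configuration that sets `wpa=2` but omits `rsn_pairwise` is still flagged, because the inherited default cipher is TKIP.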


dt

165 posts

Master Geek
+1 received by user: 18

Subscriber

  Reply # 1885047 17-Oct-2017 12:36
One person supports this post

kyhwana2:

 

 The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.

 

 

 

 

Perfect, thanks for the nice simple answer! Just received this from Aerohive as well

 

 

 

Aerohive Networks:

 

 

 

*Snip*

 

Aerohive has reviewed the research paper and has several observations.

 

Aerohive access points and branch routers are not exposed to this EXCEPT when operating as a wifi client to another access point or operating as a mesh point. Aerohive switches do not have integrated wifi and are not affected.

 

This is NOT a flaw in the WPA2 protocol. It is a flaw in the standards that were too loosely interpreted by the industry as a whole. There is no imminent WPA3 (that we are aware of). Patches to address this are backward compatible.

 

There are no known exploits for this in the wild at this time that we are aware of.

 

The targets of the attacks described in the research paper and the web site are all CLIENTs. Per the researcher’s own words “Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).”

 

*Snip*

 


25585 posts

Uber Geek
+1 received by user: 5361

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1885062 17-Oct-2017 13:05
One person supports this post

As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.

 

 


'That VDSL Cat'
6667 posts

Uber Geek
+1 received by user: 1266

Trusted
Spark
Subscriber

  Reply # 1885078 17-Oct-2017 13:12

sbiddle:

 

As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.

 

 

but steve! it's always the router's fault not the handheld devices!!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


dt

165 posts

Master Geek
+1 received by user: 18

Subscriber

  Reply # 1885089 17-Oct-2017 13:48

 

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

Understand it's more preferable to patch client side but if that above scenario is correct it's heaps easier to first patch the AP then move onto the 20 client devices..


118 posts

Master Geek
+1 received by user: 24


  Reply # 1885091 17-Oct-2017 13:52

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"


101 posts

Master Geek
+1 received by user: 28


  Reply # 1885125 17-Oct-2017 14:36
One person supports this post

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.


1849 posts

Uber Geek
+1 received by user: 513


  Reply # 1885134 17-Oct-2017 14:50

caminham:

 

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.


'That VDSL Cat'
6667 posts

Uber Geek
+1 received by user: 1266

Trusted
Spark
Subscriber

  Reply # 1885139 17-Oct-2017 15:01

caminham:

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

 

 

Agreed, overall this is a Client side issue for the most part.

 

How this hit the news, seems to be causing a bit of an outcry however, OMG rsp! what are you doing to protect me!

 

 

 

Providers can get manufacturers to release an update patching 802.11r, they can disable TKIP (at the risk of device compatibility).. but at the end of the day, the end user client device needs updates to resolve this.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


101 posts

Master Geek
+1 received by user: 28


  Reply # 1885149 17-Oct-2017 15:08

Paul1977:

 

caminham:

 

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.

 

 

Having read it a few times, and the original quote (it is in the context of a compatibility question), I believe that statement is referring to Client security updates.

 

https://www.krackattacks.com/#faq 

 

 

Do we now need WPA3?

 

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available.
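
The FAQ wording quoted above ("sends exactly the same handshake messages as before" while "a key is only installed once"), as an added toy model that is not part of the thread and not the researchers' or any vendor's code. The `Supplicant` class, its fields and the session key value are illustrative assumptions; real clients track far more state.

```python
# Added illustration: toy model of a Wi-Fi client handling message 3 of the
# 4-way handshake. All names and the key value are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    patched: bool
    installed_key: Optional[bytes] = None
    tx_pn: int = 0                      # packet number, used as per-frame nonce
    used_nonces: set = field(default_factory=set)
    reused: list = field(default_factory=list)
    msg4_sent: int = 0

    def on_message3(self, ptk: bytes) -> None:
        """Handle message 3, or a retransmission of it."""
        already_installed = ptk == self.installed_key
        if not (self.patched and already_installed):
            # Installing the key resets the transmit packet number.
            self.installed_key = ptk
            self.tx_pn = 0
        # Patched or not, the client answers with message 4 as before.
        self.msg4_sent += 1

    def send_frame(self) -> tuple:
        """Protect one outgoing frame and record any (key, nonce) reuse."""
        self.tx_pn += 1
        nonce = (self.installed_key, self.tx_pn)
        if nonce in self.used_nonces:
            self.reused.append(nonce)
        self.used_nonces.add(nonce)
        return nonce


def run(patched: bool) -> Supplicant:
    ptk = b"constructed-session-key"
    client = Supplicant(patched)
    client.on_message3(ptk)             # first message 3
    for _ in range(3):
        client.send_frame()
    client.on_message3(ptk)             # retransmitted message 3
    for _ in range(3):
        client.send_frame()
    return client


if __name__ == "__main__":
    for patched in (False, True):
        c = run(patched)
        print(f"patched={patched} msg4_sent={c.msg4_sent} reused={len(c.reused)}")
```

Both runs send message 4 twice, which is the backwards compatibility the FAQ describes; only the unpatched client repeats (key, packet number) pairs after the retransmission.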

 


233 posts

Master Geek
+1 received by user: 20


  Reply # 1885154 17-Oct-2017 15:18
One person supports this post

If you have 'dumb' clients on your network, that may be unpatchable for some time.  Say WiFi connected stereos, Airplay speakers etc.  But they don't send or receive any sensitive data, such as credit card details etc, over WiFi.  Then do you still have a security problem?  Assuming your clients, like phones and tablets, that do use sensitive data are patched.


1849 posts

Uber Geek
+1 received by user: 513


  Reply # 1885156 17-Oct-2017 15:19

So, the consensus is that patching the AP only plugs a small part of the hole, and no matter what you do with your AP (short of turning it off) the client devices are vulnerable even when connected to a patched AP?

 

EDIT: Which brings me to my next question. If patching the APs does plug all the holes, what is everyone doing with their wireless networks in the interim until client patches are available (particularly corporate ones)? What about all the older Android devices that may not get patched, or may be weeks?

