Geekzone: technology news, blogs, forums

dt

206 posts

Master Geek
+1 received by user: 26

Subscriber

  Reply # 1885012 17-Oct-2017 11:39

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

 

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..


2396 posts

Uber Geek
+1 received by user: 113


  Reply # 1885017 17-Oct-2017 11:57
One person supports this post

timmmay:

kyhwana2: Make sure your wifi encryption mode is set to WPA2-CCMP (ONLY!) as the worst bits of the attack are possible with WPA2-TKIP. With CCMP mode (ONLY) the worst an attacker can do is inject packets into TCP streams. (Unencrypted streams like HTTP etc.)

 

Are there any downsides to this? My Fritzbox is set to WPA + WPA2, but I could change to WPA2 (CCMP). We have a mix of Android 4, 5, and 6 devices, a few consumer products that use WiFi such as Broadlink WiFi/IR controllers for heat pumps, and visitors that occasionally use WiFi.

 

 

Yes, there are downgrade to TKIP attacks that were presented last year and the KRACK attacks against TKIP are worse than CCMP only.

 


 
 
 
 


2396 posts

Uber Geek
+1 received by user: 113


  Reply # 1885022 17-Oct-2017 12:13
One person supports this post

dt:

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

 

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..

 

The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection).

 

It's not just isolated to 802.11r.

438 posts

Ultimate Geek
+1 received by user: 123

Subscriber

  Reply # 1885046 17-Oct-2017 12:35
4 people support this post

kyhwana2:
dt:

 

Can anyone confirm this is only isolated to 802.11r? Finding conflicting stories.. I can't figure out if it's the only way to use the exploit or if it's one of the ways

 

We have 434 Aerohives spread across 9 facilities and Aerohive is yet to release a patch.. sigh..

 

The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.

 

There are 10 vulnerabilities listed. Essentially 10 different ways to exploit this, and 802.11r is only one of them.

 

The key advice for home users is your AP/router probably doesn't matter.  Focus on patching clients as per FAQ.

 

What if there are no security updates for my router?

 

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.


dt

206 posts

Master Geek
+1 received by user: 26

Subscriber

  Reply # 1885047 17-Oct-2017 12:36
One person supports this post

kyhwana2:

 

 The 802.11r attacks allow for client->AP replay/decrypt (and forgery if TKIP/GCMP), the 4 way handshake attack is AP->client replay and client->AP decrypt (and injection). It's not just isolated to 802.11r.

 

 

 

 

Perfect, thanks for the nice simple answer! Just received this from Aerohive as well

 

 

 

Aerohive Networks:

 

 

 

*Snip*

 

Aerohive has reviewed the research paper and has several observations.

 

Aerohive access points and branch routers are not exposed to this EXCEPT when operating as a wifi client to another access point or operating as a mesh point. Aerohive switches do not have integrated wifi and are not affected.

 

This is NOT a flaw in the WPA2 protocol. It is a flaw in the standards that were too loosely interpreted by the industry as a whole. There is no imminent WPA3 (that we are aware of). Patches to address this are backward compatible.

 

There are no known exploits for this in the wild at this time that we are aware of.

 

The targets of the attacks described in the research paper and the web site are all CLIENTs. Per the researcher’s own words “Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).”

 

*Snip*

 


25975 posts

Uber Geek
+1 received by user: 5654

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1885062 17-Oct-2017 13:05
One person supports this post

As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.

 

 


'That VDSL Cat'
7133 posts

Uber Geek
+1 received by user: 1403

Trusted
Spark
Subscriber

  Reply # 1885078 17-Oct-2017 13:12

sbiddle:

 

As pointed out above the compromise primarily affects clients, it typically does not affect AP/routers.

 

 

but steve! it's always the router's fault not the handheld devices!!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


dt

206 posts

Master Geek
+1 received by user: 26

Subscriber

  Reply # 1885089 17-Oct-2017 13:48

 

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

Understand it's more preferable to patch client side but if that above scenario is correct it's heaps easier to first patch the AP then move onto the 20 client devices..


171 posts

Master Geek
+1 received by user: 39


  Reply # 1885091 17-Oct-2017 13:52

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"


106 posts

Master Geek
+1 received by user: 31


  Reply # 1885125 17-Oct-2017 14:36
One person supports this post

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.


1962 posts

Uber Geek
+1 received by user: 547


  Reply # 1885134 17-Oct-2017 14:50

caminham:

 

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.


'That VDSL Cat'
7133 posts

Uber Geek
+1 received by user: 1403

Trusted
Spark
Subscriber

  Reply # 1885139 17-Oct-2017 15:01

caminham:

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

 

 

Agreed, overall this is a Client side issue for the most part.

 

How this hit the news, seems to be causing a bit of an outcry however, OMG rsp! what are you doing to protect me!

 

 

 

Providers can get manufacturers to release an update patching 802.11r, they can disable TKIP (at the risk of device compatibility).. but at the end of the day, the end user client device needs updates to resolve this.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


106 posts

Master Geek
+1 received by user: 31


  Reply # 1885149 17-Oct-2017 15:08

Paul1977:

 

caminham:

 

stinger:

 

dt:

 

If you had 20 laptops all connecting to 1 AP, does patching the one AP make those 20 laptops safe until they leave that environment?

 

 

Yes. From the paper: "This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack"

 

 

I would've said no. Patching the AP is minor (802.11r only?) and offers no protection to the four way handshake vulnerability from my understanding. I take that statement as clarifying compatibility. Yes unpatched devices will work on a patched AP, but no they won't be safe.

 

 

But wouldn't the part bolded above imply that as long as one side is patched (either client or AP) then you are safe? This doesn't seem clear one way or the other to me.

 

 

Having read it a few times, and the original quote (it is in the context of a compatibility question), I believe that statement is referring to Client security updates.

 

https://www.krackattacks.com/#faq 

 

 

Do we now need WPA3?

 

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available.
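
A simplified model of the FAQ statement quoted above, that the security updates assure a key is only installed once. This is an added example, not part of any post in this thread and not the researchers' code; the class, the key label and the frame counts are constructed, and it assumes (per the KRACK paper) that installing a key resets the client's transmit nonce.

```python
"""Toy model of a Wi-Fi client receiving message 3 of the 4-way handshake.

Constructed for illustration: no real frames, keys or cryptography.
"""


class Client:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None
        self.tx_nonce = 0   # packet number used as the per-frame nonce
        self.used = []      # (key, nonce) pairs that protected a frame

    def on_message3(self, key):
        # Patched behaviour: a key that is already installed is not
        # installed a second time, so the nonce counter keeps running.
        if self.patched and key == self.installed_key:
            return
        self.installed_key = key
        # Assumption from the KRACK paper: (re)installation resets the nonce.
        self.tx_nonce = 0

    def send_frame(self):
        self.tx_nonce += 1
        self.used.append((self.installed_key, self.tx_nonce))


def reused_nonces(client):
    """Return every (key, nonce) pair that protected more than one frame."""
    seen, reused = set(), []
    for pair in client.used:
        if pair in seen:
            reused.append(pair)
        seen.add(pair)
    return reused


def run(patched):
    """Handshake, two frames, a retransmitted message 3, two more frames."""
    client = Client(patched)
    client.on_message3("PTK-1")   # first delivery of message 3
    client.send_frame()
    client.send_frame()
    client.on_message3("PTK-1")   # same message 3 delivered again
    client.send_frame()
    client.send_frame()
    return reused_nonces(client)


if __name__ == "__main__":
    print("unpatched client reuses:", run(patched=False))
    print("patched client reuses:  ", run(patched=True))
```

The handshake messages are identical in both runs; only the client's handling of the repeated message 3 differs, which is why the FAQ describes the fix as backwards-compatible.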

 


251 posts

Ultimate Geek
+1 received by user: 20


  Reply # 1885154 17-Oct-2017 15:18
One person supports this post

If you have 'dumb' clients on your network, that may be unpatchable for some time.  Say WiFi connected stereos, Airplay speakers etc.  But they don't send or receive any sensitive data, such as credit card details etc, over WiFi.  Then do you still have a security problem?  Assuming your clients, like phones and tablets, that do use sensitive data are patched.


1962 posts

Uber Geek
+1 received by user: 547


  Reply # 1885156 17-Oct-2017 15:19

So, the consensus is that patching the AP only plugs a small part of the hole, and no matter what you do with your AP (short of turning it off) the client devices are vulnerable even when connected to a patched AP?

 

EDIT: Which brings me to my next question. If patching the APs does plug all the holes, what is everyone doing with their wireless networks in the interim until client patches are available (particularly corporate ones)? What about all the older Android devices that may not get patched, or may be weeks?

