Is Wi-Fi security irretrievably broken?

Topic

New Reply

There’s a lot of buzz this weekend about a flaw that’s purported to break security on most Wi-Fi connections, allowing an eavesdropper to snoop or use
[See the full post at: Is Wi-Fi security irretrievably broken?]

4 users thanked author for this post.

Elly, SueW, AJNorth, MrBrian

Reply | Quote

Replies

So how do I prevent my router from being hijacked?

Reply | Quote

One of many such articles on “KRACK” say this:

 
On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.
…
Keep Calm
Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.
…
Story for friends / family
This is where it gets really sucky. Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment that may well not get a protocol upgrade if one is required. Right now, it sounds like all this stuff is going to be worthless from the perspective of encryption.

Reiterate the same points as above:
– secure websites are still secure, even over WiFi;
– think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes. Remember, if third parties can get onto our home networks, they’re no longer any safer than an internet cafe;
– if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary;
– it sounds like no similar attack against ethernet-over-mains power line is possible, so home networks based on mains plugs are problem still ok;
– keep computers and devices patched and up-to-date.

 
(And we know how much patch OS at the moment isn’t exactly a walk in the park…)

The article can be found here:
WPA2: Broken with KRACK. What now?
from Alex Hudson

8 users thanked author for this post.

Elly, SueW, Microfix, Ascaris, DeWayne12, Great Lake Bunyip, AJNorth, NetDef

Reply | Quote

Couple of early thoughts, without knowing the specifics of the attack vector.

Internal LAN communication can likely be compromised – for secure environments updating will be required.  that will include Wi-Fi access points as well as likely all devices: mobile phones, tablets, laptops, wi-fi connected systems.  Hopefully driver updates can solve this, but I could see where updated firmware might be required in some cases.  It’s going to be messy.

– Legacy systems with limited or no support will have to be replaced.

– A bunch of Android devices that are not being actively updated (some as little as a year old) will have to be replaced.

– Older Wi-Fi access points – you guessed it – will have to be replaced.

– IoT devices – can we just toss them into the hazmat dump outright?  (bleah!)

WPA2 has been with us since 2004.  It’s overdue for a complete overhaul.  Actually a bit surprised we don’t already have WPA3 or it’s equivalent.

We should have seen this coming and had a new standard to switch over to already.

~ Group "Weekend" ~

6 users thanked author for this post.

Elly, Microfix, DeWayne12, AJNorth, BobbyB, Kirsty

Reply | Quote

Dan G at ArsTechnica just posted some info from a privately released US-Cert update.

“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

If that’s what I think it is, then firmware updates are going to be required to fix this across most devices.

Also of interest:  One of the AP vendors I buy from (a lot) may have a patch ready to release already.  I just got a notice from them that a firmware update on a new minor version sequence is going to be available in the next 24 hours.  Their notes only speak in general terms about a few bug fixes and a security release. Coincidence?

One may hope that all the enterprise grade hardware companies are already on top of this.  (I like hope.)

~ Group "Weekend" ~

4 users thanked author for this post.

Elly, AJNorth, SueW, Kirsty

Reply | Quote

? says:

glad i kept my tin cans with the extra long cat 5 string…

maybe microsoft has a fresh kb waiting in the wings to make it all better, ha ha!

Reply | Quote

anonymous wrote:

maybe microsoft has a fresh kb waiting in the wings to make it all better, ha ha!

Whether it needs to be patched in the OS, in the wireless driver, or if it can only be handled in the access point itself remains to be seen, is the big question I’d love to see answered.  The problem is in the wifi specification itself, apparently, so it seems that any short-term solution would be to creatively break compliance with the spec in a way that defeats the exploit but not desired functionality.

Since I use DD-WRT on my router, I’ve already checked the DD-WRT site for word on this, but other than a single thread from people not part of the dev team, there has been no word yet.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, OpenSUSE Tumbleweed

Reply | Quote

A separate security issue that users need to address: How to Disable WPS In Order to Protect Your Network.

4 users thanked author for this post.

Elly, SueW, AJNorth, NetDef

Reply | Quote

From April 2014, Michael Horowitz wrote about the WPS issues on Computerworld:
The Woops of WPS (Wi-Fi Protected Setup) raises its ugly head again

Reply | Quote

I was quite pleased when, during the last round of major upgrades we made for a large office – earlier this year – we observed that WPS was disabled by default on the new AP’s we were installing. Older models always seemed to have that on out of the box.

~ Group "Weekend" ~

Reply | Quote

In addition, there’s another router “feature” that some may have overlooked: Is UPnP a Security Risk?.

Reply | Quote

Yep, we turn that off on all new routers too.  But . . .  on a home network one needs to weigh the risk versus the need.  If a home user does not have the skills needed to get certain applications working, uPnP is a great feature.  And do they need to be that secure?  (I sound like a money manager talking about investments now: what’s your risk aversion profile?)

~ Group "Weekend" ~

Reply | Quote

Checking on the router dashboard, it says that UPnP is only activated when there is a “live WAN service with NAT enabled”…

Reply | Quote

From grc.com (information displayed after accessing the Instant UpnP Exposure Test, from https://www.grc.com/x/ne.dll?rh1dkyd2)

About UPnP and what this means

Here’s what you need to know about Universal Plug n’ Play (UPnP):

UPnP has been provided and enabled by default in consumer Internet routers since 2002 or 2003.
Today, any home appliance — TV’s, DVD players, game consoles, IP cameras, printers, fax machines, and you-name-it, includes support for UPnP.
UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.
Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.
THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. It was a huge mistake for it ever to be exposed. Router manufacturers are at fault, but all they can do now is offer updated router firmware. Now that the mistake has been made, responsibility rests upon router owners to somehow eliminate that exposure.

Further information is available here (if somewhat dated).

1 user thanked author for this post.

AJNorth

Reply | Quote

I don’t worry too much about this with my own home system. But the cause for concern would be retailers who use wireless, or companies which someone could attempt to use this to hack into a system. I never figured wifi security was ever that secure, no wireless system is that good.

Reply | Quote

Kirsty wrote:

– secure websites are still secure, even over WiFi;

Important point right there.  Any HTTPS connections will remain secure (to the degree that it is itself secure) despite the exploit.   Even over a wired connection to the router, I still would not allow any sensitive data to be sent over an unencrypted connection.  In terms of the web, more sites than ever (including this one) are using HTTPS for everything, which provides a second line of defense if the wifi is compromised

As for people with older routers… they may find that one of the aftermarket firmwares available will work on their device.  I use a Netgear WNDR3700, the first hardware version from 2009, and it is still supported by DD-WRT and OpenWRT.  The last factory firmware was from 2010, if I recall, but DD-WRT (which I use) is still updated about once a month.  Not all builds are good ones; the firmware is built for hundreds of different routers, and it’s not possible for DD-WRT to test it on each of them (I am not sure, but the entire thing may be the work of one person).  A build that works brilliantly on some routers is a nightmare on others, so this is not something I would want to suggest to someone who was not accustomed to computers, as it is not out of the question that the router may end up “bricked.”  Even so,  if the router is going to be scrapped anyway if this doesn’t work (because it is insecure), it may be worth a shot even knowing the risk.  Actually flashing the new firmware is dead simple; it’s the “fix it” work in case of a mishap that gets a little hairy.

For those who are familiar with computers and networking, nearly any mishap can be reversed relatively easily, on my router at least.  Debricking is as simple as enabling the router’s recovery mode by holding the reset button down for a specified time and sending a new firmware via TFTP, which is something that you can find the exact syntax for easily with a web search.

Using the factory firmware, I have not been able to get even close to the throughput via wifi that I get with DD-WRT, and there’s much more you can do with DD-WRT compared to stock, so there’s more to recommend it than security updates alone.  I wouldn’t want to go back even if Netgear did release a new firmware for this router.

EDIT: There is not, as I type this, any word of a coming fix for this wifi security issue in DD-WRT.  I would assume it’s coming, but no info is yet available.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, OpenSUSE Tumbleweed

3 users thanked author for this post.

Elly, MrBrian, AJNorth

Reply | Quote

Brian Krebs published an article about fifty minutes ago:  What You Should Know About the ‘KRACK’ WiFi Security Weakness.

1 user thanked author for this post.

NetDef

Reply | Quote

As usual, Brian brings a focus and clarity on the topic that I always find refreshing.

 

~ Group "Weekend" ~

1 user thanked author for this post.

AJNorth

Reply | Quote