Very Serious WIFI Security Flaws Discovered

midgetwaiter · #1 10-16-2017, 04:19 PM

Looks like this is going to to be pretty heavily covered in the news over the next couple of days but it never hurts to get the word out a bit. A researcher has discovered several significant flaws in the way that WPA2 Wifi encryption is implemented in basically everything. In the most heavily impacted products a malicious actor can use these flaw to trick a wifi client into using a bad encryption key allowing the bad actor to decrypt all of the wifi traffic.

This means that someone could not only read all of the traffic on your wifi network, they could possibly execute what is known as a man in the middle attack which would allow them to change that data before it reaches the client device, injecting a virus for example. However if that traffic is also encrypted through SSL/TLS like when you put your credit card details into a secured online store they wouldn't be able to read it right away, There are methods such as the TLS LOGJAM attack one can use on traffic from websites using outdated encryption protocols to get into the middle of that data stream as well though so it's not something you want to ignore.

Vendors of affected products were notified of the problem at the end of August and as such some of them have updates available already, more will become available shortly. Here's a list from US-CERT which is the primary tracking organization for such things.

http://www.kb.cert.org/vuls/byvendor...&SearchOrder=4

Microsoft had patches out last week that mitigate this, Apple has fixes in testing for their devices. Patches for Linux are available from Debian/Ubuntu now but not Redhat yet. Andriod is vulnerable to the simplest forms of this attack but patches will probably have to go from Google to device makers and then carriers so they could take a while. IOT devices like cameras , storage devices and speakers will be vulnerable as well but there isn't a definitive guide out there yet. Many of them use versions of Linux so the fix is available for the manufacturers to integrate.

And here is the researcher's website on the issues:

https://www.krackattacks.com/

Fisherpeak · #2 10-16-2017, 05:00 PM

Now if you were like me and had no idea what a WIFI was or how to use it then you would be safe. You all got to get the hell off of this ticky tacky crap. Back to the old days. Christ, power went out for a month and half of you would die. I have discovered a few flaws in my Wifey, but she has discovered more than a few in me. We get along fine.

silverdoctor · #3 10-16-2017, 05:12 PM

Just keeps getting better and better, and more to come.

TylerThomson · #4 10-16-2017, 08:22 PM

My WiFi security comes in the form of a great pyranese X kangel. Haha you would need to be in my yard and inside his fenced area to use it.

It is a pretty serious flaw though and I do understand the ramifications, just having some fun.

purgatory.sv · #5 10-16-2017, 08:39 PM

What i take from this is captured between networks.

Continuous flow must be interrupted.

Geeks have a role.

I also belive protocol should be maintained?

midgetwaiter · #6 10-17-2017, 11:30 AM

Quote:

Originally Posted by purgatory.sv

What i take from this is captured between networks.

Continuous flow must be interrupted.

Geeks have a role.

I also belive protocol should be maintained?

I have no idea what you are asking here but your first two statements are incorrect. In order to exploit this you must be on the same Wifi network (broadcast domain).

purgatory.sv · #7 10-17-2017, 12:22 PM

I always thought that information travelling from device to another was following a protocol,
You transmit a code then the code was acknowledged,so i assumed if the request and receive did not match an error would occur. I only assume that, i just use the technology and do not trust it.

Stinky Buffalo · #8 10-17-2017, 01:19 PM

Thanks for the heads-up, midgetwaiter!

midgetwaiter · #9 10-17-2017, 03:07 PM

Quote:

Originally Posted by purgatory.sv

I always thought that information travelling from device to another was following a protocol,
You transmit a code then the code was acknowledged,so i assumed if the request and receive did not match an error would occur. I only assume that, i just use the technology and do not trust it.

Well there are things in place like that at a low level but they are meant to avoid transmission errors with a particular frame only.

Look at it this way; Imagine I send you an envelope with 30 pennies in it, you know its coming but not how many pennies are in the envelope. In order to make sure nobody steals any I write "30 pennies" on the outside of the envelope. If someone intercepts that envelope and steals 5 pennies all they have to do is white out "30" and write "25".

So that's not cool. We try to avoid this situation by implementing series of encryption standards that keep people from being able to read or modify the contents of our envelops. Unfortunately in this case the flaw discovered is in the encryption standard so all that pretty much goes out the window.

BBT · #10 10-18-2017, 01:11 AM

Is it true that midget porn takes up half the space on your hard drive?