WPA2 has been cracked

snortingfrogs
5 minutes ago, LAwLz said:

I don't remember where the WPA2 encryption is applied, but chances are the MAC address is not encrypted. If that's the case then finding a whitelisted MAC address will take like 10 seconds (not hyperbole).

what if they are already connected then?

I studied at KU Leuven (together with @Joachim Opdenakker); the guy who found this (Mathy Vanhoef) was one of our teachers. Proud to know him!


31 minutes ago, mr moose said:

what if they are already connected then?

I don't think there is a standard for how access points handle that. Guess it would vary based on vendor implementation. 

It will probably not refuse the connection from the attacker, but MAC collisions will occur (and how that is handled varies greatly from network to network). 


1 hour ago, mr moose said:

 

wouldn't the person who wants unrequested access to your wifi network then need to know a whitelisted MAC address?

It's very simple to discover MAC addresses of devices connected to an AP, even when you are not connected.


16 minutes ago, Eniqmatic said:

It's very simple to discover MAC addresses of devices connected to an AP, even when you are not connected.

Even without going to a techy solution, all you need is 15 seconds of access to someone's phone that is connected who isn't paying attention to their device for example.


4 hours ago, leadeater said:

@Lurick

 

Any idea how this is going to affect RADIUS/802.1x wireless networks? I'd like to say they should not be affected but I'd like to see those unreleased CVEs first; it could also depend on implementation too, so there might not even be a solid answer.

Yah, I thought the paper at the bottom was a preview or snippet of what's going to be released but looks like I missed the published date x.x


The report is out now.

I haven't had the time to look at it but at a glance it seems like:

1) It affects WPA-Enterprise too (really, really bad news).

2) It can be patched either at the client or the access point (good news).

3) The patch is backwards compatible, which means that there will be no issues with a patched client talking to an unpatched AP, or vice versa.

 

 

TL;DR:
Update your clients and access points and you will be fine.


4 hours ago, leadeater said:

@Lurick

 

Any idea how this is going to affect RADIUS/802.1x wireless networks? I'd like to say they should not be affected but I'd like to see those unreleased CVEs first; it could also depend on implementation too, so there might not even be a solid answer.

Yeah, that was my first thought - otherwise it's going to be a shit week for me.

2 hours ago, KuJoe said:

Thank god Ubiquiti already released firmware to address these exploits.

Yeah - found this on their site

 

https://www.krackattacks.com/


2 hours ago, mr moose said:

 

wouldn't the person who wants unrequested access to your wifi network then need to know a whitelisted MAC address?

There are a number of different ways you can figure that out.


1 minute ago, LAwLz said:

The report is out now.

I haven't had the time to look at it but at a glance it seems like:

1) It affects WPA-Enterprise too (really, really bad news).

2) It can be patched either at the client or the access point (good news).

3) The patch is backwards compatible, which means that there will be no issues with a patched client talking to an unpatched AP, or vice versa.

 

 

TL;DR:
Update your clients and access points and you will be fine.

Well, patch is the keyword. Depending on client/AP, how likely are we to get a patch?

 

With consumer APs, it's mostly recent flagship products that get updated especially if you're running a maintained third party firmware. If say you're running an Android device, you're stuck in the same situation where you need a security update which again depends on if you have a flagship device of recent date. On PCs it will depend on what wifi solution you have and how well maintained it is (again, depends on where it resides in the product stack). I'm imagining that a lot of devices will be left unpatched which is very bad but corporations don't give a fuck about that unless they have to.


Update: no Meraki firmware fix yet :(


1 minute ago, Windspeed36 said:

Update: no Meraki firmware fix yet :(

Yeah I second that, just was checking ours this minute as well!


3 minutes ago, NvidiaIntelAMDLoveTriangle said:

How is this news again?

WPA2 was cracked/hacked ages ago. WPA is even less secure than having no password.

New flaw..


13 hours ago, paddy-stone said:

Might sound stupid here (probably). But what if you don't broadcast your SSID?

Nowadays not broadcasting your SSID is like shining a beacon that says "I have something worth securing", so it likely makes your network more attractive to those with a more insidious agenda.

 

Gotta spread those honey pots all throughout your system :ph34r:


10 hours ago, Ryujin2003 said:

Might just be better to reduce the power on your router. I can't access my network outside of my house, so someone would have to break in to attack WiFi... Internet security would be the least of problems at that point.

So you don't see the problem where, after you've reduced the power so that it can't be accessed outside the home, you then can't access it in other rooms of the house either... Unfortunately I have one of those many houses where the router can't be placed centrally. I in fact don't know anybody who has, as most phone lines come into the property through one of the walls, usually the same side as the telephone poles. And no, there's no way currently of doing that either. Plus I actually like using my wifi in the garden too.


28 minutes ago, Windspeed36 said:

Update: no Meraki firmware fix yet :(

 

26 minutes ago, Eniqmatic said:

Yeah I second that, just was checking ours this minute as well!

 

Yah, we might be waiting until the full paper is released to push an update out to make sure nothing is missed, or it's still in regression testing :) 


1 minute ago, Lurick said:

 

 

Yah, we might be waiting until the full paper is released to push an update out to make sure nothing is missed, or it's still in regression testing :) 

Was it you or someone else asking for the Meraki changelog history? You can get it through the control panel.

Link to comment
Share on other sites

Link to post
Share on other sites

17 minutes ago, Windspeed36 said:

Was it you or someone else asking for the Meraki changelog history? You can get it through the control panel.

Not me, I know where to get all the good stuff :P 


47 minutes ago, paddy-stone said:

So you don't see the problem where, after you've reduced the power so that it can't be accessed outside the home, you then can't access it in other rooms of the house either... Unfortunately I have one of those many houses where the router can't be placed centrally. I in fact don't know anybody who has, as most phone lines come into the property through one of the walls, usually the same side as the telephone poles. And no, there's no way currently of doing that either. Plus I actually like using my wifi in the garden too.

My garage doesn't get good reception and one bathroom is basically dead thanks to a mirror. Otherwise, I live in a town house, so it's pretty easy for me to limit my access. When Verizon wired it, I had them wire it to a central location even though it comes through a side wall. I did a friend's house as well, and he installed Ubiquiti WAPs along the center wall, with his router and everything in the basement. Ran cable up the center so he didn't have to worry about neighbors trying to play with his stuff.


6 hours ago, leadeater said:

@Lurick

 

Any idea how this is going to affect RADIUS/802.1x wireless networks? I'd like to say they should not be affected but I'd like to see those unreleased CVEs first; it could also depend on implementation too, so there might not even be a solid answer.

1 hour ago, Windspeed36 said:

Yeah, that was my first thought - otherwise it's going to be a shit week for me.

WPA Enterprise is vulnerable, but it depends on the client OS and patch status.

1 hour ago, Windspeed36 said:

Update: no Meraki firmware fix yet :(

You sure? Some people on Twitter said that there had been a non-descriptive update for Meraki in the last couple of weeks.

45 minutes ago, Windspeed36 said:

Was it you or someone else asking for the Meraki changelog history? You can get it through the control panel.

That was me. I cannot for the life of me find change logs for previous releases. Change logs for firmware updates that are pending? Easy to find. Change logs for firmware I already have installed? Better hidden than the aliens at Area 51.

 

 

1 hour ago, NvidiaIntelAMDLoveTriangle said:

How is this news again?

WPA2 was cracked/hacked ages ago. WPA is even less secure than having no password.

1) It's news because this is a brand new flaw.

2) WPA2 was not broken ages ago.

3) How anyone can think that WPA is less secure than no password is beyond me. It most certainly is not.

 

 

50 minutes ago, Lurick said:

Yah, we might be waiting until the full paper is released to push an update out to make sure nothing is missed, or it's still in regression testing :) 

The full paper is out now.

It's a lot less serious than I thought.


How do I tell if my router's firmware update has the fix?

 

I have a D-Link DIR-890L running as my AP


4 minutes ago, LAwLz said:

That was me. I cannot for the life of me find change logs for previous releases. Change logs for firmware updates that are pending? Easy to find. Change logs for firmware I already have installed? Better hidden than the aliens at Area 51.

 

 

I'm thinking they may have patched it very discreetly, as the patch notes are quite vague.

 

If you go into the firmware upgrade area, select “schedule upgrade” and click on the version number, it’ll present a screen where you can browse through all current and past change log notes. 


19 minutes ago, LAwLz said:

WPA Enterprise is vulnerable, but it depends on the client OS and patch status.

This is, however, one of the very clear downsides to BYOD actually showing its face. If it can't be mitigated by updates to APs and controllers alone, it's a rather problematic issue.

 

We provide multiple different wireless networks with varying degrees of network access and controls, which can be easily defeated by a staff member using a personal device connecting to 'Staff Private Equipment' then signing in to something like the HR portal while their network traffic is compromised.

 

Depending on the type of business the impact could range from not too bad to rather big; where I am, a university, this is on the very upper end of 'Pray for AP patching alone to be enough'.

 

Edit:

Just in case people haven't realized this yet secure application connections will still be secure, but every internal website and application is using SSL/SSH/Kerberos right? ;)
