Jump to content

WPA2 has been cracked

snortingfrogs
By snortingfrogs
in Tech News
 Share
Posted
7 minutes ago, kingfurykiller said:

This is true.  My experiences were the unfortunate exceptions; the application I was working with required outside communication.

Well I deeply apologize on behalf of those systems lol. What OS was it if you don't mind me asking?

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
17 minutes ago, Swatson said:

Now's the point when I ragret buying a TP-Link router. Doubtful I'll get a firmware update. It was a good price (even for TP-Link), I couldn't resist.....

Ditto. Last FW update is over a year old for my router.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
18 hours ago, Lurick said:

The attack also appears to need TKIP to work, which should have been replaced by AES-256 at this point

While this is true. Older devices dont support AES. For instance the PS3 I have connected to my network. I use it mostly for blu ray play back. I guess, it wont have a network connection from now on. 

I just want to sit back and watch the world burn. 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Swatson said:

Now's the point when I ragret buying a TP-Link router. Doubtful I'll get a firmware update. It was a good price (even for TP-Link), I couldn't resist.....

Synology's router is crushing every other router I've ever used (Asus + Linksys).  They push out updates every 3-4 weeks and have an actual pro-level UI.

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
21 minutes ago, AnonymousGuy said:

Synology's router is crushing every other router I've ever used (Asus + Linksys).  They push out updates every 3-4 weeks and have an actual pro-level UI.

Good thing your mentioned this. I just checked DDWRT's website for a new firmware. Seems the latest is September. I hope they release a new one quickly. 

I just want to sit back and watch the world burn. 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

This is very big news.  I remember back when people were realizing that WEP was no longer viable, other options (WPA) were already available so it wasn't a huge deal, you just had to use that instead.  But WPA2 is still the best option afaik so this basically means wireless is unsafe until the next thing comes out.  I also wonder how many devices will be able to be updated to support the new thing, whatever and whenever it is.  I suspect things like phones probably will get the update but I wouldn't be so sure about most routers.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Donut417 said:

While this is true. Older devices dont support AES. For instance the PS3 I have connected to my network. I use it mostly for blu ray play back. I guess, it wont have a network connection from now on. 

No it's not true, the TKIP is a lie. It affects WPA2 as a whole.

49 minutes ago, AnonymousGuy said:

Synology's router is crushing every other router I've ever used (Asus + Linksys).  They push out updates every 3-4 weeks and have an actual pro-level UI.

 

Let me know when Synology is cheap.

 

MOAR COARS: 5GHz "Confirmed" Black Edition™ The Build
AMD 5950X 4.7/4.6GHz All Core Dynamic OC + 1900MHz FCLK | 5GHz+ PBO | ASUS X570 Dark Hero | 32 GB 3800MHz 14-15-15-30-48-1T GDM 8GBx4 |  PowerColor AMD Radeon 6900 XT Liquid Devil @ 2700MHz Core + 2130MHz Mem | 2x 480mm Rad | 8x Blacknoise Noiseblocker NB-eLoop B12-PS Black Edition 120mm PWM | Thermaltake Core P5 TG Ti + Additional 3D Printed Rad Mount

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Dylanc1500 said:

Well I deeply apologize on behalf of those systems lol. What OS was it if you don't mind me asking?

Haha no apologies necessary. Fault lay with localized admins.

 

The OS's we're Windows XP and 98; the application I was working with was a proprietary piece of patient tracking software that the company I worked for developed and configured.

 

Really amazing piece of software. Significantly less amazing company.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
6 minutes ago, Ryan_Vickers said:

This is very big news.  I remember back when people were realizing that WEP was no longer viable, other options (WPA) were already available so it wasn't a huge deal, you just had to use that instead.  But WPA2 is still the best option afaik so this basically means wireless is unsafe until the next thing comes out.  I also wonder how many devices will be able to be updated to support the new thing, whatever and whenever it is.  I suspect things like phones probably will get the update but I wouldn't be so sure about most routers.

There is no need to develop WPA3 or whatever it would be called.

WPA2 will be safe as soon as patches are released (a lot of vendors are already releasing patches).

It could have been a catastrophe, but luckily for us WPA2 will remain safe.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 minute ago, Ryan_Vickers said:

This is very big news.  I remember back when people were realizing that WEP was no longer viable, other options (WPA) were already available so it wasn't a huge deal, you just had to use that instead.  But WPA2 is still the best option afaik so this basically means wireless is unsafe until the next thing comes out.  I also wonder how many devices will be able to be updated to support the new thing, whatever and whenever it is.  I suspect things like phones probably will get the update but I wouldn't be so sure about most routers.

So if my router is unlikely to provide updates, my only option is to buy a new router if I want to use wifi?

This sounds like a huge vulnerability, but how likely are you going to be affected by this though? I remember there being a huge vulnerability in android not too long ago, but it seemed like there was a low chance of it happening because how difficult it looked.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
2 minutes ago, kingfurykiller said:

Haha no apologies necessary. Fault lay with localized admins.

 

The OS's we're Windows XP and 98; the application I was working with was a proprietary piece of patient tracking software that the company I worked for developed and configured.

 

Really amazing piece of software. Significantly less amazing company.

Honestly I have seen numerous systems still running 9x. Especially in the financial sector. Heck I couldn't tell you the amount of account systems still running 16bit software.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

First Bluetooth and now WPA2, better invest in a faraday cage.

 

So repeatedly sending this Step 3 of the handshake causes a stream cipher to be effectively turned into an electronic code book cipher ?

So theoretically one could monitor for a large number of handshake packets , once detected one knows that someone is attempting the attack.

This could be especially worrying as unlike most attacks on WPA2 such as the handshake capture does not require as

much computing power. This would mean one could place a bunch of raspberry pi zeros  or ESPs with wifi in monitor mode and simply repeat the attack and collect the packets encoded with an ECB method.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Well shit, Update everything? 

Primary Laptop (Gearsy MK4): Ryzen 9 5900HX, Radeon RX 6800M, Radeon Vega 8 Mobile, 24 GB DDR4 2400 Mhz, 512 GB SSD+1TB SSD, 15.6 in 300 Hz IPS display

2021 Asus ROG Strix G15 Advantage Edition

 

Secondary Laptop (Uni MK2): Ryzen 7 5800HS, Nvidia GTX 1650, Radeon Vega 8 Mobile, 16 GB DDR4 3200 Mhz, 512 GB SSD 

2021 Asus ROG Zephyrus G14 

 

Meme Machine (Uni MK1): Shintel Core i5 7200U, Nvidia GT 940MX, 24 GB DDR4 2133 Mhz, 256 GB SSD+500GB HDD, 15.6 in TN Display 

2016 Acer Aspire E5 575 

 

Retired Laptop (Gearsy MK2): Ryzen 5 2500U, Radeon Vega 8 Mobile, 12 GB 2400 Mhz DDR4, 256 GB NVME SSD, 15.6" 1080p IPS Touchscreen 

2017 HP Envy X360 15z (Ryzen)

 

PC (Gearsy): A6 3650, HD 6530D , 8 GB 1600 Mhz Kingston DDR3, Some Random Mobo Lol, EVGA 450W BT PSU, Stock Cooler, 128 GB Kingston SSD, 1 TB WD Blue 7200 RPM

HP P7 1234 (Yes It's Actually Called That)  RIP 

 

Also im happy to answer any Ryzen Mobile questions if anyone is interested! 

 

 

 

 

 

 

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
36 minutes ago, LAwLz said:

There is no need to develop WPA3 or whatever it would be called.

WPA2 will be safe as soon as patches are released (a lot of vendors are already releasing patches).

It could have been a catastrophe, but luckily for us WPA2 will remain safe.

It seems to me this still has the issue of updates that I mentioned though: some devices will be slow to get them, and some may never get them.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
4 minutes ago, Ryan_Vickers said:

It seems to me this still has the issue of updates that I mentioned though: some devices will be slow to get them, and some may never get them.

Given the security of virtually all IoT devices none will be getting any updates and nor will most routers no longer supported by the manufacturer (read anything but the latest model for most ISP routers ). Not to mention the vast number of android phones no longer supported , 14.5% are still running KitKat!

Thankfully only one side must be patched, not both so either getting a new router / update or updating your devices will fix everything.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
54 minutes ago, Dylanc1500 said:

Honestly I have seen numerous systems still running 9x. Especially in the financial sector. Heck I couldn't tell you the amount of account systems still running 16bit software.

I worked for a company in the financial side of the car business that had a flagship product that ran off of 30 year old code; and it showed.

 

I had heard that developers who had worked a year at that company had a harder time finding a job than devs with no experience.

 

Said company has the largest market share of US car dealerships.

 

Most of their web-based software only supports IE8

 

:(

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
4 hours ago, LAwLz said:

Apple - No statement yet but as with Windows, it seems like it is largely unaffected by this.

From what I read iOS, like Windows, had a limited vulnerability to this however Mac OS is one of the most susceptible. 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
24 minutes ago, ScratchCat said:

Given the security of virtually all IoT devices none will be getting any updates and nor will most routers no longer supported by the manufacturer (read anything but the latest model for most ISP routers ). Not to mention the vast number of android phones no longer supported , 14.5% are still running KitKat!

Yeah agreed

24 minutes ago, ScratchCat said:

Thankfully only one side must be patched, not both so either getting a new router / update or updating your devices will fix everything.

*informative*

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
21 hours ago, paddy-stone said:

Might sound stupid here (probably). But what if you don't broadcast your SSID?

easily found

Join the Appleitionist cause! See spoiler below for answers to common questions that shouldn't be common!

Spoiler

Q: Do I have a virus?!
A: If you didn't click a sketchy email, haven't left your computer physically open to attack, haven't downloaded anything sketchy/free, know that your software hasn't been exploited in a new hack, then the answer is: probably not.

 

Q: What email/VPN should I use?
A: Proton mail and VPN are the best for email and VPNs respectively. (They're free in a good way)

 

Q: How can I stay anonymous on the (deep/dark) webzz???....

A: By learning how to de-anonymize everyone else; if you can do that, then you know what to do for yourself.

 

Q: What Linux distro is best for x y z?

A: Lubuntu for things with little processing power, Ubuntu for normal PCs, and if you need to do anything else then it's best if you do the research yourself.

 

Q: Why is my Linux giving me x y z error?

A: Have you not googled it? Are you sure StackOverflow doesn't have an answer? Does the error tell you what's wrong? If the answer is no to all of those, message me.

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted (edited)

Great, none of my AP's got any update, and only one of them has openwrt support... :dry:(both tplink, wa901nd(v3 if my memory serves me correctly) and AP500) I guess its time to look for a new AP....

 

/EDIT

Just gone through all of my wifi equipment. None of them received any updates. Okay, TP-Link added to my black-list....

Edited by jagdtigger
Link to comment
Share on other sites
Link to post
Share on other sites
Posted
Quote

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates.

Looks like no new routers needed, just need updates on your devices

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Here are some of the current articles released by Ars technica, on this issue.  

 

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

 

https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

 

This is going to last a long time, as most devices currently use WPA2 as the standard crypto these days, and there are many ways this attack can be used.  Guess we are going back to handing off and shipping encrypted USB drives for a while.  

 

Also a bit of further reading will show this actually also can hurt the security of VPN's, as now closed internet can be opened.

 

https://arstechnica.com/information-technology/2015/06/even-with-a-vpn-open-wi-fi-exposes-users/

 

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

I do have a question. So I read an article about this earlier. It said that AES encryption was in better shape. That, an attacker could only look at the info transmitting. Would that mean they can read the information, such as if I used my network to access my bank? Or is that information still encrypted? I would assume the bank would use HTTPS which should have some level of encryption on it. Might be time to look for a VPN? Only reason I dont use one, is Netflix is assholes if you use one, plus Im not sure on Sony's policy with PS Vue. 

I just want to sit back and watch the world burn. 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
4 minutes ago, pyconaut said:

Also a bit of further reading will show this actually also can hurt the security of VPN's, as now closed internet can be opened.

 

https://arstechnica.com/information-technology/2015/06/even-with-a-vpn-open-wi-fi-exposes-users/

If you use a VPN then everything will still be encrypted. This exploit will strip away the WPA2 encryption, but underneath that you got the IPsec/OpenVPN/whatever encryption from the VPN.

 

There is no need to panic or spread fear.

 

 

1 minute ago, Donut417 said:

I do have a question. So I read an article about this earlier. It said that AES encryption was in better shape. That, an attacker could only look at the info transmitting. Would that mean they can read the information, such as if I used my network to access my bank? Or is that information still encrypted? I would assume the bank would use HTTPS which should have some level of encryption on it. Might be time to look for a VPN? Only reason I dont use one, is Netflix is assholes if you use one, plus Im not sure on Sony's policy with PS Vue. 

No need to worry. Like you said, your bank uses HTTPS and this security hole will only remove the WPA2 encryption.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
25 minutes ago, LAwLz said:

If you use a VPN then everything will still be encrypted. This exploit will strip away the WPA2 encryption, but underneath that you got the IPsec/OpenVPN/whatever encryption from the VPN.

 

There is no need to panic or spread fear.

 

 

No need to worry. Like you said, your bank uses HTTPS and this security hole will only remove the WPA2 encryption.

That's good to know. I will be fine then as all my traffic goes through my VPN provider AND I always use https when available too.

Please quote my post, or put @paddy-stone if you want me to respond to you.

Spoiler
  • PCs:- 
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elemetary OS, Ubuntu/ Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  •  
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  •  
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  •  
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocafone F2 pro 8GB/256GB
  • Xiaomi Redmi Note 4

 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×