WiFi Vulnerabilities

[PaulB]

I came across this article today on the BBC site. Does anyone have any further information on this?

[StuartR]

Here is some more information for you...

https://www.krackattacks.com/

Bottom line is that you should update the patches on every device that has a WiFi adapter as soon as the patches come out.

[HansV]

There are no implementations in the wild yet, so hopefully, the flaw can be repaired in time.

More info:
KRACK attacks
Regarding Krack Attacks — WPA2 flaw

[Rudi]

    
A bit more useful info to know about...

[Jay Freedman]

Something I haven't seen in any of the articles about KRACK is whether a WiFi-connected printer is vulnerable. I do notice that none of the major printer manufacturers appear in the lists of companies that have released or promised updates.

Because my printer sits only half a meter from my router, I'm going to reconnect it by Ethernet until I either get an update or read that it isn't vulnerable.

[StuartR]

Since the defect is in the protocol, EVERY device that uses WPA to connect to WiFi is vulnerable. If you are sending confidential data to a WiFi printer then it could be compromised by someone who is close enough to inject and trace WiFi packets.

[Jay Freedman]

Thanks, Stuart.

[StuartR]

I am pretty sure that if ALL of your clients are patched then you will be OK, even if there is no patch for the router, but I may be wrong.

[Jay Freedman]

We have two Windows desktops connected with Ethernet cable, and two Windows 10 (patched) desktops and a Windows 10 (patched) laptop on WiFi, so those are OK. But besides the printer, my phone (an LG on Android 7.0) and a tablet (Samsung Galaxy Tab A on Android 6.0) are on WiFi, and none of them find any patches. The router provided by my ISP (made by Actiontec) has no patch, and the manufacturer hasn't responded about whether they'll provide one.

I'll have to hope there aren't any bad actors cruising our neighborhood looking for vulnerable networks.

[Jay Freedman]

Following up on one point, it seems my router doesn't need patching. Quoting a knowledgeable poster named Shady Bimmer in the thread https://www.dslreports.com/forum/r31659 ... nerability,

The handshake vulnerabilities may only be addressed by client-side updates. Any updates on APs would only be for:

• Their STA (client-side) functionality such as in mesh or with wireless uplinks
• Their 802.11r implementation. This would be an AP-only fix for APs supporting BSS fast transition

In detail, the handshake vulnerabilities specifically leverage a replay attack of the 3rd message of the 4-way handshake. This happens only in the direction to the client and takes advantage specifically of a weakness in the client-side implementation. There is nothing on the AP side that may be done to change this.

That just leaves the phone, the tablet, and maybe the printer to be updated.

[HansV]

Google has promised a patch for Android (I assume at least versions 7 and 8, hopefully also for version 6) for November 6, 2017. But unfortunately, when this patch will reach your phone depends on its manufacturer. Some brands are notoriously slow at rolling out Android updates...