Krack WiFi vuln

21
Found 16th Oct 2017
Start running round like corporal out of dad's army cos we're all doomed. Anything using WiFi is hackable, from home routers to phone hotspots and unless you have kit where the manufacturer will patch it, you/we/me are ******! VPN companies are going to make a lot of money. I've switched mine on permanent like.
Community Updates
Misc
Top comments
I just really wish I knew what the hell you were going on about so I could worry! Oh well, back to cleaning the bathroom...
Oh christ someone's tin foil hat has fallen off.
21 Comments
I just really wish I knew what the hell you were going on about so I could worry! Oh well, back to cleaning the bathroom...
Oh christ someone's tin foil hat has fallen off.
@myjess

"Start running round like corporal out of dad's army cos we're all doomed. Anything using WiFi is hackable, from home routers to phone hotspots and unless you have kit where the manufacturer will patch it, you/we/me are ******! VPN companies are going to make a lot of money. I've switched mine on permanent like..."

Private Frazer said "We're (all) doomed".
Lance Corporal Jones said "Don't Panic".

Wi-Fi is crackable (& always has been).
Public Wi-Fi "hotspots" should be avoided if you value your privacy... but that should be obvious!

We've discussed it in previous threads, & we are most likely to discuss it again.
theregister.co.uk/201…ss/ Can't see this being a major issue for home unless you get people war-driving again - "The only main limitation is that an attacker needs to be within range of a victim to exploit these weaknesses" . Could be a big problem for public WIFI but do you ever trust public for anything really sensitive.
A VPN won't help.
Original Poster
catbeans5 m ago

A VPN won't help.

A vpn will help if its vpn on your device. I agree, wont help at all if vpn is on the router.

Thanks to the guy correcting me about dads army. Still love that show so much.
Between this a Blueborne it seriously makes me reconsider having an Android phone (Moto G2) despite being on Marshmallow and still supported with security patches by Google knowing that the Android ecosystem doesn't allow you to get security updates unless the manufacturer of the phone choses to give you them.

Everything's hackable flaws will always be found, it's the security updates that are needed to make things secure again, they're one of the most important aspects of staying secure in a connected world, I wouldn't use an OS on a computer that wasn't able to be updated maybe I shouldn't use one on a phone that can't be either.

(And I'll stop anyone before they say Pixel is the solution cause it's not, the Android One program is partly a solution but they're not sold in the UK)
Edited by: "redflash" 16th Oct 2017
redflash19 m ago

Between this a Blueborne it seriously makes me reconsider having an …Between this a Blueborne it seriously makes me reconsider having an Android phone (Moto G2) despite being on Marshmallow and still supported with security patches by Google knowing that the Android ecosystem doesn't allow you to get security updates unless the manufacturer of the phone choses to give you them.Everything's hackable flaws will always be found, it's the security updates that are needed to make things secure again, they're one of the most important aspects of staying secure in a connected world, I wouldn't use an OS on a computer that wasn't able to be updated maybe I shouldn't use one on a phone that can't be either.(And I'll stop anyone before they say Pixel is the solution cause it's not, the Android One program is partly a solution but they're not sold in the UK)



iPhones are just as vulnerable to this and get exploited all the time.
catbeans23 m ago

iPhones are just as vulnerable to this and get exploited all the time.


Every single device is vulnerable until they get patched the difference is at least iOS, Windows and many other OSs will be patched in a prompt manner, the state of the Android ecosystem means millions of actively used devices won't be updated despite the fact Google will patch it in AOSP probably within the month.

There needs to be solid Android One options in the UK for people like me who want Android but don't want to be at risk on security when every new exploit is found.
I have nothing to hide on my phone
Destard3 m ago

I have nothing to hide on my phone



I think you are missing the point.
myjess2 h, 30 m ago

A vpn will help if its vpn on your device. I agree, wont help at all if …A vpn will help if its vpn on your device. I agree, wont help at all if vpn is on the router.Thanks to the guy correcting me about dads army. Still love that show so much.


A VPN on your device will not help. Do you know how networks even work? The traffic from a VPN still goes via your WiFi to the router so the traffic can still be read. Even if it is in an encrypted tunnel, even https is targetable so you are truly never safe.

to be fair this has been around for a long time anyway, I remember reading something on Linux where you can capture the handshakes and replay them again the router to get it to authenticate the device without a WiFi passcode
Edited by: "mds1256" 16th Oct 2017
catbeans2 h, 32 m ago

iPhones are just as vulnerable to this and get exploited all the time.



The iPhone 5s a 2013 device still gets software updates from apple, see if your nexus 4 gets Oreo...people can call apple for many things but their security is pretty decent for things like this!
redflash2 h, 19 m ago

Every single device is vulnerable until they get patched the difference is …Every single device is vulnerable until they get patched the difference is at least iOS, Windows and many other OSs will be patched in a prompt manner, the state of the Android ecosystem means millions of actively used devices won't be updated despite the fact Google will patch it in AOSP probably within the month.There needs to be solid Android One options in the UK for people like me who want Android but don't want to be at risk on security when every new exploit is found.



Dannyrobbo10 m ago

The iPhone 5s a 2013 device still gets software updates from apple, see if …The iPhone 5s a 2013 device still gets software updates from apple, see if your nexus 4 gets Oreo...people can call apple for many things but their security is pretty decent for things like this!



The iPhone have loads of exploits that haven't been patched and many others patched many months later. I'm not knocking apple, but they aren't as up on it as people make out.
catbeans24 m ago

The iPhone have loads of exploits that haven't been patched and many …The iPhone have loads of exploits that haven't been patched and many others patched many months later. I'm not knocking apple, but they aren't as up on it as people make out.


I agree Apple have a lot to learn with patching vulnerabilities even on macOS, but at least they have the mechanism in place to actually update them if push came to shove. Even my Lumia 435 bought 2 and a half years ago for £10 from a deal on this site gets its updates when needed and is guaranteed security updates until October 2018
catbeans1 h, 11 m ago

The iPhone have loads of exploits that haven't been patched and many …The iPhone have loads of exploits that haven't been patched and many others patched many months later. I'm not knocking apple, but they aren't as up on it as people make out.



A large exploit like this will be patched quickly, unless you are on native android it’s unlikely you will ever get a patch. As far as mobile devices go they do lead the way with updates.

though their Mac lineup suffers more than windows does.
Original Poster
mds12562 h, 40 m ago

A VPN on your device will not help. Do you know how networks even work? …A VPN on your device will not help. Do you know how networks even work? The traffic from a VPN still goes via your WiFi to the router so the traffic can still be read. Even if it is in an encrypted tunnel, even https is targetable so you are truly never safe.to be fair this has been around for a long time anyway, I remember reading something on Linux where you can capture the handshakes and replay them again the router to get it to authenticate the device without a WiFi passcode

vpn will tunnel from the device to the exit point, how is anyone going to read anything but encrypted vpn traffic if they try a mim attack?
myjess29 m ago

vpn will tunnel from the device to the exit point, how is anyone going to …vpn will tunnel from the device to the exit point, how is anyone going to read anything but encrypted vpn traffic if they try a mim attack?


The traffic still goes via WiFi so can be targeted although a bit tougher but is not impossible. Also if your device vpn is constantly switched on, on your device then what about your other smart devices e.g. your TV, your smart watch, your thermostat, your WiFi music system, your network storage system, your router. They can all be hacked too
A quick update, Microsoft rolled out the security update on the 10th of October. Apple have the fix in the latest beta of iOS but that’ll not be out for a few weeks. The pixel range will get it on the 6th of November.
myjess6 m ago

Be good to be able to buy a cheap patched AP hardwired to the router and …Be good to be able to buy a cheap patched AP hardwired to the router and urn the router wifi off until BT etc roll out firmware updates, but still have to stay away from public points.Anyone know if someone has developed an app yet that tests your wifi, or is that in itself tantamount to hacking?



I think you can get around this by turning the AP broadcast off on your WiFi. it would greatly reduce the chance.
mds12563 h, 39 m ago

The traffic still goes via WiFi so can be targeted although a bit tougher …The traffic still goes via WiFi so can be targeted although a bit tougher but is not impossible. Also if your device vpn is constantly switched on, on your device then what about your other smart devices e.g. your TV, your smart watch, your thermostat, your WiFi music system, your network storage system, your router. They can all be hacked too



A bit tougher! Really? An encrypted VPN tunnel is, by design, secure against MITM attacks, so you can safely use it on an open wifi access point. Even if the attacker used this exploit to capture the client side of the encrypted VPN stream he'd also then need to discover a flaw in the VPN software/ encryption, which tend to get patched quickly if a flaw is found (unlike old android phones), and would be further hampered by one way wifi access.

Smart watches typically use bluetooth rather than wifi, maybe someone will discover a similar flaw in bluetooth, maybe not.

Routers are apparently only vulnerable if they can and are being used in wifi client mode eg as a relay, rather than just as a normal access point. Which also means patches for you router won't make devices connecting to it secure.

Wifi enabled tvs, thermostats, wifi plugs, wifi ip cameras, android phones (and smartmeters I'd guess) are all vulnerable, and many devices simply won't ever be fixed
Edited by: "melted" 17th Oct 2017
Post a comment
Avatar
@
    Text

    Top Discussions

    Top Discussions

    Top Merchants