Cable Forum


AndyCalling 16-10-2017 21:12

KRACK security hole in WPA2 - VM fixes incoming?
 
Keeping in mind today's big story:

https://www.windowscentral.com/krack

https://www.windowscentral.com/vendo...-vulnerability

Any news about the Superhubs? I have a Superhub 2, does anyone know:

1) What's the Netgear model number, so we can get some idea of our exposure?

2) If VM are going to address this for all current cable router models on their network?

Essentially, until this is resolved we have no wifi. Not great. Especially as VM have control of this and are about to crack open a nice fee increase for themselves. Hoping VM will see an opportunity here to pay us back for our generosity in giving them a bonus whilst our salaries are whittled away with below inflation rate pay offers. :angel:

Ignitionnet 16-10-2017 22:25

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Netgear were made aware of the issue 50 days ago.

The CGN-series I can't see any announcements for. Up to VM to deal with its customers on this one.

AndyCalling 16-10-2017 23:30

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Ignitionnet (Post 35920400)
Netgear were made aware of the issue 50 days ago.

The CGN-series I can't see any announcements for. Up to VM to deal with its customers on this one.

Problem is, calling the support or fault line is not going to help. They will not have anything to say if VM have made no announcements and will likely not be in a position to call up the Virgin WPA2-collapse Rapid Response Team :rolleyes:. Anyone here able to send up a flare to VM? We at least need to know which generation routers are going to be updated so we can call up and get a replacement if necessary so we can switch the wifi back on one day.

Ignitionnet 17-10-2017 07:33

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
It's intensely paranoid to switch the wireless off. It's quite unlikely that someone with the necessary software and time is sitting outside your home right now trying to decrypt your WiFi traffic.

http://www.theregister.co.uk/2017/10...acken_patches/

Last I heard patches will be across the board. Clients can also be patched. If either of them are patched the attacks no longer work.

Either way as the article says if you've some shady hoodie outside your home tapping away on a laptop you likely have bigger things to be concerned by than your wireless traffic being eavesdropped on.

Ignitionnet 17-10-2017 09:59

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by AndyCalling (Post 35920408)
Problem is, calling the support or fault line is not going to help. They will not have anything to say if VM have made no announcements and will likely not be in a position to call up the Virgin WPA2-collapse Rapid Response Team :rolleyes:. Anyone here able to send up a flare to VM? We at least need to know which generation routers are going to be updated so we can call up and get a replacement if necessary so we can switch the wifi back on one day.

Just thinking about this some more.

I appreciate what the link you provided indicates; however, you should be aware that there is no public exploit code as yet and this is not something that we're going to see people 'war dialing' to exploit. It is a targeted attack from someone physically close, it's not exploitable over the Internet.

Keep it in context. I am quite sure you have some far more major security issues with the software, etc, you use. If you are concerned do upgrade all devices you can - the patch for clients ensures they don't allow the attacks to work.

If I or anyone else remotely educated really wanted to get at your Internet traffic there's not a whole lot you can do about it, this flaw being fixed or not, other than not use WiFi ever and use end to end encryption on everything. You weren't paranoid to the point where you disabled WiFi before this, don't be now.

It's the classic case of 'How many enemies do you actually have?!'. Unless a nation state or a major company with few morals has a reason to be interested in you, in which case to do this they'd need your home address anyway and there were all kinds of ways they could've compromised you, you're probably fine.

Keep calm and WiFi on.

pip08456 17-10-2017 11:11

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Ingi's right, even if someone was remotely interested in you and wished to carry out this sort of attack there's no easy way.

First they would have to be experienced enough with Linux for carrying out penetration attacks.

Second they would have to source the software/script to perform the attack.

Third they would have to be close enough to your WiFi to pick up a strong enough signal.

Finally, let's say they've met all those requirements. If you use HTTPS, TLS, SSL (I think) or a VPN, all they would end up with is a load of encrypted material which would take that long to decrypt it would be virtually useless by the time they succeeded and were drawing their pensions.

Reports like this are not really intended for residential internet users but are intended to alert IT professionals that the vulnerability exists so that they can push out the necessary patch throughout the company they work for which is the most likely place this exploit would be of use.

Microsoft pushed out a patch on the 10th in one of its regular update cycles, I believe it has also been pushed out to Android devices and most (if not all) router producers before it was made public.

Unfortunately clickbait sites and MSM as always blow it out of all proportion.

Qtx 17-10-2017 14:35

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Ignitionnet (Post 35920433)
It's the classic case of 'How many enemies do you actually have?!'. Unless a nation state or a major company with few morals has a reason to be interested in you

Probably more of an issue for a casual user is if they live in flats and have a neighbour who likes to dabble with these things.

This flaw allows someone who couldn't crack your wifi password to listen in on the traffic anyway. Luckily most sites that allow you to login are https by default now so the traffic logged would be encrypted anyway. Cableforum doesn't do this so in the logged traffic your username and password for here would be easily visible.

I would expect an Android exploit could come out sooner from individuals trying to exploit this as it's much easier to code due to almost a blank encryption key that can be forced.

VPNs encrypt the traffic so nice and safe, until you have to start wondering on what machine the RSA keys were made because of another recent problem found in hardware which is probably more of an issue than this WIFI problem. https://www.bleepingcomputer.com/new...dors-affected/

Ignitionnet 17-10-2017 17:04

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Qtx (Post 35920482)
VPNs encrypt the traffic so nice and safe, until you have to start wondering on what machine the RSA keys were made because of another recent problem found in hardware which is probably more of an issue than this WIFI problem. https://www.bleepingcomputer.com/new...dors-affected/

If a public VPN, nice and safe until it reaches them, they can then do as they please with the data. TL;DR don't use public VPNs unless you have a really good reason.

The Infineon TPM issue is far more serious but involves horrid to understand things like large prime numbers with structures that permit factorisation far more quickly than would be possible with a general number field sieve. Doesn't quite have the same punch as KRACK. ;)

rtho782 18-10-2017 10:54

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
KRACK's main implication is for client devices not the AP.

You need updates for all your wifi enabled toothbrushes or fridges, not your VM superhub.

Good luck with that!!

Kushan 19-10-2017 15:42

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by rtho782 (Post 35920635)
KRACK's main implication is for client devices not the AP.

You need updates for all your wifi enabled toothbrushes or fridges, not your VM superhub.

Good luck with that!!

Came here to say this, clients need updating as much as routers do.

Dude111 21-10-2017 06:27

Quote:

Originally Posted by Ignitionnet
It's intensely paranoid to switch the wireless off.

I turn mine off after every time I use it.. It is not good to be exposed to RF for no reason...

I unplug the modem when I'm done.......

Skie 21-10-2017 15:52

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Dude111 (Post 35921141)
I turn mine off after every time I use it.. It is not good to be exposed to RF for no reason...

You got lead lined walls to keep out all the other sources of RF?
:dozey:

Synthetic 21-10-2017 17:32

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Dude111 (Post 35921141)
I turn mine off after every time I use it.. It is not good to be exposed to RF for no reason...

I unplug the modem when I'm done.......

Yeah me too, I also turn off my electricity at the breaker box at night, just because :)*

*Not really!

Springy 21-10-2017 20:01

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
If your router is being used as just a router then the router does not need updating.

If the router is being used as a repeater then you have a problem as this is acting as a client and is affected by the 3rd hand shake with the resetting of the nonce.

Don't believe superhub can be used as a repeater itself so it should be safe.

The issue is with the client devices, and Android 6 has a really bad flaw with the key resetting and that needs to be patched.

But yeah, to do this you need to have a man in the middle device acting like the wifi device and dropping the 3rd hand shake. It isn't something I would have thought would be overly used as just sitting outside an open wifi network achieves the same thing and does not require all this messing around.
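
An added illustration, not part of Springy's post or of any vendor's code: a simplified model of why a client that resets its nonce when handshake message 3 is retransmitted ends up reusing keystream, and how a patched client avoids it. The `Client` class, the sample plaintexts and the SHA-256 keystream (a stand-in for WPA2's real CCMP cipher) are all assumptions made for the example.

```python
import hashlib

# Constructed sample payloads (equal length so they can be compared byte for byte).
P1 = b"GET /login user=alice"
P2 = b"POST /pay amount=0042"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream derived from (key, nonce); a stand-in for CCMP's AES counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical Wi-Fi client reduced to key installation and sending."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0

    def on_msg3(self, key: bytes) -> None:
        """Handle handshake message 3, which the AP may retransmit."""
        if self.patched and self.key == key:
            return  # key already in use: do not reinstall, keep the nonce counter
        self.key = key
        self.tx_nonce = 0  # installing the key resets the packet number

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, ks)


def run(patched: bool):
    """One frame sent, message 3 arrives again, a second frame sent."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_msg3(key)
    n1, ct1 = client.send(P1)
    client.on_msg3(key)  # retransmission of message 3
    n2, ct2 = client.send(P2)
    return n1, n2, ct1, ct2


def nonce_reused(patched: bool) -> bool:
    n1, n2, _, _ = run(patched)
    return n1 == n2


def leaks_plaintext_xor(patched: bool) -> bool:
    """True if XORing the two ciphertexts cancels the keystream entirely."""
    _, _, ct1, ct2 = run(patched)
    return xor(ct1, ct2) == xor(P1, P2)


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched",
              "nonce reused:", nonce_reused(patched),
              "keystream cancels:", leaks_plaintext_xor(patched))
```

Only the client-side handling of message 3 differs between the two runs, which is why updating client devices removes the problem regardless of the access point.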

Kushan 23-10-2017 21:58

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Dude111 (Post 35921141)
It is not good to be exposed to RF


[citation needed]

Paul 23-10-2017 22:52

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Well if it's bad, we are all in trouble.

Dude111 24-10-2017 20:05

Quote:

Originally Posted by Skie
You got lead lined walls to keep out all the other sources of RF?
:dozey:

No and you have a point but every little bit helps...

Kushan 25-10-2017 15:18

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Dude111 (Post 35921721)
No and you have a point but every little bit helps...

I think you're vastly underestimating the sheer amount of RF radiation around the place.

Stuart 25-10-2017 15:54

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Ignitionnet (Post 35920417)
Either way as the article says if you've some shady hoodie outside your home tapping away on a laptop you likely have bigger things to be concerned by than your wireless traffic being eavesdropped on.


They may not be that noticeable. There is a small car park just behind my garden, and when I first got a Wifi router (admittedly before I found out about encrypted Wifi), I found a lot of strange M.A.C. addresses in the access logs. There were also a lot of unsecured Wifi networks in the neighbourhood, and we tended to get a lot of lorries staying overnight in the carpark. Then, one by one, the residents (myself included) locked down our networks, and the lorries stopped appearing.

Ignitionnet 26-10-2017 12:21

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by Dude111 (Post 35921721)
No and you have a point but every little bit helps...

I'm in real trouble, then.

I have a Three femtocell downstairs, along with a wireless router pumping out a 40 MHz wide signal in the 2.4 GHz band, an 80 MHz wide signal in the 5 GHz band and a 2.16 GHz wide channel in the 60 GHz range.

There's also an access point upstairs pumping out 20 MHz of 2.4 GHz band and another 80 MHz of 5 GHz band.

Lastly 2 x IoT networks using LORA, ZigBee or similar.

Those are just the producers of RF inside that are intended to produce it. Obviously there'll be a bunch of other stuff producing it, such as all client devices and indeed the monitor I'm looking at right now.

RichardCoulter 14-04-2018 02:20

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
There was a feature on last night's Gadget Show. They obtained permission first from a family and managed to hack into their Wi-Fi. Within three hours they could see them, hear them and browse their wedding photos.

They said that to avoid this users should update their password and make sure that all security updates were downloaded:

https://www.my5.tv/the-gadget-show/season-27/episode-5

Hom3r 16-04-2018 21:55

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
I bought a Fingbox from Amazon, which blocks any new devices connecting without permission.

Any new devices that try and connect, an alert is sent to my phone via the app.

This will then allow me to grant or deny access.

pip08456 16-04-2018 22:37

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by RichardCoulter (Post 35943610)
There was a feature on last night's Gadget Show. They obtained permission first from a family and managed to hack into their Wi-Fi. Within three hours they could see them, hear them and browse their wedding photos.

They said that to avoid this users should update their password and make sure that all security updates were downloaded:

https://www.my5.tv/the-gadget-show/season-27/episode-5

Typical media hype. Yes it is possible to do but before you start worrying about it just stop and think.

It took professional penetration testers 3 hrs to eventually get in. These are people who have access to all the latest penetration software and know how to use it.

Next consider who is going to go to that extent just to hack you. Are you that important for a professional hacker to take the time? I mean this in general not specifically at you.

It is a non issue for the majority of users and just serves as a reminder to keep systems updated. Update router password? No, change it from the moment you install it.

RichardCoulter 17-04-2018 17:54

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Even more so now that, apparently, Russia wants to cause problems for us in retaliation for Syria:

https://www.theguardian.com/technolo...cked-your-wifi

tidder23 18-04-2018 07:35

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by pip08456 (Post 35943864)
Typical media hype. Yes it is possible to do but before you start worrying about it just stop and think.

It took professional penetration testers 3 hrs to eventually get in. These are people who have access to all the latest penetration software and know how to use it.

Next consider who is going to go to that extent just to hack you. Are you that important for a professional hacker to take the time? I mean this in general not specifically at you.

It is a non issue for the majority of users and just serves as a reminder to keep systems updated. Update router password? No, change it from the moment you install it.


But by that logic you should make your password password123. How many people are going to try and break your password?

You are saying, how likely are you to be in range of somebody with the knowledge to do it?

I say, how many people are around people who can? I have 4 neighbours that I can reach from my desk.

How long until it's packaged up in something like Backtrack so it's basically press 1 to hack?

General Maximus 18-04-2018 12:55

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
what Pip is trying to say is yes, the means are out there, but what are the chances that

a) somebody with the knowledge

and

b) somebody with the software

and

c) somebody is going to take the time

and

d) going to specifically target you

Unless it is an intentional attack for personal reasons the chances are that you are not worth a hacker's time because you will yield little reward. Last time I checked 100,000 people live in Lincoln. Statistically what are the chances that somebody is going to come and sit outside my house for 3 hours and try and crack my password for my Asus router? Even if they managed it they wouldn't get anything of value so it just isn't worth their time. There are bigger fish to fry!

rtho782 18-04-2018 13:05

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by pip08456 (Post 35943864)
Typical media hype. Yes it is possible to do but before you start worrying about it just stop and think.

It took professional penetration testers 3 hrs to eventually get in. These are people who have access to all the latest penetration software and know how to use it.

Next consider who is going to go to that extent just to hack you. Are you that important for a professional hacker to take the time? I mean this in general not specifically at you.

It is a non issue for the majority of users and just serves as a reminder to keep systems updated. Update router password? No, change it from the moment you install it.


More than this, it means they also had a poorly secured security camera or computer with webcam and decent wide area microphone, and NAS with a file share hosting their wedding photos.

A bit tenuous really.

pip08456 18-04-2018 20:18

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by General Maximus (Post 35944107)
what Pip is trying to say is yes, the means are out there, but what are the chances that

a) somebody with the knowledge

and

b) somebody with the software

and

c) somebody is going to take the time

and

d) going to specifically target you

Unless it is an intentional attack for personal reasons the chances are that you are not worth a hacker's time because you will yield little reward. Last time I checked 100,000 people live in Lincoln. Statistically what are the chances that somebody is going to come and sit outside my house for 3 hours and try and crack my password for my Asus router? Even if they managed it they wouldn't get anything of value so it just isn't worth their time. There are bigger fish to fry!

Exactly.

BTW for those interested nothing like this will ever be integrated into Backtrack. (Shhh General).

tidder23 18-04-2018 20:47

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by General Maximus (Post 35944107)
what Pip is trying to say is yes, the means are out there, but what are the chances that

a) somebody with the knowledge

and

b) somebody with the software

and

c) somebody is going to take the time

and

d) going to specifically target you

Unless it is an intentional attack for personal reasons the chances are that you are not worth a hacker's time because you will yield little reward. Last time I checked 100,000 people live in Lincoln. Statistically what are the chances that somebody is going to come and sit outside my house for 3 hours and try and crack my password for my Asus router? Even if they managed it they wouldn't get anything of value so it just isn't worth their time. There are bigger fish to fry!

the arguments seem to be

a) there's not a lot of people who can boot up linux (if it's not that simple now somebody will package it up so it is soon)

b) somebody with the software (if you're into hacking you will find a software or some variant of it)

c) somebody is going to take the time (I spend hours and hours fiddling with tech, I don't see this as a barrier for somebody who likes hacking)

d) going to specifically target you (they are going to target somebody)


So you are comfortable playing the odds that the guy who is hacked isn't you.
I'm saying it will happen to some people.
The more that they leave it the easier it will be to do and the more it will be combined with other attacks and the more common it will become.

General Maximus 18-04-2018 21:20

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Ok let me put it this way, I am very happy that statistically I am never going to be hacked.

pip08456 18-04-2018 23:04

Re: KRACK security hole in WPA2 - VM fixes incoming?
 
Quote:

Originally Posted by tidder23 (Post 35944193)
the arguments seem to be

a) there's not a lot of people who can boot up linux (if it's not that simple now somebody will package it up so it is soon)

b) somebody with the software (if you're into hacking you will find a software or some variant of it)

c) somebody is going to take the time (I spend hours and hours fiddling with tech, I don't see this as a barrier for somebody who likes hacking)

d) going to specifically target you (they are going to target somebody)


So you are comfortable playing the odds that the guy who is hacked isn't you.
I'm saying it will happen to some people.
The more that they leave it the easier it will be to do and the more it will be combined with other attacks and the more common it will become.

Linux is easy to boot up, no need to install it you can do it from a live DVD.

Someone into hacking or pentesting can get the software needed.

There's a world of difference between "fiddling with tech" and writing hack scripts or even using the command line to run readily prepared hack scripts.

Once you've spent the time getting in (if you manage it) what are you going to do? A hacker has to have a reason to hack. Yes there's the "because I can" scenario but once done they don't tend to go any further unless they are looking for something specific on the person or company.

