WPA2: Broken with KRACK. This is a core protocol-level flaw in WPA2 wi-fi

Discussion in 'Business & Enterprise Computing' started by CordlezToaster, Oct 16, 2017.

  1. [MadHatteR]

    [MadHatteR] Member

    Joined:
    Jun 12, 2006
    Messages:
    125
    Location:
    Eastern Subs, Melbourne
    I'm not sure which announcement the page is referring to for that; this StackExchange post explains it like so (source):

    On the other page the author emphasises patching clients over APs:

    In related news, LineageOS has patched: https://review.lineageos.org/#/q/project:LineageOS/android_external_wpa_supplicant_8
    Presumably this will be rolled out in the weekly automated build

    Regular Android devices will need to contain the November 6, 2017 security update (Settings => About => Security Patch Level) for the fix.
    It appears Apple patches for iOS, macOS, watchOS and tvOS will be rolled out around the same time, as the patches are currently in beta testing.

    EDIT: Explanation added
     
    Last edited: Oct 17, 2017
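    As an added illustration of why the client side matters for KRACK (this is not code from the thread, from wpa_supplicant or from any vendor), here is a toy model of the supplicant's handling of handshake message 3. The key derivation, the cipher and the nonce values are all constructed stand-ins; the one thing it models faithfully is that an unpatched client reinstalls the key and resets its packet number on a retransmitted message 3, while a patched client refuses to reinstall a key it already uses.

```python
import hashlib

def derive_ptk(pmk, anonce, snonce):
    """Stand-in for the WPA2 PTK derivation (the real PRF also mixes in both MAC addresses)."""
    return hashlib.sha256(pmk + anonce + snonce).digest()

def keystream(ptk, packet_number, length):
    """Toy CCMP-style stream: (key, packet number) is the nonce, so the same
    packet number under the same key yields the same keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

class Supplicant:
    """Client side of the 4-way handshake; 'patched' selects the post-KRACK behaviour."""
    def __init__(self, pmk, patched):
        self.pmk, self.patched = pmk, patched
        self.snonce = b"constructed-client-nonce"  # constructed sample value
        self.ptk, self.packet_number = None, 0

    def receive_msg3(self, anonce):
        ptk = derive_ptk(self.pmk, anonce, self.snonce)
        if self.patched and ptk == self.ptk:
            return  # fix: this key is already in use, do not reinstall it
        self.ptk, self.packet_number = ptk, 0  # (re)install the key and reset the counter

    def encrypt(self, plaintext):
        pn, self.packet_number = self.packet_number, self.packet_number + 1
        ks = keystream(self.ptk, pn, len(plaintext))
        return pn, bytes(a ^ b for a, b in zip(plaintext, ks))

def nonce_reused_after_retransmit(patched):
    """Msg3, one data frame, retransmitted msg3 (the AP never saw msg4), second frame.
    True means both frames were protected under the same key and packet number."""
    client = Supplicant(b"constructed-pmk", patched)
    anonce = b"constructed-ap-nonce"  # constructed sample value
    client.receive_msg3(anonce)
    pn1, _ = client.encrypt(b"first frame")
    client.receive_msg3(anonce)  # retransmission of message 3
    pn2, _ = client.encrypt(b"second frame")
    return pn1 == pn2
```

    A patched AP cannot prevent this on its own, because it is the client that decides whether to reinstall the key when message 3 arrives twice.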
  2. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,353
    Location:
    Canberra
    Indeed

    Ref: https://www.krackattacks.com/
     
  3. stebie

    stebie Member

    Joined:
    Oct 21, 2003
    Messages:
    235
    Location:
    Western Subs, VIC
    Thanks, I did see that - I'm questioning the statement on the IBM page. Obviously only needing to update routers/APs would be the preferred workaround here, but unfortunately it's not (appearing to be) the case.

    Hopefully IBM will amend their page so as not to provide a false sense of security by continuing to advocate that updating one or the other mitigates attacks. I assume they've misinterpreted the same section you've quoted.
     
  4. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    38,738
    Location:
    Brisbane
    We're UBNT users here. Our WiFi network is treated as hostile anyway, and if you want access to production from WiFi, you MUST VPN across, no exceptions.

    We previously had two WiFi networks, one for staff, one for clients. Without fail, staff would hand over their RADIUS/AD credentials to clients every fucking time. So I shitcanned that approach due to meatware weaknesses, and enforced the VPN approach. Bonus is that we can test VPN accounts on site too, which means we've reduced the "user testing the VPN from home/overseas for the first time ever" problems to zero.

    Anyways, back to the access points, I don't think I'm going to rush to patch those. They auto-patch from the stable repos daily as it is, so I'll wait for the firmware to make it to that level naturally. KRACK all sounds a bit academic at this point, and again the VPN mitigation protects us well enough (I never really trusted WPA2 to begin with anyway).
     
  5. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,293
    Location:
    Brisbane
    So how do you force VPN only access? Only allow those ports on that SSID?
     
    Last edited: Oct 17, 2017
  6. Rubberband

    Rubberband Member

    Joined:
    Jun 27, 2001
    Messages:
    6,750
    Location:
    Doreen, 3754
    The lack of a thumbs up option required me to have to post this :thumbup:.
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    38,738
    Location:
    Brisbane
    WiFi access drops you in a separate network, firewalled off from everything else. You get basic Internet out (although you're forced to use our OpenDNS-powered DNS caches, which do things like block nasty sites, DNS domains registered hours ago, and other stuff to protect users from themselves).

    The only listening port back to our business side is our VPN server, which lets people initiate a VPN connection. The process for connecting is identical for users on any other public IP address (home, overseas, free WiFi in a cafe, whatever) as it is on our WiFi network.

    No VPN, no production access. You can't even ask DNS for addresses of stuff inside our network, as the WiFi-facing DNS caches only look out to publicly resolvable stuff (you get new internal DNS servers pushed to you if and only if you authenticate and connect to the VPN).
     
    Last edited: Oct 18, 2017
  8. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,652
    Location:
    Canberra
    You're obviously not understanding the whole 'in the middle' part. Sniffing packets on the wire, even decrypting them, is a side-channel attack, not 'in the middle'.

    With this wifi exploit, I can get on, mess with non-TLS/VPN packets (e.g. DNS, ARP, etc.), your captive portal redirect, examine it myself by just pointing a browser at it, find your red tag, and proxy your users through my unencrypted proxy.
     
  9. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,652
    Location:
    Canberra
    Captive portals are easy, I always bypass them when at hotels/conferences. Fuck your extortionately priced wifi.
     
  10. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,673
    And now we are back where we started... how do you use this attack to get network access in the first place?

    You can de-auth my user and get them to connect to your rogue AP, great, but you still need them to do something stupid to get credentials to get 'on' my network.
     
  11. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    3,586
    Location:
    Melbourne
    How do you do that?
     
  12. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,652
    Location:
    Canberra
    Detailing it would be against forum rules.

    But suffice to say:
    - I haven't found one that will kill any active connections.
    - VPN.
     
  13. ex4n

    ex4n Member

    Joined:
    Oct 5, 2011
    Messages:
    2,185
    Location:
    Perth
    I have found a workaround for the issue, details below.
     
    cvidler likes this.
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,673
    That's a cop-out if ever I heard one.

    The most common way is to find a port that allows you to communicate on the internet at large, and then set up something 'somewhere else' that you can proxy traffic through on that unrestricted port. (DNS is a common one.)

    A captive portal done right is almost like an SSL VPN, until you auth, you literally don't have an internet connection.
     
  15. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,353
    Location:
    Canberra
    aircrack-ng + [macchanger / obtain someone's credentials]

    Every CP wifi network I've encountered is open encryption anyway, may as well be shouting your credentials to anyone listening.

    Ubiquiti with guest OTP is the way to go.
     
  16. AntikytheraBB

    AntikytheraBB Member

    Joined:
    Oct 12, 2014
    Messages:
    208
    Location:
    Oakleigh East, 3166
    Microsoft says Windows is patched. Well, my HTC phone can only run Win 8.1 and the last patch Optus pushed for it was Dec 2014, so it seems like I'm screwed. Damnit, I liked this phone.
     
  17. nicholasporison

    nicholasporison Member

    Joined:
    Aug 12, 2016
    Messages:
    180
    Location:
    Melbourne(Vic), Australia
    Only Raspberry Pi, Meraki & DD-WRT have fixed it.

    You can check the updated status of companies who have released the update, in the process, or have no clue from here.
     
  18. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,293
    Location:
    Brisbane
    Ubiquiti released an update on the day the news broke.
     
  19. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,353
    Location:
    Canberra
    Your link has Cisco having a tick, but most of my in-use Aironet APs don't have any new firmware available, still TBD.
     
  20. sammy_b0i

    sammy_b0i Laugh it up, fuzzball!

    Joined:
    Jun 29, 2005
    Messages:
    3,650
    Location:
    ACT 2913
    Xirrus is expecting a patch on 30/10 and they were made aware early like everyone else... zzzzzz
     