• WPA2 May have been cracked, release on the actual security flaw to be released soon.
    70 replies, posted
FreeBSD patched this three months ago.
[QUOTE=choco cookie;52784582]WPA2 was already weak security. That's why you have VPNs, network security policies, etc. Nobody depends on WPA2 to keep them safe. It's easy to catch the wifi password and get in. Just force someone to resync and record their handshake and crack their wifi password. But if you have policies and VPNs then connecting to the wifi won't do you much good still. "Cracking" WPA2 just means it'll take less time to get in, but there's still all the modern hurdles of actually getting any access that a hacker would have to get through to connect. This is all from an enterprise standpoint though.[/QUOTE] WPA2-AES is still very secure wireless security. A WPA2-AES access point with a strong key is still unbroken, and the protocol is still mathematically proven to be sound. Since this is an attack against the implementation, when clients get patched, WPA2 is still secure. To think cracking WPA2 is trivial right now is naive. People have good reason to put their trust in it. It's built on sound crypto and security properties. We can't just use VPNs for everything. At some point the traffic must hit a LAN, and most all LAN protocols don't have the ability to use secondary transport layer encryption and rely on the security of the network.
So for the web stuff this is only an issue if you're not using https right? Are sockets vulnerable?
[QUOTE=mdeceiver79;52784659]So for the web stuff this is only an issue if you're not using https right? Are sockets vulnerable?[/QUOTE] The attack can theoretically decrypt any packet travelling from an unpatched client. It would be similar to someone tapping into a cable between you and your router. Anything not using its own encryption would be vulnerable until the client is patched.
Every IoT device getting fucked in one fell swoop would've been spectacular to witness
That's pretty good news that it's something that can easily be patched. If your router manufacturer doesn't deliver you a patch honestly that's a good sign that you should jump ship, since it's just likely they have other gaps too. Or at the very least, there might be open-source firmware you can use instead with the patches.
Another vulnerability disclosed: [media]https://twitter.com/dangoodin001/status/919798487776034817[/media] :hypeisnotreal:
[QUOTE=Fourier;52784840]Another vulnerability disclosed: [media]https://twitter.com/dangoodin001/status/919798487776034817[/media] :hypeisnotreal:[/QUOTE] Holy shit. Does this fuck up SSL security big time?
I don't know, I'm not a security expert. I just know RSA is used big time by banks and major electronic systems.
[QUOTE=Fourier;52784840]Another vulnerability disclosed: [media]https://twitter.com/dangoodin001/status/919798487776034817[/media] :hypeisnotreal:[/QUOTE] That sounds like another GNU-random-like issue, or someone made a bad implementation of the standard.
Seems to be that an Ars Technica article says it's mainly Infineon chips and libraries that are affected: [url]https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/[/url] [quote]To boost performance, the Infineon library constructs the keys' underlying prime numbers in a way that makes them prone to a process known as factorization, which exposes the secret numbers underpinning their security. When generated properly, an RSA key with 2048 bits should require several quadrillion years—or hundreds of thousands of times the age of the universe—to be factorized with a general-purpose computer. Factorizing a 2048-bit RSA key generated with the faulty Infineon library, by contrast, takes a maximum of 100 years, and on average only half that. Keys with 1024 bits take a maximum of only three months.[/quote] But [b]very[/b] bad news for 1024 bit keys: [quote]The factorization can be dramatically accelerated by spreading the load onto multiple computers. While costs and times vary for each vulnerable key, the worst case for a 2048-bit one would require no more than 17 days and $40,300 using a 1,000-instance machine on Amazon Web Service and [b]$76 and 45 minutes to factorize an affected 1024-bit key[/b]. On average, it would require half the cost and time to factorize the affected keys. All that's required is passing the public key through an extension of what's known as Coppersmith's Attack.[/quote]
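An added example, not part of the post above or the quoted article: the published ROCA research describes the affected primes as having the form k*M + (65537^a mod M), with M a product of small primes, which leaves a fingerprint that can be checked on the public modulus alone. The sketch below builds toy keys with that structure and tests for the fingerprint; the choice of M (primes below 170), the key sizes and all function names are assumptions made for this demo.

```python
import math
import random

GEN = 65537
# Demo assumption: M is the product of all primes below 170 (39 primes).
PRIMES = [q for q in range(2, 170) if all(q % d for d in range(2, int(q ** 0.5) + 1))]
M = math.prod(PRIMES)

def is_probable_prime(n, rng, rounds=20):
    if any(n % q == 0 for q in PRIMES):      # trial division first
        return n in PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                  # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def structured_prime(rng, k_bits=37):
    """Prime of the form k*M + (65537^a mod M); toy size, roughly 256 bits."""
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        p = k * M + pow(GEN, rng.randrange(1, M), M)
        if is_probable_prime(p, rng):
            return p

def structured_modulus(seed):
    rng = random.Random(seed)
    return structured_prime(rng) * structured_prime(rng)

def generated_by_65537(q):
    """Residues mod q that are powers of 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GEN % q
    return seen

def has_fingerprint(n):
    """True when n mod q is a power of 65537 for every small prime q."""
    return all(n % q in generated_by_65537(q) for q in PRIMES)

# Constructed control: product of two Mersenne primes, built without the structure.
CONTROL = (2 ** 127 - 1) * (2 ** 89 - 1)

if __name__ == "__main__":
    print(has_fingerprint(structured_modulus(2017)), has_fingerprint(CONTROL))
```

The check needs only the public modulus, so it can be run over certificates or key inventories to find keys that should be regenerated.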
Oh fuck. I hope they make WPA3 soon then or whatever will be able to replace it.
[QUOTE=TheNerdPest14;52784930]Oh fuck. I hope they make WPA3 soon then or whatever will be able to replace it.[/QUOTE] They can patch the fault in this crack though, some people already have so that should secure it again.
How do I know if I have a UniFi system?
[QUOTE=TheNerdPest14;52784930]Oh fuck. I hope they make WPA3 soon then or whatever will be able to replace it.[/QUOTE] This is what I fear from sensationalised headlines. You shouldn't lose faith in WPA2. There's a big chance you are not as vulnerable as you think. If you were, once patched, it's still as secure as ever. [editline]16th October 2017[/editline] [QUOTE=TheNerdPest14;52785057]How do I know if I have a UniFi system?[/QUOTE] You most likely don't. UniFi is a product line made by Ubiquiti Networks for enterprise wireless.
[QUOTE=Fourier;52784250]"The roof, the roof, the roof is on the fire"[/QUOTE] "we don't need no water, let the motherfucker burn. burn, motherfucker, burn" -network security researchers circa ten years ago, probably
[QUOTE=Gbps;52785081]This is what I fear from sensationalised headlines. You shouldn't lose faith in WPA2. There's a big chance you are not as vulnerable as you think. If you were, once patched, it's still as secure as ever. [editline]16th October 2017[/editline] You most likely don't. UniFi is a product line made by Ubiquiti Networks for enterprise wireless.[/QUOTE] Millions of routers won't get patched, though.
[QUOTE=AtomicSans;52785260]Millions of routers won't get patched, though.[/QUOTE] From the site: [quote] [B]What if there are no security updates for my router?[/B] Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details.[/quote] The access points are updating for some of the smaller flaws that are nowhere near the severity of the client attack. Assuming the clients are patched (by typical OS updates), the access point can remain unpatched and remain secure.
Companies that patched it. [url]https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it[/url]
[QUOTE=Gbps;52785300]From the site: The access points are updating for some of the smaller flaws that are nowhere near the severity of the client attack. Assuming the clients are patched (by typical OS updates), the access point can remain unpatched and remain secure.[/QUOTE] Thanks for the clarification.
MS says they fixed it already in a previous Windows update on Oct 10th [URL]https://www.theverge.com/2017/10/16/16481818/wi-fi-attack-response-security-patches[/URL]
[QUOTE=daigennki;52784252]Good thing my cell phone carrier's Wi-Fi hotspots have WPA2-EAP (enterprise WPA2), I use that shit a lot with my laptop when outside. The access point I use at home supports it too. IoT strikes again. [editline]16th October 2017[/editline] Oh fuck, looked into the issue further, apparently enterprise WPA2 is affected too. :worried: We will just have to hope this shit gets fixed, and fast.[/QUOTE] IoT was dumb from the start. No I do not want to send a tweet from my Glade "Wisp & Fresh" Air Freshener
[QUOTE=TheNerdPest14;52785057]How do I know if I have a UniFi system?[/QUOTE] Do you own [url=https://www.ubnt.com/products/#unifi]any of these products[/url]? If not you don't have a UniFi system.
[QUOTE=Cabbage;52785521]IoT was dumb from the start. No I do not want to send a tweet from my Glade "Wisp & Fresh" Air Freshener[/QUOTE] IoT can be incredibly useful, the security in some of the products is dumb but IoT itself is great
[QUOTE=Kiwi;52784262]Not a whole lot of companies like to update their old devices. Most people are running old devices supplied by their ISP. Basically at the mercy. You made a good choice those running routers that are either updated regularly or are running custom firmware like DD-WRT and Tomato.[/QUOTE] Or don't use WiFi on one's phone (It uses way too much battery and I don't need it for data plan preservation so I turn it off outright) and have the luxury of space (My home router's range is less than the distance from its transmitter to the nearest area of land that doesn't belong to me, ergo, to mooch my wifi and exploit this you'd have to be on my property). I'm sure they'll fix it soon enough, though. Wifi's such a ubiquitous standard that being slow about it is pretty much suicide for corporations. Especially hospitality, retail, and foodservice places that openly advertise free wifi. [editline]17th October 2017[/editline] [QUOTE=djjkxbox;52786146]IoT can be incredibly useful, the security in some of the products is dumb but IoT itself is great[/QUOTE] I fail to see how IoT can benefit me in any way.
* Smart fridge? Pfft, my dumb fridge is glitchy enough as it is. And besides, I set it once for each compartment and never touch it for the life of the fridge. If it keeps cold things cold, frozen things frozen, that's all I need.
* Smart thermostat? I don't have working central HVAC at all! And even if I did I'd have a window unit in my bedroom still, as my parents seem to think keeping the house at 80 fucking degrees is a good idea.
* Smart TV? For someone who barely watches TV at all and only buys it partly because it ensures there's no ridiculous data cap on their DSL and partly because the old folks still veg out in front of the boob toob?! Waste of money.
......and that's all the devices I own that have 'smart' versions. IoT is utterly worthless to me. I fail to see any way it could possibly benefit me and the downsides are astronomical. More expensive devices, more security nightmares, more reasons for them to break/act up, no thank you.
If you are running dd-wrt on your router, build 33525 and newer has the patch for KRACK [url]ftp://ftp.dd-wrt.com/betas/2017/10-17-2017-r33525/[/url] Might want to check the dd-wrt forums though, there might be issues depending on your router.
Hope TP-link gets a fix out soon
[QUOTE=shrinkme;52785316]Companies that patched it. [url]https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it[/url][/QUOTE] This has been clutch by the way, I have a few clients who aren't on ubiquiti or ruckus and it makes finding fix status much easier.
[QUOTE=djjkxbox;52786146]IoT can be incredibly useful, the security in some of the products is dumb but IoT itself is great[/QUOTE] yes because microwave and toaster DLC's is exactly what we need.
Maybe I should call my ISP and mention to them that their new fiber router shit is really easy to get into... Like the whole login stuff doesn't work. It's the company's default routers and they just installed the stuff around here.