
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping - tdrnd
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
======
fro0116
Is there anything at all we can do to protect ourselves until our router gets
patched?

From the earlier thread [1] I gleaned that maybe a MAC filter could help, but
it sounds like that's not going to help much because MAC addresses can be
easily spoofed.

The article here recommends sticking to sites with HTTPS, which isn't really
something we always have control over, and isn't something we can
realistically expect our non-technical WiFi users to be able to strictly
adhere to.

VPNs were also suggested, but again, mandating that everybody on our WiFi must
connect through a VPN is rather impractical, and I'm personally not sure which
VPN providers are supposed to be trustworthy to begin with.

If people here have other suggestions, I'd love to hear them.

[1] https://news.ycombinator.com/item?id=15478750

~~~
jagermo
Use WPA with RADIUS. If you have a NAS at home, there is a good chance you can
install a radius server on it. Or use a Raspberry Pi:
http://www.binaryheartbeat.net/2013/12/raspberry-pi-based-freeradius-server.html

~~~
Xylakant
Quite a few clients lack WPA2 Enterprise capabilities, especially in the home
network sector (hey, playstation, I'm looking at you), making this a no-go for
a sizable chunk of the population.

~~~
Aaargh20318
A playstation is not a portable device, therefore it doesn't need wifi (they
shouldn't even have included a wifi card IMO).

~~~
hug
I rent an apartment with double brick walls everywhere. I cannot install
cabling in the wall, or really anywhere it's not a severe trip hazard. For the
most part, this is fine, because almost every device I own that requires
internet access has wifi. (The few that don't, like my NAS, can live next to
my networking equipment.)

Your suggestion would have meant that I couldn't connect my Playstation to the
Internet, which is a little bit silly, especially given that my scenario is
not an uncommon one.

~~~
davidsong
Powerline adapters are pretty cheap nowadays and fast enough. I get
synchronous 200mbps over a pair of TP-Link gigabit ones in a place with really
poor quality wiring, and they come with power pass-through so I don't even
lose a power socket.

~~~
egeozcan
I do use a powerline adapter and it works but I'm afraid that there aren't too
many eyes looking at them - what if they have a big flaw and it stays dark?

~~~
tomfanning
There's no way these adaptors aren't vulnerable, given the nature of them. In
my opinion. Extracting the signal from the mains and feeding it into GNU Radio
for demodulation, then subsequent attack, would be an interesting exercise.

~~~
ptr
Why is that? AFAIK, the data is encrypted.

------
d33
Nice to see some mainstream news coverage! I had been calling for WPA3 for
quite a long time... [0] Could you help me push that further?

[0]: https://github.com/d33tah/call-for-wpa3

~~~
pfranz
I'm also amazed that the coffee shop use-case has remained a terrible,
frustrating hack (no way to encrypt without a password and no formal support
for EULA/login screen). Like you, I figured in the 20 years since 802.11
they'd consider it a use-case worthy of first-party support--especially since
every 3 or 4 years there's a new standard everyone adopts (a, c, g, n, and
ac).

~~~
TazeTSchnitzel
I continue to be astonished there is no support for passwordless encryption
(open hotspots with no password needed to connect, but with some sort of
automatically-negotiated encryption). Dropping encryption should not be
required for a good user experience on open hotspots.

------
cpressland
So it looks like Ubiquiti UniFi firmware version 3.9.3.7537 patches against
this - which was released to Beta testers ~two hours ago on their community
site.

I wonder if this is also going to require client side patching from the OS
vendors.

~~~
lucaspiller
How do I download it? Their forums link to this page:

https://community.ubnt.com/t5/UniFi-Beta-Blog/FIRMWARE-3-9-3-7537-for-UAP-USW-has-been-released/ba-p/2098382

But I get an 'Access Denied' error when visiting it (I am logged in).

~~~
mjcl
I believe you need to sign up for their beta program at

[https://account.ubnt.com/manage/settings](https://account.ubnt.com/manage/settings)

------
acdha
It’ll be interesting to see what the mitigation options will be like given the
massive install base of routers which are barely supported and WiFi gadgets
which aren’t supported at all. There are some interesting wormable scenarios
(e.g. apartment building with an attack combining this & things like those
recent Broadcom exploits) which could be avoided if ISPs can push patches to a
large percentage of their customers.

------
epaga
One important additional piece of information: "As Hudson notes, the attacker
would have to be on the same base station as the victim, which restricts any
attack's impact somewhat."

[https://www.theregister.co.uk/2017/10/16/wpa2_inscure_kracka...](https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/?mt=1508136351680)

~~~
PinguTS
What is so important about that fact?

It is basic knowledge that in a radio-based system, like Wifi, Bluetooth,
ZigBee, … you need to be near the source. That is called physics.

With some techniques you may be able to passively monitor radio waves, but for
active attacks you will always need to be close by. That is called physics in
general and specifically electromagnetic waves.

~~~
mlu
/r/iamverysmart

------
Viper007Bond
See also:
[https://news.ycombinator.com/item?id=15478750](https://news.ycombinator.com/item?id=15478750)

------
microcolonel
My home network is a fiction, all of the clients on it are either wired to the
VPN host (except the smartphone, which just doesn't have access to most of my
network), or connect through VPN even when I'm home. This only really became
efficient enough to be viable for me with WireGuard.

~~~
bleke
Every time I start to think about a similar architecture, I start thinking
about why nobody has come up with the idea of adding a Wi-Fi "dumb pipe" mode
(direct L2 mode, if I'm right), with all security/packet dropping handled by a
higher layer; like sending OpenVPN packets directly over the air, with
everything handled by software. Of course it will hurt performance somewhat,
but for security you can make a few sacrifices.

------
empressplay
Am I understanding this correctly that you still need to authenticate with the
router before using the exploit? If so, I thought it was already prudent to
assume that unencrypted traffic (by the client) was effectively visible to
everyone else connected over the same Wi-Fi base station?

Or is this a way to break the Wi-Fi password and connect without it?

~~~
pmontra
It's more than connecting without the password

> attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes
> between computers and access points. It might also mean it's possible to
> forge Dynamic Host Configuration Protocol settings, opening the door to
> hacks involving users' domain name service.

Basically they can see all your traffic and modify it. Your LAN becomes the
Internet over an open AP and you don't know which servers you're connecting
to.

------
Canada
I'm looking forward to learning the details of these weaknesses. I'm sure they
will be with us for many years. That said, I'm not hugely concerned for myself
because I already assume whatever LAN I use might be malicious. We're living
in a world where many name brand ISPs are openly hostile to subscribers.

------
greggman
I wonder if apple's privacy stance will get them to update their discontinued
airport extremes.

~~~
Corrado
I was thinking the same thing. If they don't it might be time to replace my
Airport Extreme. I love it and it works flawlessly, but if they don't provide
updates it's worse than not having WiFi at all.

~~~
tvararu
Airport routers are not vulnerable to this exploit.

macOS and iOS computers have been issued patches to mitigate the issue on
vulnerable networks.

Source: https://m.imore.com/krack-wpa2-wi-fi-exploit-already-fixed-ios-macos-tvos-watchos-betas

------
tinix
Some good details can be found here on the hostapd security disclosure page:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

~~~
tinix
Welp, the main site is live now with more details, and the paper...

[https://www.krackattacks.com/](https://www.krackattacks.com/)

[https://papers.mathyvanhoef.com/ccs2017.pdf](https://papers.mathyvanhoef.com/ccs2017.pdf)
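The hostapd advisory linked above is titled "packet number reuse with replayed messages", which is the whole mechanism in one line: a retransmitted handshake message makes the client reinstall a key it already has, and the reinstall resets the CCMP packet number that serves as the cipher nonce. The following toy model is an added example, not code from this thread, the paper or hostapd. It compares an unpatched supplicant (reinstalls on every message 3) with the patched behaviour the advisory describes (acknowledge a retransmission but never reinstall an in-use key), and includes the replay check every CCMP receiver performs. The SHA-256 keystream is a stand-in for AES-CCM and the key, frames and class names are constructed for the demo.

```python
"""
Toy model of WPA2 key installation and CCMP packet numbers (PN).
Added example; not code from the thread, the paper or hostapd.
The keystream is a stand-in for AES-CCM: the property shown, that a
(key, PN) pair must never repeat, holds for the real cipher as well.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def keystream(ptk: bytes, pn: int, n: int) -> bytes:
    """Stand-in for the counter-mode keystream CCMP derives from (key, PN)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(
            ptk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Client side of the 4-way handshake plus CCMP transmit state."""
    hardened: bool                      # True: refuse to reinstall an in-use key
    ptk: Optional[bytes] = None
    pn: int = 0                         # transmit packet number (the nonce counter)
    seen: Set[Tuple[bytes, int]] = field(default_factory=set)
    reused: int = 0                     # count of repeated (key, PN) pairs

    def on_message3(self, ptk: bytes) -> str:
        """Handle EAPOL message 3, which may be a retransmission."""
        if self.hardened and self.ptk == ptk:
            # Patched behaviour: reply with message 4 but leave the installed
            # key and the PN untouched, so no nonce is ever reused.
            return "ack-without-reinstall"
        # Unpatched behaviour: (re)install the key and reset the PN to zero.
        self.ptk = ptk
        self.pn = 0
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the installed key; returns (pn, ciphertext)."""
        self.pn += 1
        if (self.ptk, self.pn) in self.seen:
            self.reused += 1
        self.seen.add((self.ptk, self.pn))
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class Receiver:
    """Standard CCMP replay check: the PN must strictly increase per key."""

    def __init__(self) -> None:
        self.last_pn = 0
        self.dropped = 0

    def accept(self, pn: int) -> bool:
        if pn <= self.last_pn:
            self.dropped += 1
            return False
        self.last_pn = pn
        return True


def simulate(hardened: bool) -> dict:
    """Handshake, two frames, a retransmitted message 3, two more frames."""
    ptk = b"constructed-ptk-for-demo"          # constructed sample key
    sup, rx = Supplicant(hardened=hardened), Receiver()
    sup.on_message3(ptk)
    frames = [sup.send(b"GET /a HTTP/1.1"), sup.send(b"GET /b HTTP/1.1")]
    sup.on_message3(ptk)                        # retransmitted message 3
    frames += [sup.send(b"GET /c HTTP/1.1"), sup.send(b"GET /d HTTP/1.1")]
    for pn, _ in frames:
        rx.accept(pn)
    return {
        "pns": [pn for pn, _ in frames],
        "nonce_reuse": sup.reused,
        "dropped": rx.dropped,
        "ciphertexts": [c for _, c in frames],
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(mode)
        print("hardened" if mode else "unpatched", r["pns"], "reuse", r["nonce_reuse"], "dropped", r["dropped"])
```

In the unpatched run the PN sequence is 1, 2, 1, 2: two frames reuse a nonce, and the receiver's replay check drops both of them. In the hardened run the sequence is 1, 2, 3, 4 with nothing reused or dropped. The replay check is worth keeping in the model because it shows the limit of receiver-side defences: the frames encrypted under a repeated nonce were already transmitted over the air, so dropping them at the receiver does not restore confidentiality. Only the sender-side fix, never resetting the PN for a key that is already installed, does.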

------
Integer
The patches are out for your Mikrotik devices:
[https://forum.mikrotik.com/viewtopic.php?f=21&t=126695](https://forum.mikrotik.com/viewtopic.php?f=21&t=126695)

------
pedrocr
Doesn't everyone simply assume all networks are hostile, even your home LAN?
This makes DoS very easy but if you're worried about eavesdropping from this
you have much bigger problems.

------
tryingagainbro
Do you guys think the NSA or another country's NSA knew about and exploited
this? It's amazing how many years it took for this flaw to be found, despite
being widely used. How many engineers looked at this over the years, thousands?

memo to self: Assume that nothing is really secure, so behave.

~~~
gcp
Apparently the relevant specs are behind a paywall, so almost no-one who
understood security properly looked at it.

This was rather obvious from WEP, no?

~~~
zingmars
I dunno, I'm fairly sure that the 3 letter agencies do understand security
fairly well :)

------
staunch
Wireless is a pretty huge attack vector that has always worried me. I think
I'm going to order some powerline networking gear and switch to that, since I
don't have hardwired ethernet. Seems cheap enough.

------
janci
How can the attacked device talk to the AP after its keys / nonces have been
altered? Doesn't it lose its connection, manifesting to the user that
something shady is going on?

------
NamTaf
The page seems live now, I was only getting a domain test before:
[https://www.krackattacks.com](https://www.krackattacks.com)

------
h1d
Was this intentionally left in the protocol since the beginning or was it that
hard to find for everyone over the years?

------
hoodoof
This is not good.

------
scott_karana
Looks like a dupe of
[https://news.ycombinator.com/item?id=15478750](https://news.ycombinator.com/item?id=15478750)

~~~
cpach
Not really a dupe. There is additional information in the Ars Technica article
that isn’t available in the research paper.

