KRACK (WPA2 WiFi Vulnerability)

afasoas

A WiFi Vulnerability was disclosed today which probably affects everyone - https://www.krackattacks.com/

You will need to check whether your WiFi equipment is affected (Android, anything running Linux, macOS, access points, routers, smart TVs and more) and make sure that the appropriate updates mitigating the risks have been applied to that equipment.

There's a growing list here:
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

It's my understanding that both wireless access points and client devices (phones, laptops etc.) need to be patched to mitigate the vulnerability. So be careful with public Wi-Fi hotspots etc.

The vulnerability was disclosed to manufacturers in August so patches should be appearing imminently.
 
My main computer is also on Ethernet. Don’t do any internet banking on WiFi or mobile data either.

Also your router shouldn’t be accessible over WiFi either as that would reduce opportunity for mischief.

It’s been the case for ages that you could sniff WiFi and work out the passcode if it was too short.
 
My router maker is not listed on the above website, though I am unsure about the chipset in it... I think it is Broadcom?

Off to check what the manufacturers site has to say about it???

PS yep, Broadcom chipset but no mention that I can see yet about patching this vulnerability!

Edit ~ possibly in common with many, I run my main PC on wired ethernet but we have various WiFi connected products including smartphones (Android of varying builds), smart TV, FireStick, iPad, Win10 laptop, wireless laser printer etc.

So what risks are present or potential in such a mixed OS bunch of WiFi connected kit???
 
"Do I need to turn off my wireless networks?
No you do not need to start turning off all your wireless networks. As stated in the Wi-Fi Alliance update, there is no evidence that the vulnerability has been exploited maliciously yet. It is also worth noting that for this attack to be successful an attacker must be in close proximity and it requires a sophisticated attack. Sensitive corporate data is often sent using TLS which will not be affected by this attack.

Out of the 10 vulnerabilities 9 of them are client side, so keeping your clients patched is the best way to protect against the KRACK attack. Vendors have known about these vulnerabilities for a few months now and many have already released patches or will be soon"

https://wlanassociation.org/krack-key-reinstallation-attacks-what-you-need-to-know/

Further reading

https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/
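The first post says both access points and clients need patching, and the WLAN Association quote above notes that nine of the ten vulnerabilities are client side. The toy Python model below is an added illustration, not code from this thread or from any vendor: it models only the key-install step of the 4-way handshake, in which message 3 carries the pairwise key and the access point retransmits it when it does not get message 4. The key value, frame payloads and the SHA-256 stand-in for the CCMP keystream are all constructed for the example. It shows why reinstalling an already-installed key is the root cause (the transmit packet number, which is the CCMP nonce, resets to zero, so a keystream is reused) and why the client-side fix works: a patched supplicant acknowledges the retransmitted message but leaves the installed key alone. The `nonce_reuse_detected` function is the check a monitoring tool would run over captured frames.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A captured data frame, reduced to (packet number used as CCMP nonce, ciphertext).
Frame = Tuple[int, bytes]


@dataclass
class Supplicant:
    """Toy Wi-Fi client; only the key-install behaviour of the 4-way handshake is modelled."""
    patched: bool
    installed_ptk: Optional[bytes] = None
    tx_packet_number: int = 0

    def on_message3(self, ptk: bytes) -> str:
        # Message 3 tells the client which pairwise key to install. The AP resends it
        # if message 4 goes missing, and a retransmitted message 3 is what KRACK abuses.
        if self.patched and self.installed_ptk == ptk:
            # Fixed behaviour: reply, but never reinstall a key that is already in use.
            return "msg4 sent, key left as is"
        self.installed_ptk = ptk
        # Installing a key resets the packet number. On a reinstall this is the bug:
        # the same key is now used again with nonces that have already been consumed.
        self.tx_packet_number = 0
        return "msg4 sent, key (re)installed"

    def send(self, plaintext: bytes) -> Frame:
        if self.installed_ptk is None:
            raise RuntimeError("no pairwise key installed")
        nonce = self.tx_packet_number
        self.tx_packet_number += 1
        # Stand-in for the CCMP keystream: like the real one it depends only on key and nonce.
        keystream = hashlib.sha256(self.installed_ptk + nonce.to_bytes(6, "big")).digest()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return nonce, ciphertext


def simulate(patched: bool) -> List[Frame]:
    """One session: install key, send a frame, receive message 3 again, send another."""
    ptk = b"constructed-example-ptk-not-a-real-key"  # constructed sample value
    client = Supplicant(patched=patched)
    client.on_message3(ptk)
    frames = [client.send(b"first data frame")]
    client.on_message3(ptk)  # the access point's retransmitted message 3
    frames.append(client.send(b"second data frame"))
    return frames


def nonce_reuse_detected(frames: List[Frame]) -> bool:
    """Monitor-side check: the same packet number seen twice within one key's
    lifetime means the keystream was reused, which is the symptom of a reinstall."""
    seen: Set[int] = set()
    for nonce, _ in frames:
        if nonce in seen:
            return True
        seen.add(nonce)
    return False


if __name__ == "__main__":
    for patched in (False, True):
        reused = nonce_reuse_detected(simulate(patched))
        print(f"patched={patched}: nonce reuse detected = {reused}")
```

The unpatched run reuses packet number 0 after the retransmitted message 3, so the two frames were encrypted with the same keystream; the patched run keeps counting from where it left off. Because the fix lives entirely in the client's handling of a repeated message 3, updating the client removes the exposure for that device even before the access point vendor ships anything, which is why the thread's advice to prioritise client patches holds.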
 
Don’t do any internet banking on WiFi or mobile data either.
I'm the same, nothing of any importance on wifi / mobile data. Plus I've said that many times when I've been called a Luddite by some of the "fan boys" on here that just have to do everything with a mobile phone.
The first device doubles the chances of a hack and thereafter others greatly increase the risks.
 
I've just checked my router and found that there was a firmware upgrade available. So it has been installed but when I checked with Netgear about this, all it states is that the update "Fixes security issues" and nothing else.
Presumably the update was issued because of the krack attack observations but no acknowledgement is given to this on Netgear's site.
 
I ticketed my router maker and so far they are awaiting the chipset manufacturers response.

Mention was made of 'connected' devices like Android phones and other Android devices; I wonder how long we will have to wait for these to be patched. My Moto G5's last security patch date is January 2017!
 
My main computer is also on Ethernet. Don’t do any internet banking on WiFi or mobile data either.

Also your router shouldn’t be accessible over WiFi either as that would reduce opportunity for mischief.
It’s been the case for ages that you could sniff WiFi and work out the passcode if it was too short.
I thought I'd turned off admin access via wi-fi so I was a bit surprised when I was able to get the admin log-in screen on my tablet. Now I can't find where to turn it off.... :rolleyes:
(Asus RT-AC68U)
 
There was a report on the TV yesterday of a guy who tried to pay for something with his phone app and it was declined. He tried to phone the bank and the phone wasn't working, so he assumed it was a phone fault. Being a weekend he didn't get to the phone shop, but when he did he was told that the SIM card had been cancelled and a new one issued at his request; whoever did it had all the answers and had managed to change the password because the new ones were sent to the phone. They stopped the card when he gave them paper ID proof and reissued a new one, changing everything, hopefully. On a visit to the bank he found someone had tried to transfer £5000 from his account using the mobile app; the bank stopped it under the suspicious transaction heading and tried to contact him via email, which he hadn't checked. Nice to know it was the same bank I use: they did it to me once and a quick phone call cleared it; annoying though it was, I was pleased they did check.
It seems this is getting more common: fraudsters collect data from social media sites and use it to get access to all sorts. Good luck to them if they try mine, most info is false anyway, including my DOB. I don't have any banking apps on the phone and I use a separate credit card for online stuff that isn't linked in any way to my bank account and has a low credit allowance, despite Tesco continually trying to raise it to silly amounts that I have no use for.
 