• Last Updated:
  • Nov 11th, 2017 8:05 pm
Deal Fanatic
Nov 21, 2002
7033 posts
943 upvotes
Winnipeg
ES_Revenge wrote:
Oct 21st, 2017 7:15 pm
That's it in a nutshell and the reality is even if you're susceptible to this vulnerability the chances of you actually getting hacked in this fashion are really very, very small. The only people that will be putting anything into the landfills over this are tin foil hatters (of which we know there are many on RFD but in the real world there are very few).

Think about how many people have WPS enabled on their routers given:
1. It is still enabled by default on many of these devices even long after it's a known rather gaping security hole?
2. Most people don't understand how big a security flaw WPS is and they actually foolishly think it's just some easy way to connect devices and use it in that fashion?

And WPS basically lets any real hacker into your network with a degree of ease given how long it's been known about and how many people have it enabled as described above.

As for KRACK and hosting cp servers (I'm guessing that means child porn servers?) not sure this is really an avenue for that. KRACK allows wireless traffic to be intercepted, it doesn't allow access to your network, right? For that, the WPS avenue would be much more straightforward and effective. KRACK on the other hand would be better for stealing information like internet passwords and the like (e.g. identity theft) instead of gaining control over your network. And who is really accessing things like banking, finances, critical identity stuff over their standalone devices like Android boxes, Rokus, etc? On their phones yes but then I've always thought this a bad idea personally and do all that on my laptop, though granted I don't even ever use wifi on my phone (I'm always on mobile data).

Bottom line is "hackers gonna hack" and unless you want to be known for wearing foil hats of various designs, you've probably got multiple "security issues" in the way you use computers and devices daily. Sure do what you can to minimise these, but there's really no reason to go overboard.
You're missing more of the problem. It's PoS devices at retail and client-side IoT that's the worst issue. Smart devices: your smart garage door opener, your home wifi cameras, plugs, door locks. Any that don't get updated can entitle a smart crook to compromise your premises quite easily. It takes staking out the house to another level.

The list goes on. This is a big problem and will be around for years because it's installed everywhere. I bet we will see very cheap unupdated stock being unloaded real soon. Basically it can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on. It's unknown the full extent of what could be done. The full extent will come down to hacker creativity, which no one knows. That's why fixing both client and backend is so crucial: no weak link in the chain.



The United States Computer Emergency Readiness Team (Cert) issued a warning in response to the vulnerability.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.
Deal Addict
Sep 10, 2005
3104 posts
491 upvotes
GTA
ceredon wrote:
Oct 21st, 2017 9:36 am
I heard Rogers has been telling people that their modems aren’t affected by Krack.

Do they intentionally hire the absolute dumbest people? I get that they aren’t a technology company but can’t they hire someone that has a clue? Even on a contract basis. They don’t always have to hire monkeys.
For the majority of home users, the client devices are the issue, not the modem/router. Unless their modems have client functionality, they're not technically wrong.
Deal Fanatic
Sep 28, 2010
9870 posts
2321 upvotes
Irregular Heptagon
Dave98 wrote:
Oct 22nd, 2017 12:01 am
For the majority of home users, the client devices are the issue, not the modem/router. Unless their modems have client functionality, they're not technically wrong.
I looked into it more and they are likely right and I was unnecessarily harsh. I was wrong. The access point can definitely be a problem but only if it implements a specific fast roaming protocol, from what I’ve read. Rogers kit does not. The other 9 vulnerabilities are indeed client side.
2015 wins: Trip for 2 to NYC with airfare, limo, hotel and insurance ($3700); Maple Leafs tickets($250); 32GB HTC One M9 ($700), Samsung Galaxy Tab 10.1($200), Samsung Galaxy Note 5($850), Aukey 2 port fast car charger($23), Fitbit Flex ($120), Blue Piston Bluetooth Speaker ($30). 2016 wins: nada
Deal Fanatic
Nov 21, 2002
7033 posts
943 upvotes
Winnipeg
ceredon wrote:
Oct 22nd, 2017 8:01 am
I looked into it more and they are likely right and I was unnecessarily harsh. I was wrong. The access point can definitely be a problem but only if it implements a specific fast roaming protocol, from what I’ve read. Rogers kit does not. The other 9 vulnerabilities are indeed client side.
It affects all WPA2 but they say it's especially easy to crack wifi on Android 6.0 or Linux with wpa_supplicant 2.4 or later without a fix.

But older doesn't mean you're safe. Everything is vulnerable to at least one way of attack.
Deal Addict
Mar 15, 2004
3671 posts
183 upvotes
d3van wrote:
Oct 19th, 2017 3:36 pm
With this vulnerability, it means that hackers within range of your wifi network can successfully connect to your network. WPA2, which is the encryption designed to keep your network secure and keep others out of your network, has been proven vulnerable. So if someone is in-range and your AP and devices aren't patched up, they can read the traffic and potentially gain complete access to your wifi network.
I read more about this to try and understand the impact of this vulnerability on private WiFi networks like in your home. From what I understand, you are only vulnerable if this situation happens while you are at home:

1. Suppose your SSID is apple.
2. Hacker sits on your driveway and creates an open hotspot with the same SSID apple.
3. Your WiFi device, i.e. phone or computer, needs to reconnect to your WiFi network, but it somehow reconnects to the hacker's WiFi hotspot and not your actual WiFi network.
4. You start doing non-encrypted activities on your WiFi device. Hacker has all your info.

So really, your private WiFi network is not at risk unless #3 happens and you for some reason typed your WiFi password during #4, and that's when the hacker proceeds to connect to your WiFi private network.

Does anyone else have this understanding when it comes to private WiFi networks?

It just doesn't make sense to me that someone can just sit on your driveway and read all your traffic just because they are in range but not connected to your WiFi network. I mean if this is the case, this means I can just go to the office of some major corporation and see everything every employee is doing because I am in range but not connected to their private WiFi network?
Member
Aug 29, 2001
271 posts
65 upvotes
Toronto
You don't need to be connected to receive a copy of the radio signal that is travelling through the open air.
Whether or not you can understand the signal is the key here (pun intended).
Deal Guru
Nov 5, 2001
10741 posts
1273 upvotes
Edmonton
awestruck wrote:
Oct 24th, 2017 8:47 am
I read more about this to try and understand the impact of this vulnerability on private WiFi networks like in your home. From what I understand, you are only vulnerable if this situation happens while you are at home:

1. Suppose your SSID is apple.
2. Hacker sits on your driveway and creates an open hotspot with the same SSID apple.
3. Your WiFi device, i.e. phone or computer, needs to reconnect to your WiFi network, but it somehow reconnects to the hacker's WiFi hotspot and not your actual WiFi network.
4. You start doing non-encrypted activities on your WiFi device. Hacker has all your info.

So really, your private WiFi network is not at risk unless #3 happens and you for some reason typed your WiFi password during #4, and that's when the hacker proceeds to connect to your WiFi private network.

Does anyone else have this understanding when it comes to private WiFi networks?

It just doesn't make sense to me that someone can just sit on your driveway and read all your traffic just because they are in range but not connected to your WiFi network. I mean if this is the case, this means I can just go to the office of some major corporation and see everything every employee is doing because I am in range but not connected to their private WiFi network?
Read that statement again and let it sink in. Then you will start to realize the seriousness of this flaw.

There are groups that just wardrive all day cataloging vulnerable networks and sift thru the data and cherry pick potential lucrative targets to hack.
Member
Dec 7, 2015
412 posts
78 upvotes
Ottawa, ON
As I understand the Ars article on this, Google decided that instead of ensuring the security is in the OS, they pushed the security requirements on every programmer. Based on my experience managing programmers over a couple of decades, this is a very bad plan (consider how many security leaks are already in programs/devices etc).
Deal Addict
Feb 29, 2012
2662 posts
1389 upvotes
Richmond
To put things in perspective, I was worrying that my devices might have this unpatched KRACK vulnerability - then I discovered this week that my Cisco router has a far worse unpatched vulnerability: every time you change the SSID in the user interface, the WiFi network becomes open and unsecured even though the router continues to report that it is secured! We're fighting a losing battle against crappy coding quality here that's far worse than obscure vulnerabilities. :rolleyes:
Deal Fanatic
Apr 20, 2011
7437 posts
2398 upvotes
ON
Patched my router (Asus) Nov 1st. Good on that end, at least.
willilumplump wrote:
Nov 11th, 2017 2:13 am
As I understand the Ars article on this, Google decided that instead of ensuring the security is in the OS, they pushed the security requirements on every programmer. Based on my experience managing programmers over a couple of decades, this is a very bad plan (consider how many security leaks are already in programs/devices etc).
I read the article as saying the opposite - they built up from the start keeping in mind that you'd be connecting to wifi that's not secure, and assumed nothing was safe. So all core services are encrypted, regardless of the network you connect to.
At the end of the day, it's always up to individual devs to ensure their application is secure. If you install an app that's not secure, the OS can't really help you if someone wants in. Just like browsing HTTP vs HTTPS. They can set HTTPS to be default, but if the server doesn't support it, you're in the clear for anyone to jump in on.
Short of building dedicated VPN tunnels for all traffic (which is a thing Google has/is doing, but only on their own products - Nexus/Pixel), that's pretty much all that could be done. What more did you have in mind?
Member
Dec 7, 2015
412 posts
78 upvotes
Ottawa, ON
You and I read the same info and come to two different conclusions. However, you then say:
aqnd wrote:
Nov 11th, 2017 3:26 pm
At the end of the day, it's always up to individual devs to ensure their application is secure.
My point is that Google's design decision forces this. The programmer must ensure that the security is built into his app. That is a failed strategy. It would be better if the whole thing was designed with more security in the first place.