WPA2 - KRACK

JKalchik
TVWBB Gold Member
Without getting into all of the nerdy details.... some rather serious down 'n dirty details about a WPA2 vulnerability are now out there. In short, WPA2 is *NOT* secure, at least nowhere near as secure as previously thought.

Update your access point's firmware as soon as your vendor has a patchset available.
 
Yeah it is pretty awful, but there are going to be changes needed on both the client and AP side from what it sounded like. They were clearly just waiting for v14 release to announce this because I'm going to have to do a maintenance release. I haven't really gotten all the details as to what needs to be done, because wpa_supplicant (client) needed to be fixed but how can you address such a large security problem in a way that doesn't break compatibility? We use wpad-mini as our supplicant so it will have to be patched as well.

EDIT: Yup, will have to put out a new v14 release with updated packages to avoid key reinstallation in fast BSS translation handshake. Look for that tomorrow!
 
I'm getting the distinct impression as well that client side updates will be required as well. So, what does this mean?

It means that all of your uncontrolled devices need to be segregated off on their own isolated network. Anything that won't or can't be updated to mitigate this vulnerability needs to be isolated off so that those devices don't see your critical traffic.

For FSCK'S SAKE, how'd this vulnerability make it this far? WPA2 has been considered to be relatively secure for how long? And this is a fundamental flaw in implementation that made it through rigorous proof.

Okay, rant off.
 
What's cool is Espressif have released updates to their SDK to address it in their IoT chips: the ESP8266 and ESP32 (among others). In the back of my mind I thought they might just ignore the issue entirely, but was amazed to see they had a fix on 0-day. Doubtful that the actual IoT device manufacturers will make new firmwares for their devices, but at least I can fix my ESP devices!

I'm still waiting on a firmware update for my high-end wifi thermostat that has had a wide open flaw in it for a year and a half so I doubt it is going to get a fix. I love that my air conditioner requires this proprietary part to operate properly (due to the variable speed compressor and fan protocols), it costs close to $1000 for the part if you break one, and the manufacturer can't be bothered to address the security holes that allow pretty much anyone to override my setpoint.
 
Bryan, that's pretty much exactly why I do not have any remote controls of any sort on my HVAC. There's a complete lack of security around access. Under no circumstances should home networks ever be considered to be anything other than a public network. And geofencing scares the daylights out of me for several reasons. If I ever do put some remote controls on my HVAC, it will more than likely be a homebrew on an rPi (and abso-freakin'-lutely not dependent on an external service).

Back to WPA2 KRACK.... yes, I know that it's a flaw in the implementation of the 4-way handshake. That doesn't get around the fact that this has been spread through how many different systems & vendors? I don't believe for a second that this is the first time this has been discovered. Somebody else has to have figured this out, and been exploiting it.
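Added example, not code from this thread and not from wpa_supplicant, hostapd or OpenWrt: a toy Python model of the supplicant side of the 4-way handshake, showing what the "key reinstallation" fix mentioned earlier in the thread changes. The unpatched model reinstalls the pairwise key (PTK) every time message 3 arrives, and installing a key resets the packet number that CCMP uses as its nonce, so a retransmitted message 3 makes later frames repeat nonces already used under the same key. The patched model acts on message 3 once and keeps the counter running. The key bytes, frame payloads and the sha256-based keystream are constructed stand-ins for real CCMP.

```python
import hashlib
from typing import Tuple


class Supplicant:
    """Toy model of the client side of the WPA2 4-way handshake.

    Only the behaviour relevant to KRACK is modelled: processing message 3
    installs the PTK, and installing a key restarts its packet number (the
    CCMP nonce counter) at zero. Constructed example, not real supplicant code.
    """

    def __init__(self, ptk: bytes, patched: bool):
        self.ptk = ptk
        self.patched = patched        # True: refuse to reinstall an in-use key
        self.key_installed = False
        self.packet_number = 0        # per-key packet number used as the nonce

    def handle_message3(self) -> bool:
        """Process a (possibly retransmitted) message 3.

        Returns True if the PTK was (re)installed, False if it was ignored.
        """
        if self.key_installed and self.patched:
            # Patched behaviour: message 3 is acted on once. A retransmission
            # does not reinstall the PTK, so the packet number keeps counting.
            return False
        # Unpatched behaviour: every message 3 reinstalls the PTK, and the
        # packet number restarts at zero as it would for a fresh key.
        self.key_installed = True
        self.packet_number = 0
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame. Keystream depends only on (PTK, packet number)."""
        assert self.key_installed, "no key installed yet"
        self.packet_number += 1
        nonce = self.packet_number
        keystream = hashlib.sha256(self.ptk + nonce.to_bytes(6, "big")).digest()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return nonce, ciphertext


def nonce_reuse_count(patched: bool, frames_per_round: int = 2) -> int:
    """Run one session in which message 3 is delivered twice (the second
    delivery models the AP retransmitting it). Returns how many frames were
    sent with a (PTK, nonce) pair that had already been used."""
    sup = Supplicant(b"constructed-ptk-16B", patched)
    seen_nonces = set()
    reused = 0
    for _round in range(2):              # first delivery, then a retransmit
        sup.handle_message3()
        for i in range(frames_per_round):
            nonce, _ct = sup.encrypt(f"frame payload {i}".encode())
            if nonce in seen_nonces:     # a monitor would flag this frame
                reused += 1
            seen_nonces.add(nonce)
    return reused


if __name__ == "__main__":
    print("unpatched supplicant, reused nonces:", nonce_reuse_count(False))
    print("patched supplicant, reused nonces:", nonce_reuse_count(True))
```

With the unpatched model every frame sent after the retransmitted message 3 repeats a nonce from before it; with the patched model the count is zero because the counter is never reset. The same nonce-repeat check is what a wireless monitor can look for as a detection signal, independent of which vendor's client is in use.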
 
I guess it depends on the vendor, but I would argue against "There's a complete lack of security around access" with regards to things like the Nest, Ecobee and other thermostats and similar products. I consider myself to be pretty security conscious and I'm not losing any sleep over my Nest thermostat and smoke detectors in the house. That being said, I wouldn't hesitate to remove them ASAP if there was a major exploit found. For now, I find the value they provide outweighs any unfounded concern.

Things like the Amazon Echo and Google Home are a little more concerning to me, having an always-on microphone seems like a bigger risk for the value they provide.
 
In theory it should be in the snapshot, but I haven't even flashed the image to an SD card to test it so definitely beware of that. I am working on the 8192cu wifi driver issues and hope to bundle those for a v15 release.

If someone does test the snapshot, let me know if it works at all!
 
I tried the snapshot but the Login page is bugged:

/usr/lib/lua/luci/dispatcher.lua:354: Access Violation
The page at 'admin/lm/home/' has no parent node so the access to this location has been denied.
This is a software bug, please report this message at https://github.com/openwrt/luci/issues
stack traceback:
[C]: in function 'assert'
/usr/lib/lua/luci/dispatcher.lua:354: in function 'dispatch'
/usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>
 
Dang, well that's not encouraging. I'll post back here when I have an update but I am sort of in the middle of the wifi driver thing still so I don't want to drop that.
 
On the luci page they suggest running the httpd as root or with the suid bit set as a workaround, but I honestly doubt that's a good idea :D
It's not really a solution.
 
This should be working now in the snapshot, along with fixes for the Access Violation error and system status bug (snapshot only). The fix is in package hostapd-common 2017-08-24-c2d4f2eb-3 and wpad-mini 2017-08-24-c2d4f2eb-3.
 
The only thing they can get is our temperature.
I think the media have blown this up way too far.
Patch your PC, mobiles and, if it needs it, the router.
Don't worry, be happy smokin'
 