G W Posted October 16, 2017 Posted October 16, 2017 We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. Full Article Here: https://www.krackattacks.com Sent from my SM-G955U1 using Tapatalk
paulbates Posted October 16, 2017 Posted October 16, 2017 Like heartbleed a few years back, I would consider a risk management mindset before panicking over this one. Yes, the Severity is high, but the probability of some internet boogey man parking in my driveway to hack specific un-patched devices my house is near zero. They would have to pick my house out of the ~125 million houses in the US and be willing to be seen visibly, openly by my many neighbors. This exploit was discovered in the lab several months ago, and the announcement was suppressed to allow the time to patch it. MS released fixes in its October updates, and Apple has fixes in beta for Mac and ios. Google has promised fixes in the next few weeks. The Holy OS Trinity will be inoculated before this experiment escapes the lab in a real world exploitable way. Embedded Linux devices: iot could be problematic some day, but keep in mind the attacker has to be in wifi range of the device, sitting on the front porch or on back deck in my case. (Very akin to insteon exploits.. the attacker has to be very, very close)... and they have to know about me, the app stack in my linux iot devices and what they stand to gain from exploiting them. Would it really be worth it? No. Apartment/Condo dwellers are potentially more exposed as their wifi is more accessible. As always, any public network (airport, hotel, coffee shop) remain significantly most risky as no WPA is involved (as they always have been every time they are connected to with no VPN) I'm glad the good guys found this one. Paul
MWareman Posted October 17, 2017 Posted October 17, 2017 Everything Paul said. I worry about devices like the Insteon Hub, SmartThings Hub, Nest, Foscam cameras, cheap Chinese LED controllers, connected fridges, etc etc (insert any IOT with embedded WiFi) where the needed update may be many months, years or never... ISY is not affected because it has no embedded WiFi.
G W Posted October 17, 2017 Author Posted October 17, 2017 I'm not worried. Sent from my Nexus 6P using Tapatalk
Scottmichaelj Posted October 17, 2017 Posted October 17, 2017 Everything Paul said. I worry about devices like the Insteon Hub, SmartThings Hub, Nest, Foscam cameras, cheap Chinese LED controllers, connected fridges, etc etc (insert any IOT with embedded WiFi) where the needed update may be many months, years or never... ISY is not affected because it has no embedded WiFi. Everything Paul & Michael said. This is also a reason I am really enjoy having pfsense as my router. It allows so much customization its crazy. Admittedly the more advanced settings are over my head but each day I learn more and more. Plus theres a great forum and lots of YouTube videos. LEDs talking to China? Not on my watch!
G W Posted October 17, 2017 Author Posted October 17, 2017 Yeah. What Scott said. Sent from my Nexus 6P using Tapatalk
elvisimprsntr Posted October 17, 2017 Posted October 17, 2017 Here is the most comprehensive list I’ve come across listing how vendors are doing. Apple, pfSense, LEDE, DDWRT are already testing patches. I’m already running iOS 11.1b3 which includes the patches. What is most alarming is companies like Google and Amazon are still in the evaluation phase. What have they been doing for 3 months? https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
Xathros Posted October 17, 2017 Posted October 17, 2017 What is most alarming is companies like Google and Amazon are still in the evaluation phase. What have they been doing for 3 months? Shopping... Amazon needed groceries and Google needed new HTC phones.
elvisimprsntr Posted October 17, 2017 Posted October 17, 2017 Let me take a guess. The terms of service likely state there is no expressed or implied warranty, and/or has an arbitration clause, thus no financial incentive or threat of class action lawsuit. CFO: What’s the potential company liability and threat to my bonus? CIO: None CFO: Good, don’t spend any resources on it. Apple on the other hand prides itself on protecting consumer privacy as they deem it a market advantage.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.