Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server.

Is this something that MS can push an update out for to fix, or does the
wifi chip vendor need to fix device firmware or device driver?

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

He who is J.O. Aho said on Mon, 16 Oct 2017 21:08:48 +0200:

They do use a tool commonly used in man-in-the-middle attacks, to strip
away the tls and send the content to the client machine unencrypted. As
they did explain in the video, many don't check in their mobile devices
that they have tls communication or not and those they will be able to
carry out the attack to see the the login credentials in this example.

This has nothing to do with KRACK itself.

Thanks for explaining *how* they manage to unencrypt *some* encrypted web
sites but not others, as I wasn't sure how they did that.

I was wrong in assuming it was the KRACK attack, which seems to be that
they simply hijack the third of the four handshakes, usually from the
client side, and force it to be resent where in some cases, it's resent as
all zeroes where in other cases it's just resent as a known nonce.

Is that a decent summary or can you summarize the attack mode better?

He who is William Unruh said on Mon, 16 Oct 2017 19:58:55 -0000 (UTC):

It seems that the reason Windows is more resistant is because they did
not no impliment the full spec for WPA2.

Thanks for explaining that as this nonce stuff has certain unexpected
nuances.

However, we have to be a bit careful with any early conclusions such as
mine yesterday (before the paper came out) that routers were originally
involved more so than clients, which turns out, as noted, to be not the
case - the mobile device and desktop clients are the weak link here.

However, all conclusions from the paper at the moment are preliminary
because the paper was sent for review on the 19th May where the authors
found out more information afterward that's not in the paper, but it *does*
seem that some OS'es (e.g., MacOS & Android 6+ & Ubuntu, for example) are
apparently far more acutely affected than are the Windows based WPA1 and
WPA1 implementations (or the iOS implementation).

harry newton wrote:
He who is Bill Bradshaw said on Mon, 16 Oct 2017 09:23:19 -0800:

It appears if you do not use or have WiFi and WPS enabled you should
be secure from this. Since I have both disabled I assume I am safe
because I use neither.

More so than routers, mostly all known wifi "clients" are affected (e.g.,
all consumer smartphones and computers) that use either WPA or WPA2
(enterprise or personal), and even against networks that just use AES.

Some encrypted web sites are also affected, such as Match.com (as shown in
the aforementioned video).

So you're right that it's not a big deal that there is no encryption in all
these cases because the the man in the middle has to be nearby.

Ubuntu just pushed out a patch today.

sudo apt-get update && sudo apt-get -y upgrade

and you are good to go.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

He who is Jonathan N. Little said on Mon, 16 Oct 2017 18:13:09 -0400:

Ubuntu just pushed out a patch today.

sudo apt-get update && sudo apt-get -y upgrade

and you are good to go.

We have to be careful about "a patch" since there are actually multiple
vulnerabilities, although perhaps one patch fixes all.

Ubiquiti released this today for example...where my rooftop radios can pick
up the signals from over a million people, so, that many people can attack
me.

"You are mostly covered if you are running v8.4.0 (AC series) or v6.0.7 (M
series). We will fully resolve the issue with v8.4.2/v6.1.2 (betas aimed
for the end of this week). Furthermore, our proprietary airMAX protocol
makes simple attacks more difficult to carry out.

Will be fully fixed with v8.4.2/v6.1.2:
CVE-2017-13077: reinstallation of the pairwise key in the Four-way
handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way
handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key
handshake
Unaffected:
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
Request and reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
processing a Wireless Network Management (WNM) Sleep Mode Response frame"

Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server.

Is this something that MS can push an update out for to fix, or does the
wifi chip vendor need to fix device firmware or device driver?


Fixed on Patch Tuesday. Good luck collecting
detailed proof though.

https://social.technet.microsoft.com...0itprosecurity

There's a Wifi architecture diagram here. This is so
you can see the degrees of freedom allowed.

https://docs.microsoft.com/en-us/win...e-architecture

I'd wait for some "expert" opinion. I'd accept the
opinion of the Microsoft staffer who wrote the patch :-)
Anyone else, not so much.

Paul

Paul wrote:
Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server.

Is this something that MS can push an update out for to fix, or does the
wifi chip vendor need to fix device firmware or device driver?


Fixed on Patch Tuesday. Good luck collecting
detailed proof though.

https://social.technet.microsoft.com...0itprosecurity


There's a Wifi architecture diagram here. This is so
you can see the degrees of freedom allowed.

https://docs.microsoft.com/en-us/win...e-architecture


I'd wait for some "expert" opinion. I'd accept the
opinion of the Microsoft staffer who wrote the patch :-)
Anyone else, not so much.

Paul

Microsoft CVE Notice

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080
qpWhen did Microsoft release the security updates to address this
vulnerability?
Microsoft released security updates on October 10, 2017 as part of Update
Tuesday to resolve this vulnerability in all affected editions of Windows.
Customers who have Windows Update enabled and who applied the latest
security updates are protected automatically. The Security Update Guide was
updated on October 16, 2017 to provide full disclosure on this vulnerability
in accordance with a multi-vendor coordinated disclosure.
/qp

Also, if using a NetGear router see....
https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837
/qp
NETGEAR is aware of WPA-2 security vulnerabilities that affect NETGEAR
products that connect to WiFi networks as clients. These vulnerabilities are
potentially exploitable under the following conditions:
•Your devices are only vulnerable if an attacker is in physical proximity to
and within wireless range of your network.
•****Routers and gateways are only affected when in bridge mode**** (which
is not enabled by default and not used by most customers). A WPA-2 handshake
is initiated by a router in bridge mode only when connecting or reconnecting
to a router
/qp


--
...winston
msft mvp windows experience 2007-2016, insider mvp 2016-2018

He who is harry newton said on Mon, 16 Oct 2017 22:03:42 +-0000 (UTC):

Thanks for explaining that as this nonce stuff has certain unexpected
nuances.

Here's every patch for KRACK Wi-Fi vulnerability available right now
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes
for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in
a software update in a few weeks.

MORE SECURITY NEWS

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Homeland Security orders federal agencies to start encrypting sites, emails
+IAs-OnePlus dials back data collection after users protest
These fake tax documents spread jRAT malware
Arris: a spokesperson said the company is "committed to the security of our
devices and safeguarding the millions of subscribers who use them," and is
"evaluating" its portfolio. The company did not say when it will release
any patches.

Aruba: Aruba has been quick off the mark with a security advisory and
patches available for download for ArubaOS, Aruba Instant, Clarity Engine
and other software impacted by the bug.

AVM: This company may not be taking the issue seriously enough, as due to
its "limited attack vector," despite being aware of the issue, will not be
issuing security fixes "unless necessary."

Cisco: The company is currently investigating exactly which products are
impacted by KRACK, but says that "multiple Cisco wireless products are
affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi
Protected Access protocol standards," a Cisco spokesperson told ZDNet.
"When issues such as this arise, we put the security of our customers first
and ensure they have the information they need to best protect their
networks. Cisco PSIRT has issued a security advisory to provide relevant
detail about the issue, noting which Cisco products may be affected and
subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will
continue publishing additional software fixes for affected products as they
become available," the spokesperson said.

In other words, some patches are available, but others are pending the
investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets,
namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards
for a fix.

Fortinet: At the time of writing there was no official advisory, but based
on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer
vulnerable to most of the CVEs linked to the attack, but the latest branch,
5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Google: Google told sister-site CNET that the company is "aware of the
issue, and we will be patching any affected devices in the coming weeks."

HostAP: The Linux driver provider has issued several patches in response to
the disclosure.

Intel: Intel has released a security advisory listing updated Wi-Fi drives
and patches for affected chipsets, as well as Intel Active Management
Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and
Debian builds can patch now, while OpenBSD was fixed back in July.

Netgear: Netgear has released fixes for some router hardware. The full list
can be found here.

Microsoft: While Windows machines are generally considered safe, the
Redmond giant isn't taking any chances and has released a security fix
available through automatic updates.

MikroTik: The vendor has already released patches that fix the
vulnerabilities.

OpenBSD: Patches are now available. (The *******s allowed a diff to be
performed by the bad guys!)

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects
users against the attack.

Wi-Fi Alliance: The group is offering a tool to detect KRACK for members
and requires testing for the bug for new members.

Wi-Fi Standard: A fix is available for vendors but not directly for end
users.

At the time of writing, neither Toshiba and Samsung responded to our
requests for comment. If that changes, we will update the story.

On 2017-10-16, harry newton wrote:
This nonce KRACK vulnerability is in *everything*, including smart phones
(iOS & Android) and computers (Mac/Windows/Linux) and routers
(Netgear/Cisco/TPLink) ....

Yet there are still people who think the "Internet of Things" is a good idea.

Huge numbers of cheap wifi-connected devices, many poorly-designed, most of
them likely never receiving security updates. What could possibly go wrong?

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

He who is Roger Blake said on Tue, 17 Oct 2017 01:03:46 -0000 (UTC):

Huge numbers of cheap wifi-connected devices, many poorly-designed, most of
them likely never receiving security updates. What could possibly go wrong?

Well, much more information is out today than yesterday, where it appears
that this situation was handled well since May of this year.

The one open-source fiasco was the anomaly of OpenBSD, which the authors
vowed to never let happen again.

Otherwise, the proprietary solutions were all fixed (or being fixed) in the
way that'd you'd expect.

The problem is in all WiFi WPA1 and WPA2 implementations, but mostly in
Linux and Android "clients" and less so in iOS and Windows clients.

Likewise less so in "routers" not set up as "bridges" (where,
unfortunately, almost all the many routers in my home are almost all set up
as bridges or as stations - all of which are vulnerable).

I guess, when the smoke clears, the problem will be the unsupported
devices, of which Android may be a significant set as may be some of the
older routers and access points.

On 10/16/17 23:53, harry newton wrote:
He who is J.O. Aho said on Mon, 16 Oct 2017 21:08:48 +0200:

They do use a tool commonly used in man-in-the-middle attacks, to strip
away the tls and send the content to the client machine unencrypted. As
they did explain in the video, many don't check in their mobile devices
that they have tls communication or not and those they will be able to
carry out the attack to see the the login credentials in this example.

This has nothing to do with KRACK itself.

Thanks for explaining *how* they manage to unencrypt *some* encrypted web
sites but not others, as I wasn't sure how they did that.

You can think of it like

[client]-----[MITM HTTP-service]---[MITM client]---[HTTPS Site]

or if you want to keep encryption

[client]-----[MITM HTTPS-service]---[MITM client]---[HTTPS Site]

In the first case the client connect to the Man-in-the-middle (MITM)
over http, MITM then resends the data over HTTPS to the site the client
tried to connect to.

In the second example the MITM do allow the client to connect with
HTTPS, the certificate which the MITM has will not be the same as on the
site, so if the client don't verify the certificate, then the attack works.

If you want to read more in detail and better explained how MITM works,
please take a look at:
https://www.owasp.org/index.php/Man-...-middle_attack


I was wrong in assuming it was the KRACK attack, which seems to be that
they simply hijack the third of the four handshakes, usually from the
client side, and force it to be resent where in some cases, it's resent as
all zeroes where in other cases it's just resent as a known nonce.

Is that a decent summary or can you summarize the attack mode better?

I wouldn't say it's hijacked, as you can resend the third request
without knowing the first request. The request is sent to the client and
on the client side, if you have followed the specification and cleared
out the key already, then a zero-key used.
I think they did explain this well on the video.

--

//Aho

On 10/16/17 23:31, Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server.

Is this something that MS can push an update out for to fix, or does the
wifi chip vendor need to fix device firmware or device driver?


No, not the chip vendor, the manufacturer of the device, for example to
get a fix for your phone, the phone manufacturer has to push out a fix,
then your phone operator may have a custom firmware for your phone, then
you may be vulnerable a lot longer.
When it comes to your wifi, the Access point is usually not a client, so
it's not as vulnerable to the issue. It's important to get updates to
your devices that connects to wifi.

On 2017-10-17, J.O. Aho wrote:
On 10/16/17 23:31, Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server.

Is this something that MS can push an update out for to fix, or does the
wifi chip vendor need to fix device firmware or device driver?


No, not the chip vendor, the manufacturer of the device, for example to
get a fix for your phone, the phone manufacturer has to push out a fix,
then your phone operator may have a custom firmware for your phone, then
you may be vulnerable a lot longer.

As I understand it on Android, it uses wpa_supplicant to make the WPA2
connection, and what is needed is to push an updated wpa_supplicant
onto the phone (and presumably something similar for IOS).
I do not think it has anything to do with the firmware.



When it comes to your wifi, the Access point is usually not a client, so
it's not as vulnerable to the issue. It's important to get updates to
your devices that connects to wifi.

On 17-Oct-17 1:17 AM, harry newton wrote:
He who is harry newton said on Mon, 16 Oct 2017 22:03:42 +-0000 (UTC):

Thanks for explaining that as this nonce stuff has certain unexpected
nuances.

Here's every patch for KRACK Wi-Fi vulnerability available right now
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/


Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes
for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in
a software update in a few weeks.

MORE SECURITY NEWS

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Homeland Security orders federal agencies to start encrypting sites, emails
+IAs-OnePlus dials back data collection after users protest
These fake tax documents spread jRAT malware
Arris: a spokesperson said the company is "committed to the security of our
devices and safeguarding the millions of subscribers who use them," and is
"evaluating" its portfolio. The company did not say when it will release
any patches.

Aruba: Aruba has been quick off the mark with a security advisory and
patches available for download for ArubaOS, Aruba Instant, Clarity Engine
and other software impacted by the bug.

AVM: This company may not be taking the issue seriously enough, as due to
its "limited attack vector," despite being aware of the issue, will not be
issuing security fixes "unless necessary."

Cisco: The company is currently investigating exactly which products are
impacted by KRACK, but says that "multiple Cisco wireless products are
affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi
Protected Access protocol standards," a Cisco spokesperson told ZDNet.
"When issues such as this arise, we put the security of our customers first
and ensure they have the information they need to best protect their
networks. Cisco PSIRT has issued a security advisory to provide relevant
detail about the issue, noting which Cisco products may be affected and
subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will
continue publishing additional software fixes for affected products as they
become available," the spokesperson said.

In other words, some patches are available, but others are pending the
investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets,
namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards
for a fix.

Fortinet: At the time of writing there was no official advisory, but based
on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer
vulnerable to most of the CVEs linked to the attack, but the latest branch,
5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Google: Google told sister-site CNET that the company is "aware of the
issue, and we will be patching any affected devices in the coming weeks."

HostAP: The Linux driver provider has issued several patches in response to
the disclosure.

Intel: Intel has released a security advisory listing updated Wi-Fi drives
and patches for affected chipsets, as well as Intel Active Management
Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and
Debian builds can patch now, while OpenBSD was fixed back in July.

Netgear: Netgear has released fixes for some router hardware. The full list
can be found here.

Microsoft: While Windows machines are generally considered safe, the
Redmond giant isn't taking any chances and has released a security fix
available through automatic updates.

MikroTik: The vendor has already released patches that fix the
vulnerabilities.

OpenBSD: Patches are now available. (The *******s allowed a diff to be
performed by the bad guys!)

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects
users against the attack.

Wi-Fi Alliance: The group is offering a tool to detect KRACK for members
and requires testing for the bug for new members.

Wi-Fi Standard: A fix is available for vendors but not directly for end
users.

At the time of writing, neither Toshiba and Samsung responded to our
requests for comment. If that changes, we will update the story.

Thanks, Harry.

Have you read/watched here?
http://www.techrepublic.com/article/...-whos-at-risk/

--
David B.

He who is David_B said on Tue, 17 Oct 2017 09:04:31 +0100:

Have you read/watched here?
http://www.techrepublic.com/article/...-whos-at-risk/

Nice find.
http://www.techrepublic.com/article/krack-wpa2-protocol-wi-fi-attack-how-it-works-and-whos-at-risk/
KRACK WPA2 protocol Wi-Fi attack: How it works and who's at risk

Salient points:
.. There are 10 CVE identifiers
.. All WPA is likely affected especially Android 6.0+ & Linux/MacOS clients
.. https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&S earchOrder=4
.. Lynchpin is the 4-way handshake to join a WPA network
.. wpa_supplicant is the Wi-Fi library that handles the 4-way handshake
.. The SSID passphrase is verified & an encryption key is negotiated
.. The client waits for the access point to acknowledge the encryption key
.. The client will receive the encryption key multiple times in that case
.. The client is expected to reinstall that rebroadcast encryption key
.. The client is expected to reset the incremental packet transit nonce
.. The result is a blank (all zero) encryption key