KRACK attack – bad, but the sky isn’t falling

    #138060

    Overnight, interest in the so-called KRACK attack (“Key Reinstallation attack”) hit fever proportions. The details just hit. You can read the disclosu
    [See the full post at: KRACK attack – bad, but the sky isn’t falling]

    • #138079

      Would hiding the SSID broadcast for a WiFi network help with preventing attacks? I heard that suggestion last night on IRC and I was hoping that could be a viable solution until the patches for my devices get released (I have a Samsung Galaxy Grand Prime and Samsung hasn’t released any patches for it since March… thanks Samsung for looking out for my security!)

      • #138087

        Not broadcasting the SSID can help some in hiding your router from the average user. There are some side effects.

        On my Netgear router, not broadcasting the SSID disables WPS (which in itself is insecure, so that may be good to some people). Another side effect is that some devices can’t cope with not seeing the SSID and may be unable to connect. I have an old (1st generation) Kindle, the one with the manual keyboard, and it has to see an SSID.

      • #138095

        As @PKCano says, hiding your SSID only protects you from outright amateurs. The recommendation that you hide your SSID to prevent KRACK is about as well-informed as the recommendation to update your antivirus software to protect against Stuxnet, WannaCry or Petya. It won’t do a thing, and the person who recommended it should be drawn and quartered.

        Follow Kevin and Cimpanu’s recommendations – install fixes to your router(s) when they’re available – and don’t worry about it.

        Oh. And tell your friends. There’s so much BS being shoveled at the moment, it’s embarrassing.

        3 users thanked author for this post.
      • #138176

        Hiding the SSID is a very bad idea. I’m mad that “experts” (not users) still recommend that. It can in fact make you less secure, as when it is hidden, Windows will periodically check for the hidden network saved and could give hints to hackers about putting a honey pot for you.

        Even Microsoft recommends against it. Look at this 2008 article:

        https://blogs.technet.microsoft.com/networking/2008/02/08/non-broadcast-wireless-ssids-why-hidden-wireless-networks-are-a-bad-idea/

        1 user thanked author for this post.
    • #138112

      Glad sky’s not falling. If it were am I right to think that using ethernet cable from modem OR using VPN would protect?

      • #138119

        Glad sky’s not falling. If it were am I right to think that using ethernet cable from modem OR using VPN would protect?

        Wired connections:  protected (from this hack)

        VPN: Likely protected, depending on the quality of your VPN provider and connection method.

        ~ Group "Weekend" ~

        1 user thanked author for this post.
    • #138081

      Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.

      Need to change the Wifi password/key daily?

      • #138114

        Changing the password won’t help.  The key that can be intercepted isn’t the one you type in when you want to associate with the network for the first time– that one can’t be discovered via the exploit.  It’s a key you never see that can be discovered.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      • #138123

        DoublePulsar also reports that the issue is patchable on both the client and host side.  What they don’t say is whether it needs to be patched on both to prevent the exploit, or if either side being patched would prevent it… or whether the patch needs to be in Windows or in the driver for the wifi card.  In Linux, most such drivers are part of the kernel package, so updating the kernel brings all of the new drivers with it, but Windows, of course, is not like that.

         

         

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
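
Added illustration (not part of any post in this thread, and not code from the KRACK researchers or any vendor): a simplified Python model of the rule quoted in #138081, that a key should only be installed and used once. The names `Client`, `on_message3` and `send_frame` are hypothetical and a SHA-256 keystream stands in for WPA2's real cipher; the model compares a client that reinstalls the session key when handshake message 3 is retransmitted with one that keeps the key it already has, which is the behaviour client-side patches aim for.

```python
import hashlib

# Constructed sample keys for this example; real session keys are derived
# during the 4-way handshake and are never typed in by the user.
SESSION_KEY = bytes(range(16))
REKEYED_SESSION_KEY = bytes(range(16, 32))


def keystream(key: bytes, packet_number: int, length: int = 16) -> bytes:
    """Stand-in per-frame keystream: a function of (key, packet number) only."""
    return hashlib.sha256(key + packet_number.to_bytes(6, "big")).digest()[:length]


class Client:
    """Toy Wi-Fi client that tracks key installation and frame counters."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.installed_key = None
        self.packet_number = 0       # incremented for every frame sent
        self.seen_keystreams = set()
        self.reused = []             # packet numbers whose keystream repeated

    def on_message3(self, session_key: bytes) -> str:
        """Handle handshake message 3, which the AP may legitimately resend."""
        if self.patched and session_key == self.installed_key:
            # Patched behaviour: answer the retransmission, but do not
            # reinstall a key that is already in use.
            return "ack-only"
        # Installing a key resets the packet counter. That is correct for a
        # fresh key and harmful when the same key is installed again.
        self.installed_key = session_key
        self.packet_number = 0
        return "installed"

    def send_frame(self) -> bytes:
        if self.installed_key is None:
            raise RuntimeError("no session key installed yet")
        self.packet_number += 1
        ks = keystream(self.installed_key, self.packet_number)
        if ks in self.seen_keystreams:
            self.reused.append(self.packet_number)
        self.seen_keystreams.add(ks)
        return ks


def run_handshake(patched: bool) -> list:
    """Install a key, send 3 frames, receive message 3 again, send 2 more.

    Returns the packet numbers that were encrypted with a repeated keystream.
    """
    client = Client(patched)
    client.on_message3(SESSION_KEY)
    for _ in range(3):
        client.send_frame()
    client.on_message3(SESSION_KEY)  # retransmitted message 3, same key
    for _ in range(2):
        client.send_frame()
    return client.reused


if __name__ == "__main__":
    print("unpatched client, reused packet numbers:", run_handshake(False))
    print("patched client, reused packet numbers:  ", run_handshake(True))
```

The Wi-Fi passphrase never appears in the model, which matches the answer in #138114: the problem is how the per-session key is handled, so changing the passphrase does not affect it.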

    • #138118

      Sky’s not falling today because there’s no script kiddy tool available yet for this hack.  Consider this our advance warning – we have some time during which we should try to prepare our systems for the surge.

      Sometime in the near future we will see this break out into the wild.  And as speculated in my other post last night, it looks like almost everything that uses Wi-Fi will need updates. If you are an admin for a secure environment, this needs to be a priority before the actual storm hits.  AP’s first then all devices on your network.

      Bleeping computer has posted a nice running list of major players that have released or announced forthcoming updates, or not.  Great page to check against your devices.  Might want to bookmark it — they will be updating it as more patches are announced.

      https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

      One sore point (from that list) is Android.  Google has not yet patched, and even if they do many of us will be unable to get the patch until our carriers accept the firmware update and deliver it.  For many phone models this may take months, if ever.

      I’m also concerned about Intel – there are an amazing number of Wi-Fi/Bluetooth modules from them in almost all modern business class laptops.

      ~ Group "Weekend" ~

      4 users thanked author for this post.
      • #138131

        Verge reports that Microsoft has stated they already fixed this in a recent patch.

        https://www.theverge.com/2017/10/16/16481818/wi-fi-attack-response-security-patches

        If true, (details direct from MS are coming later today) then I was wrong that this might require firmware updates to Windows devices.

        ~ Group "Weekend" ~

        2 users thanked author for this post.
        • #138161

          MS has released their notes on the WPA2 Krack hack.

          https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

          Appears they patched this last week (October 2017 Patch Tuesday) but posted the article today in compliance with the industry’s disclosure schedule.

          Reading this I am getting the distinct feeling that we should still install updated drivers for Wi-Fi adaptors on Windows machines.

          Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?

          The provided security updates address the reported vulnerabilities; however, when affected Windows based systems enter a connected standby mode in low power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware. To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers.

          Fun!

          ~ Group "Weekend" ~

          3 users thanked author for this post.
          • #138179

            Maybe another reason to not use the connected standby mode…

            On my desktop, there is a setting in the BIOS to be compliant with low power standards for saving the planet or something. I don’t remember the exact name and it is turned off by default, but it has the interesting effect of disabling any capability to automatically turn on the computer when it is off by having a trigger to get updates or receive a magic packet from the network to wake the computer, which basically is when I want it off, it is really off!

    • #138132

      Correct me if I’m wrong:

      Insofar as PC’s and laptops are concerned, a firmware update for the wireless router AND drivers/ firmware for the wireless network card connecting to the router are needed for all devices from respective manufacturers?

      If so, this could take a while, especially if there are different manufacturers involved

      Smartphones, tablets, Smart TV’s, Smart meters, Sonos etc…this list is bigger than first impressions.

      If debian is good enough for NASA...
      • #138138

        Yes both AP’s and client devices will need updates.

        The list is huge.  And a large number of devices will never get updates.

        I’m seeing notes here and there on various forums that the access points are not really the problem (although they should be patched when possible asap) . . .  it’s client devices that will be hit the worst.

        I am thinking that turning WiFi off on a smartphone when you are walking/driving around might be a very good idea until you get a fix.

        And as for the unknown masses of IoT devices . . .  this is pretty horrible to contemplate.  Such a mixed bag of unsupported things, and odd manufacturers that never provide fixes, and several I can think of that don’t even provide a method to update.

        ~ Group "Weekend" ~

        1 user thanked author for this post.
        • #138168

          IoT devices may potentially be the worst depending on after sales support/ web support. Instinctively I gave IoT a wide berth 😉

          If debian is good enough for NASA...
    • #138136

      From How the KRACK attack destroys nearly all Wi-Fi security:

      “While Windows and iOS devices are immune to one flavor of the attack, they are susceptible to others. And all major operating systems are vulnerable to at least one form of the KRACK attack. And in an addendum posted today, the researchers noted that things are worse than they appeared at the time the paper was written:”

      2 users thanked author for this post.
    • #138164
      1 user thanked author for this post.
      • #138170

        Aha! Do these fixes pertain to the patches that are currently on MS-Defcon 1?

        i.e.

        10/16/2017 Windows 8.1 for x64-based system (Security only) kb4041687

        ‘Security updates to Microsoft Windows Search Component, Windows kernel-mode drivers, Microsoft Graphics Component, Internet Explorer, Windows kernel, Windows Wireless Networking, Windows Storage and Filesystems, Microsoft Windows DNS, Windows Server, Microsoft JET Database Engine, and the Windows SMB Server.’

        If debian is good enough for NASA...
        • #138343

          Yes – it does appear that the KRACK attack fixes were bundled in the Windows 10 October Cumulative updates, e.g. kb4041676

          see: https://www.bleepingcomputer.com/news/security/microsoft-quietly-patched-the-krack-wpa2-vulnerability-last-week/

          So – since the Woody recommendation is currently not to apply these patches, what do we do??

          Chris.

          • #138349

            Woody’s is quite aware of these circumstances, and the DEFCON number is still 1. He weighs the risks and changes the DEFCON number accordingly. The go-ahead is DEFCON 3 or above, and at the time, Woody also publishes instructions on updating – what to do and what to watch out for.

            1 user thanked author for this post.
            • #138793

              For Group B users installing Monthly Security Only Updates (which I understand are NOT cumulative), if we were to forego installing any month’s security package, doesn’t it mean that our system will be inadequately patched against known security vulnerabilities ?

              Microsoft doesn’t update the Monthly Security Only Updates (non-cumulative) after their initial release. I notice that their respective SHA-1 file hashes always remain identical even months later.

              So for instance, if Oct 2017’s patches never reach DEFCON 3 or above, & we don’t install this Oct 2017 Security Only package, won’t our system remain vulnerable to KRACK-WPA2 in the long run ?

            • #138801

              For Group B users installing Monthly Security Only Updates (which I understand are NOT cumulative), if we were to forego installing any month’s security package, doesn’t it mean that our system will be inadequately patched against known security vulnerabilities ?

              The security-only patches are NOT cumulative. If you do not install the patch, you do not install the security fixes it contains. The system will not be patched against the vulnerabilities it corrects.

              So for instance, if Oct 2017’s patches never reach DEFCON 3 or above,

              The DEFCON number is an indicator of when to WAIT and when to PROCEED. It is kept at 1-2 to tell you that the problems are not known yet. Sometime before the next Patch Tuesday, Woody will feel like he knows where the pitfalls are and give the go-ahead with DEFCON 3-5. At some point, you will be able to install the update.

              IF you then choose not to install the update, your computer will remain vulnerable to the security fixes contained in the update.

            • #138963

              @PKCano — Thanks for the above clarification.

              1) I seem to recall that Sep 2017 patches only attained a max of DEFCON 2 here before Oct 2017’s patches arrived. This seems also the case for some other months as well. Hence the query.

              Assuming Sep 2017’s patch status did reach DEFCON 3 or above, but was overwritten by the new DEFCON status for Oct 2017’s Patch Tuesday releases, perhaps the DEFCON indicator at the top of this website can be expanded for better clarity — such as showing not just the current month’s status, but also the last 1 or 2 months’ statuses.

              For instance:
              Oct 2017: MS-DEFCON 2
              Sep 2017: MS-DEFCON 3
              Aug 2017: MS-DEFCON 3

               

              2) I’ve read through the Group B: Monthly Security Only update advisory (Win 7 & 8.1) several times over several months. The advisory emphasizes that the monthly security only packages must be installed in chronological order, but to date, doesn’t mention the consequences (if any) if the packages were installed in non-chronological order.

              For example, what might possibly happen if we intentionally skip (or accidentally forgot to) install, say, Sep &/or Oct 2017’s Security Only package(s), proceed to install Nov 2017’s Security Only package, & then subsequently install Sep &/or Oct 2017’s package(s) ?

              Is Win OS or some programs going to become non-functional, or would the installed security packages be rendered ineffective ?

              When Windows Updates were previously offered as individual “modular” patches, I understand that it wasn’t mandatory to install them by the monthly order, or even in any particular sequence — unless certain patches were prerequisites for something else.

              For the current system of “rolled-up” monthly security update packages, I can’t seem to find any official MS documentation suggesting that the preceding month’s package is a prerequisite (or similar) for the current month’s package.

            • #138966

              1) I seem to recall that Sep 2017 patches only attained a max of DEFCON 2 here before Oct 2017’s patches arrived.

              September patches were at DEFCON 3 on Sept 29th
              Oct patches were at DEFCON 2 on the morning of Oct 10th.
              Once patches have reached DEFCON 3, you can install them any time because the problems are known. In other words, DEFCON 1-2 only applies to THIS month’s patches and doesn’t stop you from installing anything from previous months.

              2) I’ve read through the Group B: Monthly Security Only update advisory (Win 7 & 8.1) several times over several months. The advisory emphasizes that the monthly security only packages must be installed in chronological order,

              Since the Security-only patches are NOT cumulative, you can install them in any order, but it is best to do so in chronological order if you can. If you miss one, you can go ahead and install it when you can. The IE11 Cumulative Update must also be installed, and you only need the latest one since it IS cumulative.

            • #138974

              “The advisory emphasizes that the monthly security only packages must be installed in chronological order, but to date, doesn’t mention the consequences (if any) if the packages were installed in non-chronological order.”

              As far as I know, they can be installed in any order without any negative consequences.

    • #138173

      Looks like Ubuntu based linux distro’s just got fixed:

      wpa (2.4-0ubuntu6.2) xenial-security; urgency=medium

      * SECURITY UPDATE: Multiple issues in WPA protocol
      – debian/patches/2017-1/*.patch: Add patches from Debian stretch
      – CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
      CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
      CVE-2017-13088

      If debian is good enough for NASA...
      1 user thanked author for this post.
    • #138219
    • #138295

      For those with Intel AMT still enabled, this information is from Intel’s page (INTEL-SA-00101):

      • Intel is targeting an updated firmware release to System Manufacturers in early November 2017 to address the identified WPA2 vulnerabilities. Please contact System Manufacturers to ascertain availability of the updated firmware for their impacted systems.

      • Until the firmware update is deployed, configuring Active Management Technology in TLS Mode to encrypt manageability network traffic is considered a reasonable mitigation for remote network man-in-the-middle or eavesdropping attacks. (Details here)

      AMT = Intel® Active Management Technology

      1 user thanked author for this post.
    • #138351

      From WPA2 KRACK Vulnerability, Getting Information (my bolding): “There are 9 vulnerabilities that are client related and 1 that is AP / Infrastructure related. All are implementation issues, meaning software patching can fix them! Of the 9 CVE’s related to clients, ALL can be mitigated with AP / Infrastructure updates as a workaround, but the infrastructure won’t be able to determine if failure is from packet loss issues or attack. The long-term fix is definitely client software patching. The 1 CVE related to AP / Infrastructure is related to 802.11r Fast Transition – if you have it enabled you should patch ASAP. If not, no big deal.”

      From https://en.wikipedia.org/wiki/IEEE_802.11r-2008: ‘IEEE 802.11r-2008 or fast BSS transition (FT), also called “fast roaming,” is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure handoffs from one base station to another managed in a seamless manner.’

      1 user thanked author for this post.
    • #138580

      @MrBrian

      Please correct me if I’ve misunderstood your post about this (138351) but, the way I read what you’ve written is that if you don’t have anything that uses 802.11r or the like, is that home networks should be at least partially safe as long as all user devices (phones, computers) are patched, is this correct?


      • #138653

        The way I interpret it is that if all clients are patched, then an access point doesn’t need to be patched if it either doesn’t support 802.11r or its 802.11r support is disabled. Caveat for “if all clients are patched”: https://askwoody.com/forums/topic/krack-attach-bad-but-the-sky-isnt-falling/#post-138161.

        • #138655

          From https://www.krackattacks.com/:

          “What if there are no security updates for my router?

          Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”

    • #138679

      Thank you @MrBrian, I’m the person (138580) that asked about this last night. I can keep my parents and grandparents from worrying now.

      • #138686

        You’re welcome :).

        Note that post #138655 also mentions to disable client functionality.

        • #138711

          Hi, 138580 again, would you be able to explain what “client functionality” is exactly? The equipment I’m monitoring is just 2 basic modem/router combos with no special features and from what I read a wi-fi repeater is a separate piece of equipment, is that wrong? Or is there another setting I need to look for? The only time any wi-fi is actually used though is at my grandparents when the cousins and grand kids play video games at family gatherings. Sorry for all the questions.

          • #138731

            “Client functionality” means using the access point in client-like ways, such as this.

            • #138746

              Thank you for all your help again @MrBrian, Luckily neither of the boxes have any of those functions, so we should be good to go.

              1 user thanked author for this post.
    • #138886

      From https://twitter.com/campuscodi/status/920954179249610752: “KRACK attack proof-of-concept code published online […]”

    • #139200

      (Decide whether these adds are worthwhile to your discussion.)

      https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

      and

      https://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

      Wife and I are way behind the times compared to most of you guys.  I use my Alienware desktop hardwired for a specific online multiplayer flight sim combat scenario out of Europe been playing for years and mod my machine with updated hardware until some day I will buy another more current gaming machine.  My wife uses my router’s server wi-fi app for her Android hand-held to play her games and e-mails throughout the house.  We don’t do wi-fi outside the house… yet.

      We don’t do any money matters online, anywhere, related to our banking institution.  We do the online money transactions another way.

    • #139879

      From https://www.krackattacks.com/ (my bolding):

      “Is it sufficient to patch only the access point? Or to patch only clients?

      Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.

      That said, we are working on access points modifications that do prevent attacks against vulnerable clients. These modifications are different from the security patches for vulnerable access points! So unless your access point vendor explicitly mentions that their patches prevent attacks against clients, you must also patch clients.”

    • #140190

      @MrBrian

      Shouldn’t this part be in bold as well? “Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.”

      • #140197

        That is important also, but the bolded part contradicts some other things that I read.

        • #140202

          Ok, that makes sense. I guess I was just worried that people will miss that part if they don’t know if their system has that or not.

    • #140303

      PKCano wrote:
      September patches were at DEFCON 3 on Sept 29th
      Oct patches were at DEFCON 2 on the morning of Oct 10th

      Thanks for the info. Good to know that Sep 2017’s patches did at least reach DEFCON 3 status at end Sep 2017.

      However, posts about such DEFCON status updates are easy to miss (or get lost in KB-induced jigsaw fog), since there are usually multiple unrelated posts here per day, & the posts’ respective URLs also lack the month indicator (ref: “… /2017/ms-defcon-3-get-patched …”, “… /2017/ms-defcon-2-check-to-see …” of the above-supplied links).

      For instance, after my query (published 19 Oct 2017), at least 2 other users as of 21 & 22 Oct 2017 appear to be still waiting for Sep 2017’s patches to hit DEFCON 3. See replies #139781 & #139805:

      “2017-09 […]  what the current recommendation for patching is”
      “wait until we are at MS-DEFCON 3 or higher and then apply them”

       

      As such, one might perhaps like to reconsider adopting my previous suggestion about displaying the DEFCON status appended with the corresponding current & immediate-preceding months upfront at the DEFCON indicator at the top of this website.

      And/or: Introduce an additional “DEFCON Update” tag to the bottom of posts regarding DEFCON status updates, so that users can click straight to them. Currently, all DEFCON updates are tagged only as “Windows Patches/Security“, & there are a lot of such posts to sieve through.

      In this current bewildering & risk-fraught ecosystem of Windows Updates/Patches, any help in improving the clarity of information would be most appreciated. Thanks !

    • #140311

      PKCano wrote:
      Since the Security-only patches are NOT cumulative, you can install them in any order, but it is best to do so in chronological order if you can. If you miss one, you can go ahead and install it when you can.

      MrBrian wrote:
      As far as I know, they can be installed in any order without any negative consequences.

       

      Thanks to both for the reassuring clarification.

      As such, might it be better to reword the info shown at the Group B advisory to state something along the lines of: “For full protection, all of the Monthly Security Only patches should be installed. It is preferable (although not strictly necessary) to install them in chronological order.”?

      The current info in the said advisory is as follows, noting especially the part highlighted in bold.

      “Group B” Security-Only patches are not cumulative. In order to be protected, you must install all of them. Every. Single. One. By hand. More than that, you have to install them in chronological order — the October patch, followed by the November patch, followed by the December patch, and so on.

      The emphasis as implied by the phrase “More than that”, & accentuated by the belaboring expression (X month, followed by Y month, & so on) imparts the impression that this step is the most critical part about security patching — failing which … this is where the confusion begins, because no adverse consequences are stated, & the recommended chronological method is also contrary to how Windows Updates/ patching are usually carried out.

      1 user thanked author for this post.