Re: [OT] Breaking WPA2 by forcing nonce reuse
On Tue, 17 Oct 2017 08:43:00 +0530
"tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:
> On 17/10/2017 00:49, Celejar wrote:
> > On Mon, 16 Oct 2017 21:27:30 +0530
> > "tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:
...
> >> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
> >> wireless consumer electronics have their base covered and ripe for cracking...
> >
> > It's crucial to understand that there's a huge difference in severity
> > between BlueBorne and KRACK: the former "allows attackers to take
> > control of devices", and "does not require the targeted device to be
> > paired to the attacker’s device, or even to be set on discoverable
> > mode" (!) [https://www.armis.com/blueborne/], whereas the latter
> > 'simply' breaks WPA2, and can't really hurt you insofar as you're using
> > secure higher level protocols (ssh, SSL/TLS, HTTPS).
> >
> > I don't mean to say that KRACK isn't nevertheless a huge problem,
> > but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
> > going to be catastrophic to anyone not treating WiFi as a really secure
> > protocol. E.g., on my home network, I do use WPA, but I still require
> > SSH and so on for internal communication between my local hosts.
> >
> > Celejar
> >
>
> Agreed, my post was just a quick reaction to an 'OT' labeled thread, not
> a lecture on the respective merits of those vulnerabilities, or an
> attempt to spread F.U.D. Sorry if it came out this way (not a native
> speaker).
I actually do agree with what you wrote, I was just trying to add a bit
of detail.
> That being said, for a lot of the common use cases having an attacker
> sit on the assumed-to-be secured wifi and able to intercept traffic for
> days, weeks, months maybe since the patching will be as usual "patchy",
> is bad enough. It is not the same as the "bombing the dhcp server and
...
> So using https or better for communications on the local network is a
> good idea, but is it the norm? Many router firmwares or built-in
> webservers from cameras to printers default to http, sometimes don't even
> offer https as an option.
Yes, after I sent my mail I realized that my wirelessly networked
printer is going to be a problem. Some printers apparently support
access via SSL/TLS (IPPS), but it looks like mine (Brother
HL-2280DW) does not. And what are the odds that Brother will do a
firmware update to patch WPA for this 6-year-old model ;)
> This isn't as bad as blueborne but it is nonetheless another of the most
> widely used wireless standards being broken in a short time.
Certainly.
> It's patched in most distributions, and in router firmwares like LEDE
> already, was patched in some BSD even before publication, but how long
> before we see patches for all affected devices?
Never - for many / most Android devices, my printer (probably), etc.
> By the way, since we are security OT'ing, check your RSA keys if you
> used Infineon products to generate it.[1]
>
> [1] https://lwn.net/Articles/736520/rss
Yeah, just saw that on Ars this morning:
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
Another day, another critical vulnerability ...
Celejar
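The thread's advice to "check your RSA keys if you used Infineon products" refers to the ROCA weakness covered by the LWN and Ars articles linked above. The following is an added example for defenders, not code from either poster or from any vendor tool; it implements the public-key fingerprint described in the ROCA paper (Nemec et al., 2017), which is my assumption about how such a screening check is done: for every small prime p in a fixed list, the modulus N of an affected key has N mod p inside the subgroup of (Z/pZ)* generated by 65537, whereas a modulus from an ordinary key generator fails that condition at some prime with overwhelming probability. The prime list and the helper names are mine; the constructed positive sample is built from the residue structure only and is not a real key.

```python
# ROCA fingerprint screening for RSA public moduli (added example, not
# from the mailing-list thread). Assumption: the fingerprint from the
# ROCA paper, i.e. N mod p lies in <65537> (the cyclic subgroup generated
# by 65537 in (Z/pZ)*) for every prime p in FINGERPRINT_PRIMES.

from typing import Dict, Optional, Set

# Small primes used for the fingerprint (3 .. 167, assumed list).
FINGERPRINT_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                      53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
                      109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]

GENERATOR = 65537  # the public exponent whose powers structure the affected primes


def subgroup_generated_by(g: int, p: int) -> Set[int]:
    """Return {g^k mod p : k >= 0}, the cyclic subgroup generated by g mod p."""
    residues: Set[int] = set()
    x = 1
    while x not in residues:          # stops once the cycle returns to 1
        residues.add(x)
        x = (x * g) % p
    return residues


# Allowed residues per prime, computed once at import time.
ALLOWED: Dict[int, Set[int]] = {p: subgroup_generated_by(GENERATOR, p)
                                for p in FINGERPRINT_PRIMES}


def first_failing_prime(n: int) -> Optional[int]:
    """Return the first prime at which N's residue is outside <65537>,
    or None if N matches the fingerprint at every prime."""
    for p in FINGERPRINT_PRIMES:
        if (n % p) not in ALLOWED[p]:
            return p
    return None


def has_roca_fingerprint(n: int) -> bool:
    """True if the modulus should be treated as a suspected ROCA key."""
    return first_failing_prime(n) is None


def modulus_from_openssl_line(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by
    `openssl rsa -pubin -in key.pem -noout -modulus`."""
    label, _, hexdigits = line.strip().partition("=")
    if label != "Modulus" or not hexdigits:
        raise ValueError("expected a line of the form Modulus=HEX")
    return int(hexdigits, 16)


def constructed_fingerprinted_modulus(exponent: int) -> int:
    """Constructed positive sample (not a real key): 65537^exponent modulo
    the product of the fingerprint primes, so its residue at every prime
    is by construction a power of 65537, exactly like an affected key."""
    m = 1
    for p in FINGERPRINT_PRIMES:
        m *= p
    return pow(GENERATOR, exponent, m)


if __name__ == "__main__":
    # Constructed samples: one with the fingerprint, one ordinary number.
    suspect = constructed_fingerprinted_modulus(12345)
    ordinary = 2 ** 127 - 1
    for name, n in (("constructed suspect", suspect), ("ordinary", ordinary)):
        fails_at = first_failing_prime(n)
        verdict = "SUSPECTED ROCA key" if fails_at is None else f"clean (fails at p={fails_at})"
        print(f"{name}: {verdict}")
```

In practice the input is the hex modulus printed by `openssl rsa -pubin -in key.pem -noout -modulus`, fed through `modulus_from_openssl_line`; the check is a screening heuristic, so a match means "replace this key and investigate its origin", not a proof that the factoring attack succeeds against it.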