Re: [OT] Breaking WPA2 by forcing nonce reuse
On Tue 17 Oct 2017 at 10:57:15 -0400, Celejar wrote:
> On Tue, 17 Oct 2017 08:43:00 +0530
> "tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:
>
> > So using https or better for communications on the local network is a
> > good idea, but is it the norm? Many router firmwares or built-in
> > webservers from cameras to printers default to http, sometime don't even
> > offer https as an option.
>
> Yes, after I sent my mail I realized that my wirelessly networked
> printer is going to be a problem. Some printers apparently support
> access via SSL/TLS (IPPS), but it looks like mine (Brother
> HL-2280DW) does not. And what are the odds that Brother will do a
> firmware update to patch WPA for this some 6 years old model ;)
I, and you, probably, are not dealing with printing confidential
documents. Those entities which are should be more concerned.
Remember, good though the research might be, there is as yet no
published POC and the ideas behind it do not appear particulary
easy to implement. I'm not expecting anyone with the necessary
equipment to be sitting in a car outside my house any time soon.
If I got concerned (and HP did nothing about it) I wonder whether
running arp would do anything to discover what is essentially a
MitM situation?
> > This isn't as bad as blueborne but it is nonetheless another of the most
> > widely used wireless standard being broken in a short time.
>
> Certainly.
>
> > It's patched in most distributions, and in router firmwares like LEDE
> > already, was patched in some BSD even before publication, but how long
> > before we see a patches for all affected devices?
>
> Never - for many / most Android devices, my printer (probably), etc.
A timely fix arrives in Debian. Users who update are once again safe.
What more could you ask for? What can you say apart from "thanks"?
--
Brian.
Reply to: