Is there anything at all we can do to protect ourselves until our router gets patched?
From the earlier thread [1] I gleaned that maybe a MAC filter could help, but it sounds like that's not going to help much because MAC addresses can be easily spoofed.
The article here recommends sticking to sites with HTTPS, which isn't really something we always have control over, and isn't something we can realistically expect our non-technical WiFi users to be able to strictly adhere to.
VPNs were also suggested, but again, mandating that everybody on our WiFi must connect through a VPN is rather impractical, and I'm personally not sure which VPN providers are supposed to be trustworthy to begin with.
If people here have other suggestions, I'd love to hear them.
> Is there anything at all we can do to protect ourselves until our router gets patched?
Only use secure transports over wireless connections. Which many including myself have been recommending for years anyway.
Properly configured HTTPS (i.e. servers with good protocol/cypher/key options preferably with HSTS too) should be sufficient so as a user you can make sure you limit what you access over wireless. Luckily HTTPS is becoming very common both for actual web-sites/-applications and other services that use it as a transport (TFS for instance). As a service admin, protect your users by mandating HTTPS.
Similarly, SSH and protocols wrapped in it are safe. RDP should be good too if correctly configured.
If you are using "plain" or broken protocols over wireless (for example, file access via SMB/samba): stop unless the content being accessed is public anyway. This may affect many in office environments. If you are responsible for running a network make sure no traffic via unprotected protocols goes over network legs with wireless access points.
DNS is generally not secure, which could be a concern for this if spoofing attacks are successful (so far only inspection/eavesdropping attacks have been proven?) as that would allow DNS poisoning. HTTPS and friends still protect your content here if your users use them properly (i.e. they never ignore certificate warnings), though if you are paranoid about privacy (which some people need to be) an outsider knowing what DNS lookups you make could be enough of a concern.
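A small audit of the "no unprotected protocols over wireless legs" rule from the post above, as an added example that is not from the thread: it reads constructed flow records in a simple "src dst proto dport" format, assumes 10.20.0.0/16 is the wireless client subnet, and flags flows that touch a wireless host over a cleartext service such as SMB or plain DNS.

```python
import ipaddress

# Wireless client subnet (an assumption for this example): the AP leg that should carry no unprotected traffic.
WIRELESS_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Cleartext services to flag: the ones the post names (SMB, plain DNS) plus a few common ones, keyed by (protocol, port).
CLEARTEXT_PORTS = {
    ("tcp", 80): "http",
    ("tcp", 139): "smb/netbios",
    ("tcp", 445): "smb",
    ("udp", 53): "dns",  # eavesdroppable, and poisonable if an attacker can inject
}

def parse_flow(line):
    """Parse one constructed 'src dst proto dport' record; return None on junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None

def is_wireless(addr):
    return any(addr in net for net in WIRELESS_NETS)

def audit_flows(lines):
    """Return (src, dst, service) for each flow touching a wireless host over a cleartext service."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        service = CLEARTEXT_PORTS.get((proto, dport))
        if service and (is_wireless(src) or is_wireless(dst)):
            findings.append((str(src), str(dst), service))
    return findings

# Constructed sample records for the demonstration.
SAMPLE_FLOWS = [
    "10.20.1.15 192.168.5.10 tcp 445",   # SMB from a wifi client: flagged
    "10.20.1.15 93.184.216.34 tcp 443",  # HTTPS from wifi: fine
    "10.20.1.22 10.0.0.53 udp 53",       # plain DNS from wifi: flagged
    "10.0.0.7 10.0.0.9 tcp 445",         # SMB between wired hosts: not flagged
    "garbage line",                      # malformed: skipped
]
```

Point the parser at your firewall or NetFlow export and feed audit_flows the real records; anything it returns is traffic that an attacker on the wireless segment could read or alter.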
In fact, using secure traffic and/or VPNs is the least important of worries, as an end user I can be taught to use these mechanisms for communication. The real issue here is that, if I understand correctly, all of a sudden the technical infrastructure of any relevant IT operation is exposed. As an IT manager this would be my worst nightmare: if I am running a WPA2 network, I need to make sure that there is no in-the-clear communication going on on these particular network segments.
> I'm personally not sure which VPN providers are supposed to be trustworthy to begin with.
You can host your own internal VPN; it's just to ensure the traffic over wifi is secure. If you are a corporation you probably have a VPN already, for people outside the office to access the internal network. Then just set up rules so wifi clients can only access the VPN server (however yes, it is easier said than done for most home users).
> The article here recommends sticking to sites with HTTPS, which isn't really something we always have control over, and isn't something we can realistically expect our non-technical WiFi users to be able to strictly adhere to.
Luckily most major websites/applications you'll use will have HTTPS and HSTS enabled.
Assuming you're running an IT department for something serious, you could theoretically get a sophisticated enough router (like a Pineapple) you can force all unencrypted traffic through it to an internal CA that you manually install on all clients. Then just do the opposite of a protocol downgrade attack, lol.
> I'm personally not sure which VPN providers are supposed to be trustworthy to begin with.
I can recommend Mullvad[1] which takes none of your information for registration, and which ticks all the right boxes on That One Privacy Site's VPN comparison chart[2].
Quite a few clients lack WPA2 Enterprise capabilities, especially in the home network sector (hey, playstation, I'm looking at you), making this a no-go for a sizable chunk of the population.
I rent an apartment with double brick walls everywhere. I cannot install cabling in the wall, or really anywhere it's not a severe trip hazard. For the most part, this is fine, because almost every device I own that requires internet access has wifi. (The few that don't, like my NAS, can live next to my networking equipment.)
Your suggestion would have meant that I couldn't connect my Playstation to the Internet, which is a little bit silly, especially given that my scenario is not an uncommon one.
Powerline adapters are pretty cheap nowadays and fast enough. I get synchronous 200mbps over a pair of TP-Link gigabit ones in a place with really poor quality wiring, and they come with power pass-through so I don't even lose a power socket.
I do use a powerline adapter and it works but I'm afraid that there aren't too many eyes looking at them - what if they have a big flaw and it stays dark?
There's no way these adaptors aren't vulnerable, given the nature of them. In my opinion. Extracting the signal from the mains and feeding it into GNU Radio for demodulation, then subsequent attack, would be an interesting exercise.
CAT5 and duct tape are your friend. I have the same problem and it’s quite easy to manipulate it around and behind things without problems. One section of cable I have is 19m to span a 3m floor.
We have to do this because I live in crowded London and WiFi barely works when you have 40 other networks next to you.
It's certainly not aesthetically pleasing, although there is some mileage in that department with printed duct tapes, but it works which is the main thing. To be honest with careful routing it's only taped down in one place in a corner. You wouldn't know there were any cables running around unless you look very carefully.
Try telling your landlord to install cabling everywhere. I'm in the lucky position that I had cabling installed when they wired my apartment, but I'm aware that I'm the exception.
Oh, sure that's not the solution - I don't connect my laptop to cables everywhere I carry it. It's still nice to have wires strung because that allows me to connect all stationary equipment to a cable (IPTV receiver, apple TV, TV, Playstation, VOIP, etc.) and position Wifi APs where they're needed. Cables still provide the best and most stable network, despite all advances in Wifi tech. I can absolutely recommend doing this if you have the opportunity. The cost is negligible if you're about to (re)do the electrical wires.
Not only does it not need it, but the difference between gaming on Wi-Fi and gaming on Ethernet is immense. For any competitive game, Wi-Fi is a no-go to begin with.
There are people that still enjoy a good old-fashioned single player game, but would love to get patches via the internet. Wifi is perfectly fine for that, even sneakernet would be, but the playstation doesn't support that.
My laptop pulls 280 Mbps according to fast.com. Switching to wired gives me 700 Mbps so I guess the difference is between a forty minute wait and a 15 minute wait, but either way it's fast enough that I'll take the convenience of not having to lay cables.
I imagine everyone else feels the same way: mostly limited by the upstream. If I had 100 Mbps Internet, there'd be no difference, for instance.
You fail to account for the shitty wifi chipset in the PS4, no way you're getting 280Mbps over wifi on a PS4. Even wired downloads max out at around 300Mbit, even though I easily get 900+ mbit on e.g. a speed test.
That assumes you get 300Mbps internet. A common max in Germany is 50Mbps, many people are still stuck with 16Mbps. 100Mbps and more are comparatively rare. Wifi speed is not the restricting factor, even with the PS4's chipset.
Sounds like a shitty situation for Germans, but here stateside cable ISPs have been offering 100+Mbps plans for a few years, and Telcos like Verizon ran fiber to quite a bit of their footprint. Gigabit is increasingly available, especially in urban areas.
The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP).
I'm also amazed that the coffee shop use-case has remained a terrible, frustrating hack (no way to encrypt without a password and no formal support for EULA/login screen). Like you, I figured in the 20 years since 802.11 they'd consider it a use-case worthy of first-party support--especially since every 3 or 4 years there's a new standard everyone adopts (a, c, g, n, and ac).
I continue to be astonished there is no support for passwordless encryption (open hotspots with no password needed to connect, but with some sort of automatically-negotiated encryption). Dropping encryption should not be required for a good user experience on open hotspots.
So it looks like Ubiquiti UniFi firmware version 3.9.3.7537 patches against this - which was released to Beta testers ~two hours ago on their community site.
I wonder if this is also going to require client side patching from the OS vendors.
It’ll be interesting to see what the mitigation options will be like given the massive install base of routers which are barely supported and WiFi gadgets which aren’t supported at all. There are some interesting wormable scenarios (e.g. apartment building with an attack combining this & things like those recent Broadcom exploits) which could be avoided if ISPs can push patches to a large percentage of their customers.
One important additional piece of information: "As Hudson notes, the attacker would have to be on the same base station as the victim, which restricts any attack's impact somewhat."
It is basic knowledge that in a radio-based system, like Wifi, Bluetooth, ZigBee, … you need to be near the source. That is called physics.
With some techniques you may be able to passively monitor radio waves, but for active attacks you will always need to be close by. That is called physics in general and, specifically, electromagnetic waves.
My home network is a fiction, all of the clients on it are either wired to the VPN host (except the smartphone, which just doesn't have access to most of my network), or connect through VPN even when I'm home. This only really became efficient enough to be viable for me with WireGuard.
Every time I start to think about a similar architecture I start thinking about why nobody has come up with the idea of adding a Wi-Fi "dumb pipe" mode (direct L2 mode, if I'm right), with all security/packet dropping handled by a higher layer; like putting OpenVPN packets directly on the air and having everything handled by software. Of course it will hurt performance some, but for security you can make a few sacrifices.
Am I understanding this correctly that you still need to authenticate with the router before using the exploit? If so, I thought it was already prudent to assume that unencrypted traffic (by the client) was effectively visible to everyone else connected over the same Wi-Fi base station?
Or is this a way to break the Wi-Fi password and connect without it?
> attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it's possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users' domain name service.
Basically they can see all your traffic and modify it. Your LAN becomes the Internet over an open AP and you don't know which servers you're connecting to.
I'm looking forward to learning the details of these weaknesses. I'm sure they will be with us for many years. That said, I'm not hugely concerned for myself because I already assume whatever LAN I use might be malicious. We're living in a world where many name brand ISPs are openly hostile to subscribers.
I was thinking the same thing. If they don't it might be time to replace my Airport Extreme. I love it and it works flawlessly, but if they don't provide updates it's worse than not having WiFi at all.
Doesn't everyone simply assume all networks are hostile, even your home LAN? This makes DoS very easy but if you're worried about eavesdropping from this you have much bigger problems.
Do you guys think the NSA, or another country's NSA, knew about and exploited this? It's amazing how many years it took for this flaw to be found, despite being widely used. How many engineers looked at this over the years, thousands?
memo to self: Assume that nothing is really secure, so behave.
Wireless is a pretty huge attack vector that has always worried me. I think I'm going to order some powerline networking gear and switch to that, since I don't have hardwired ethernet. Seems cheap enough.
How can the attacked device talk to the AP after its keys / nonces have been altered? Doesn't it lose its connection, making it obvious to the user that something shady is going on?
[1] https://news.ycombinator.com/item?id=15478750