Threat to WiFi WPA2 Now Everyday Reality. Neither Android nor iOS have solutions

Discussion in 'Off-topic' started by user3, Oct 24, 2017.

  1. user3

    user3 Guest

    From a Riseup.net security update. Personal Note: Riseup is an email provider I use, along with RiseupBlack on my Linux desktop. Use Linux (Debian or Arch) and free yourself from “Defective by Design” operating systems.

    Wi-Fi Advisory
    ===================================================

    There is a new class of attacks against Wi-Fi networks. Most Wifi
    networks these days use a technology called WPA2 to protect the network
    from eavesdropping. Researchers found a way to break this.

    These attacks allow an adversary within Wi-Fi range to read your network
    traffic and potentially to also send your device nefarious traffic,
    depending on what device you are using.

    Who does this affect?
    ---------------------------------------------------

    Nearly all Wi-Fi devices and operating systems are vulnerable, to
    varying degrees. This includes nearly all laptops, mobile phones, and
    Wi-Fi connected devices. In particular, most Android and Linux devices
    are highly vulnerable.

    What is the danger?
    ---------------------------------------------------

    There are many attacks that are made possible with this vulnerability.
    For example:

    * An attacker could read your login username and password if not
    transmitted using HTTPS (encrypted browser connection). Riseup requires
    HTTPS on all servers -- but many services do not.

    * An attacker could downgrade your secure HTTPS web browser connection
    to an insecure HTTP connection, depending on the configuration of the
    server (Riseup servers are protected against this).

    * If you click on a link to download a file, an attacker could attach a
    virus to that file while it was in transit to your device (in some
    cases).

    What can I do to protect myself?
    ------------------------------------------------

    If you have an Android device, you should disable Wi-Fi and use your
    telco's data plan whenever possible. When possible, keep Wi-Fi disabled
    until an update becomes available for your device.

    You should update your devices as soon as possible. Unfortunately, there
    are not fixes yet for most operating systems or Wi-Fi access points.

    The use of HTTPS is always a good idea, particularly now. We recommend
    that everyone install the browser extension "HTTPS Everywhere" which
    will automatically switch your browser to use HTTPS when a website
    supports it. The new Wi-Fi attack makes it much easier for an attacker
    to try to downgrade your web browsing to use an insecure connection, and
    the HTTPS Everywhere extension will prevent this for most popular
    websites. See https://www.eff.org/https-everywhere to install this
    extension.

    The use of a personal VPN is always a good idea, particularly now. A
    personal VPN encrypts your traffic to the entire internet, while a
    corporate VPN just encrypts your traffic to the corporate network. To
    read more about Riseup's VPN service, see https://riseup.net/vpn.

    Current update status
    ------------------------------------------------

    Android: There is no fix yet for Android. Devices with Android 6.0 or
    later are highly vulnerable.

    iOS: No update is available yet.

    macOS: No update is available yet.

    Windows: Update is available.

    Ubuntu and Debian Linux: Security patches are available. Run `sudo apt
    update; sudo apt upgrade`.

    Red Hat Linux and Fedora: No fix yet released. See
    https://access.redhat.com/security/cve/cve-2017-13077 for latest status.
    You can keep trying to run `sudo yum update` until you see
    wpa_supplicant get updated.

    Access points and home routers: check the website of the manufacturer.

    More information
    -----------------------------------------------

    For an updated list of the state of security patches to client operating
    systems and AP firmware, see:

    https://www.reddit.com/r/KRaCK/comments/76pjf8/krack_megathread_check_back_often_for_updated/

    https://www.bleepingcomputer.com/ne...-driver-updates-for-krack-wpa2-vulnerability/


    http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

    For more information on the flaw in WPA2, see:

    https://arstechnica.com/information...l-leaves-wi-fi-traffic-open-to-eavesdropping/
     
    Last edited by a moderator: Oct 24, 2017
  2. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    3,995
    KRACK has been patched for Windows and most Linux-based operating systems (Arch Linux FTW!), so check for updates and install all of them. A patch for macOS is still some time away (it's patched in 10.13.1 High Sierra) and I assume a patch for iOS is not that far behind.

    Android is the main issue here as a lot of Android devices won't get any updates (unless you wipe and flash Lineage OS).
     
  3. user3

    user3 Guest

    Exactly. Other options are out there as well to flash Android devices with an open source OS. One still in development that looks interesting - PostmarketOS - uses an image based off Alpine Linux with an XFCE interface.

    Note: An other, larger threat is using a vulnerable device with http-only websites. This is not to say that you’re safe using a patched device over http or using a non-patched device over https. What’s funny is I’ve had an “https-only” rule in my custom safari filters for ~3 weeks now.
     
    Last edited by a moderator: Oct 24, 2017
  4. user3

    user3 Guest


    Also wanted to note that one can always roll your own droid os using Arch or Debian. Arch has a specific instructions list @ https://wiki.archlinux.org/index.php/Android#Building_Android. Though I assume you already know that :)