Serious hack of the WPA, WPA2 Encryption systems

transmaster

AK Subscriber
Subscriber
Called KRACK" -- which stands for Key Reinstallation Attack. This was published yesterday but the vendors were properly informed 2 months ago. Patches are rapidly coming out right now. I am going to wait until I hear Steve Gibson’s report on it today on his Security Now podcast for an explanation as to what the exploit is, and how it works. My concern is with my AirPort Extreme WiFi it is subject to this exploit Apple does not make it anymore and there is no word on a patch for it and the other Airport routers. It might be time to go to a MASH router system, and Google makes a really good ones. We will wait and see.
 
Called KRACK" -- which stands for Key Reinstallation Attack. This was published yesterday but the vendors were properly informed 2 months ago. Patches are rapidly coming out right now. I am going to wait until I hear Steve Gibson’s report on it today on his Security Now podcast for an explanation as to what the exploit is, and how it works. My concern is with my AirPort Extreme WiFi it is subject to this exploit Apple does not make it anymore and there is no word on a patch for it and the other Airport routers. It might be time to go to a MASH router system, and Google makes a really good ones. We will wait and see.
iMore does not believe that the Airports need a patch:

https://www.imore.com/krack-wpa2-wi-fi-exploit-already-fixed-ios-macos-tvos-watchos-betas
 
OK Steve Gibson just said the press, as usual, is reporting the KRACK exploit as being worse then it actually is. Steve explained in his usual detail that it is not the access point that is the proplem but the client/supplicant device. Apple and Microsoft never had the problem because of they way they coded the four way encryption handshake that is the issue. It is the device that connects using the Wifi router not the router that is at issue. Unless your router has a client function you are OK, Steve explained how simple it is to fix the problem. Check into Security Now # 633 for the details.
 
Steve Gidson demonstrated how easy it will be to patch this problem to prevent the nonce values from generating a encryption key of zeros.
 
Has there been any info on whether Apple is going to offer a patch for older units running ios10?
I know they've moved on from it, but it's not that old.

More and more I think that public wifi is just gross. I don't use it, and turn off bluetooth, when I'm out and about.
The only place I use it is an hour a week at the university, when my kid is at dance class. Even that I'm starting to wonder about.
 
KrisM - Apple does not support ANY OS they have abandoned. For example, a few years ago there was a JAVA flaw that they fixed in the most recent version of their OS but left alone the version that was 3 weeks old. Apple only wants your money and only cares about what is recent.

MS did put out a patch for Win 7, 8.0/8.1 and 10. XP Pro has not been supported for a year or two as it is an outdated OS (if you paid for extended XP support I think you got a patch).
Kinda figured that, but it would be nice of they offered up patches on at least ios10.

Maybe it's just me, but this kind of thing is a bit of potential PR nightmare for them.
Yeah, we all know they're about the latest and greatest and want to sell you new product. Do I expect them to offer patches to the old Touch I have that runs ios6(?)? No. But not supporting an OS that is a few weeks or a month from being current looks bad.

Don't get me started on android.
I've got an older Acer tablet, and I can't even figure out what version of it it uses, never mind trying to upgrade the software, lol.
 
It wasn't back then and it won't be now. If they were MS, well that is a horse of a different colour. If MW was Apple and did what Apple did to their loyalist, MS would be out of business.

I mean, The older OS X still do not have a newer kernel and the kernel had a hole in it for 17 yrs and only was recently patched (like 6 months ago).OS X uses the BSD kernel.
Fair enough.

I often wonder, when it comes to this stuff, do they even consider the people who use their products, but aren't a loyalist, or a sheeple that lines up at midnight for the newest gadget?
I get it that old device users shouldn't expect to get ios11, or it's new features. Time moves on.
But the optics of an OS that was current up until a month ago not being supported security-wise is skanky to this non-fanboy Apple user.
How much time, money, and resources would it really take to patch ios10? What kind of good PR would come out of it if they did?

Not ranting or anything here, just pondering.
The 'optics' of things seems to be a bit of theme around here lately, lol.
 
Get a VPN account and set up properly with a trustworthy supplier. That will cover a lot of the exposure. An exploiter can come in and sniff away, but won't be able to get everything he wants.

https: connections are also well into the safe zone.

You want to eliminate the potential for "man in the middle" exploits.

I'm curious about WIFI extenders. My gut is telling me "Warning." The extender is getting wired LAN connection tomorrow.

I just spent the entire night setting up most of my connected devices with VPN connections. Strangely, I had to update the video drivers on my Win7-Pro machine before the VPN client would run. What a pain. Hackers suck. I needed VPN connections for my streamer boxes anyway (I have 3), and my wife's ipad. I need some sleep.

Enjoy,
Rich P
 
Last edited:
A repeater/extender is seen by the router as a client, is it not?

If so It's possibly vulnerable if that is the case.

If someone is a network engineer or a network admin please correct me if this is incorrect.

Edit: oh to hell with it, if the router uses WPA2 update It's firmware if there is one available, and like with the client side devices keep checking for one to become available. So update everything that is on a WPA network.
 
Last edited:
Has there been any info on whether Apple is going to offer a patch for older units running ios10?
I know they've moved on from it, but it's not that old.

More and more I think that public wifi is just gross. I don't use it, and turn off bluetooth, when I'm out and about.
The only place I use it is an hour a week at the university, when my kid is at dance class. Even that I'm starting to wonder about.
According to a link in the article posted above:

  • The attack realistically doesn’t work against Windows or iOS devices. The Group vuln is there, but it’s not near enough to actually do anything of interest.
  • There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.
  • Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don’t patch.
https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0
 
It can, it is just the most common attack method doesn't work. So, saying it doesn't work on Apple is not true. If you were right, why would Apple actually test a patch for this problem? It is beta right now. IT IS A BIG DEAL.
I am not saying anything. The article that makes the statement was linked in the ZDNet link YOU posted above:

“In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer.”
 
Last edited:
KrisM - Apple does not support ANY OS they have abandoned. For example, a few years ago there was a JAVA flaw that they fixed in the most recent version of their OS but left alone the version that was 3 weeks old. Apple only wants your money and only cares about what is recent.

MS did put out a patch for Win 7, 8.0/8.1 and 10. XP Pro has not been supported for a year or two as it is an outdated OS (if you paid for extended XP support I think you got a patch).
Not accurate for Macs. Apple has updated for security flaws in prior versions of Mac OS. Here is an example:

https://www.intego.com/mac-security...-sierra-10-12-5-and-more-with-security-fixes/

It is true that they have not released security updates for older iOS firmware.
 
Back
Top Bottom