PDA

View Full Version : How to Remain Safe from KRACK Wi-Fi Vulnerability



rhoodyrin
10-20-2017, 09:21 AM
KRACK Wifi Vulnerability, discovered by a research which leads hackers to easily decrypt the data on your router (If that hacker is in the router's range).

My suggestion to IoT device users that. please avoid connecting to Wireless networks. Instead, try to use cellular data while accessing the internet which is a secure option for now.
Apple has already released the fix in their latest iOS version. (Not official)
Microsoft has also released their fix patch and those users who have the updated version of windows are completely secure.
Many router companies have started releasing their fix patches as well. Like T-P Link.
You all should contact your wireless network provider to provide you a fix patch.
Here's a short guide I found today on How to Protect Yourself From KRACK WiFi Vulnerability (https://www.purevpn.com/blog/how-to-overcome-krack-wifi-vulnerability/) which may help you.
If anyone finds some useful stuff about this, please do share.
Austin.

mrplow
10-20-2017, 10:00 AM
Thanks for the post, the issue is certainly worth highlighting to people.

Here's a few additions:
Most IoT devices don't have a cellular option being primarily designed for home Wi-Fi environments.

You're correct that Apple has released a fix into it's beta stream for iOS, MacOS and TVOS. No formal word from Google re:Android.
Microsoft incorporated a fix into it's 10/10 security patching for Windows

Risk:
While vulnerabilities in WPA2 are a big concern, as with all things you need to look at the risk rather than just the vulnerability.
Until all your home Wi-Fi devices are updated or patched any interaction using WPA2 is vulnerable. However, you'd need someone in range of your network, suitably equipped for the attack and with malicious intent. As such, the actual risk of your home network being targeted and exploited is fairly low. WPA2 should still be used and is still the strongest, home use, protocol available to most.

The larger risk is public networks, think coffee shops, shopping centres (malls) etc. At these points, a man in the middle attack becomes more worthwhile for the would-be perpetrator in that they can easily reach multiple targets. Especially if you start to look at public wifi near government buildings, legal institutions etc. As far as public wi-fi goes I'd suggest avoiding use of these, well, always to be honest. They've always been fairly vulnerable to compromise.

The Register (https://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/)has some solid, clickbait-free info and links onto other helpful stuff regarding router updates etc.

VPN's aren't a silver bullet solution but they provide a level of protection and they're something I'd recommend when you have to use public wi-fi, regardless of this new threat.
You also need to look out for HTTPS secured websites. One of the most obvious attacks once wifi connectivity is compromised is to prevent https traffic. Without this you're potentially sending login credentials etc in plain, easily captured and read format

harryb2448
10-20-2017, 05:19 PM
Good response mrplow.

If one MUST use public wifdi make sure the firewall is turned on at least!

hughvane
10-20-2017, 10:53 PM
Interesting reading, but nowhere did I see mention of the use of ethernet cables, or hard-wiring into pubic routers - if feasible. Are we discussing the use of laptops, or smartphones?

To elaborate, I live in a small town, where there is very little likelihood of someone trying to hack my WPA2 wireless network, but I've still changed to wired ethernet/internet for the foreseeable future.

Coincidentally, where does one acquire the patch that Apple has issued for MacOS, and which OS version?

harryb2448
10-20-2017, 10:55 PM
Either or m,ate, either or.

P.S.Looking for 18 start tonight. Any offers mate?

Rod Sprague
10-21-2017, 01:27 AM
There is one step that is easy for everyone and that is to add the extension HTTPS Everywhere:
HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
Also Facebook and Twitter have recently added HTTPS Always as an option in settings which is off by default.
Another good argument for a VPN most of which will allow the addition of a mobile device under the same account.
My BIG problem is going to be my Telkomsel provided modem/router, here in Indonesia they provide a Chinese made ZTE device which they insist on me using. They will not accept a 3rd party device so I am dependant on them getting around to applying the patch.

lclev
10-21-2017, 10:24 AM
I am wondering if Apple will provide a patch for the Airport Time Capsule.

Lisa

mrplow
10-21-2017, 04:03 PM
I am wondering if Apple will provide a patch for the Airport Time Capsule.

Lisa

I would expect so, but only if vulnerable. Not all devices are depending on the way the standard has been implemented.

mrplow
10-21-2017, 04:08 PM
Interesting reading, but nowhere did I see mention of the use of ethernet cables, or hard-wiring into pubic routers - if feasible. Are we discussing the use of laptops, or smartphones?

To elaborate, I live in a small town, where there is very little likelihood of someone trying to hack my WPA2 wireless network, but I've still changed to wired ethernet/internet for the foreseeable future.

Coincidentally, where does one acquire the patch that Apple has issued for MacOS, and which OS version?

I didn’t mention Ethernet purposefully so as not to muddy the waters further but yes, it will obviously negate a wireless vulnerability providing every wireless device in use can use Ethernet.

As for the Apple patches they are in the current public betas. So you can wait for the full release on enroll on the beta program.

Cr00zng
10-29-2017, 11:01 AM
There is one step that is easy for everyone and that is to add the extension HTTPS Everywhere:
HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
Also Facebook and Twitter have recently added HTTPS Always as an option in settings which is off by default.
Another good argument for a VPN most of which will allow the addition of a mobile device under the same account.
My BIG problem is going to be my Telkomsel provided modem/router, here in Indonesia they provide a Chinese made ZTE device which they insist on me using. They will not accept a 3rd party device so I am dependant on them getting around to applying the patch.
I wouldn't put that much faith in to SSL. If the client is exploited with the KRACK-attack and the hacker uses SSLScript, collecting account passwords is trivial:


https://www.youtube.com/watch?v=Oh4WURZoR98