Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com)
Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.
Re: Um, fuck off (Score:3, Insightful)
Grow up. The article links to the previous Slashdot story from earlier today and is still on the front page. The previous article links to a research paper explaining the vulnerability. For anyone who has looked at the front page this morning or even bothered to examine the links in the summary, it's blatantly obvious which vulnerability is being discussed here. Here's hoping you're modded -1 flamebait. You deserve it.
Re: (Score:3)
And don't forget that the front page shows the most recent submissions first.
Thank you. This is actually what happened here.
As some of us have jobs and don't live in our mom's basements we tend to read the news after we're done and what do we get? This masterpiece of editorial work.
Re: (Score:2)
Can't get to the link in the 8th word of the submission? How do you have a job with an attention span that short?
Or if you actually have a useful attention span, how do you have a job with time management skills so poor that you spend more time posting about not being spoon-fed than clicking a link?
Re: Um, fuck off (Score:2)
Re:Um, fuck off (Score:5, Informative)
This is a high profile issue at the moment. I realize looking back at it in a few weeks may be worth that kind of comment, but there have been multiple Slashdot articles on it today, and every tech news site is buzzing about it.
To fill your rage though,
The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.
Re: Um, fuck off (Score:1)
How do I patch my Nexus 5? It's running the default Android, but I don't see an update available. When will this fix be available for Nexus phones?
Re: (Score:2)
3rd party firmware is your only option at this point.
Re: (Score:1)
https://forum.xda-developers.com/google-nexus-5/orig-development/rom-cm14-1-nexus-5-hammerhead-t3510548
https://download.lineageos.org/hammerhead
https://twrp.me/devices/lgnexus5.html
https://forum.xda-developers.com/google-nexus-5/general/noob-read-adb-fastboot-how-hep-t2807273
Linux patches out already - well ubuntu/debian (Score:2, Informative)
wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium
* SECURITY UPDATE: Multiple issues in WPA protocol
- debian/patches/2017-1/*.patch: Add patches from Debian jessie
- CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
CVE-2017-13088
* SECURITY UPDATE: Denial of se
Re: (Score:2)
The delay and ineptness of various vendors in not providing updates is probably what will hurt the Android environment the most in the long run.
In the early days of MS-DOS there were actually different computers that weren't compatible with each other when it came to hardware, and each required its own version of MS-DOS. Android is in the same seat.
Re: (Score:1)
I remember CP/M getting customized by the hardware maker, but not MS-DOS.
Re: (Score:2)
Before the IBM BIOS was clean-room reverse engineered, every vendor's version of MS-DOS was different. Tandy and DEC were two examples.
Re: (Score:2)
Re: What devices need to be patched? (Score:1)
Re: (Score:3)
you can patch the issue on either side of the setup and this attack will fail so
P client and P router = no attack
N client and P router = no attack
P client and N router = no attack
N client and N router = PAWNED
Re: (Score:2)
N client and Evil Router = PAWNED.
Re: (Score:2)
Router? Huh? What do routers have to do with this?
On the off chance that you seriously don't know what's going on here: for the general public, all boxes that connect them to the internet are "routers." This is not too surprising since a high proportion of home devices do perform routing functions. The percentage of the general public that understands what a wireless access point is is very small.
Re: What devices need to be patched? (Score:2)
Re: Gee, thanks Mr. Google (Score:2)
Re: (Score:1)
This is a trolling effort worthy of the legendary posters of yore!
+5 Inciteful
Re: MS just gets stuff done. (Score:2)
allowing attackers to manipulate websites?? (Score:1)
A WiFi attack allows one to manipulate a website? That escalated quickly.
Oh, just /. editors' normal approval of bunk write-ups.
Re: (Score:1)
A WiFi attack allows one to manipulate a website? That escalated quickly.
Oh, just /. editors' normal approval of bunk write-ups.
It's actually possibly correct, assuming a non-HTTPS website.
Which means it's correct but not at all likely.
Re: (Score:1)
That would be "manipulate traffic to and or from a website" not "manipulate a website".
Re: allowing attackers to manipulate websites?? (Score:1)
Re: (Score:1)
That's not manipulating a website. That's manipulating the traffic.
Re: (Score:2)
Even if the site's content submission forms are protect
Re: (Score:1)
Modified traffic. Not a modified website.
Re: (Score:2)
Re: (Score:1)
No. The website remains the same. The content, as seen by the user, may be altered. Large difference. If credentials are compromised, that's a separate issue.
Re: (Score:2)
This vulnerability opens up the user's session to being hijacked in a way that alters the content being submitted to any non-HTTPS website. That content could be forum posts or article comments. It could mean any URL posted in a comment could be changed to point at a pharma scam website. The user's browser could receive javascript injection that starts comment-spamming (as the user) a forum or wordpress site in the background.
Packet-level ma
Re: (Score:1)
Your examples are marvelous. They're also irrelevant to my point. The website is not altered.
Re: (Score:2)
Already released patch or new patch as of today? (Score:2)
The article wasn't quite clear? Made it sound like it was all, already taken care of... but didn't quite specify when that patch was released?
Re: (Score:3)
So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it is required in the 802.11i spec from the start.
Windows rejects retransmit requests, causing the attack to fail.
Re:Already released patch or new patch as of today (Score:5, Insightful)
Sounds like a good fix to me. Instead of accepting retransmits, it's safer to restart the entire handshake.
Re:Already released patch or new patch as of today (Score:4, Interesting)
"The key negotiation process needs to allow for the possibility of radio interference, so it permits the access point to re-send the message that is step three of the handshake. If an attacker sends a copy of this message, the client device will be tricked into reverting back to the original encryption key and initialization vector used at the start of the session. The client's next transmissions will have been encrypted with the same key as earlier transmissions, even though that key was only meant for a single use. That allows for a key reuse attack, which doesn't directly expose the underlying encryption key but does make it relatively easy to decrypt the data that was encrypted, especially if something is known about the structure of the messages that were both encrypted with the same key. IP packet headers, in turn, provide exactly that."
Yes, if the phase 3 handshake re-transmit required by the specification inherently enables a key reuse attack, then the flaw is not in the implementation, but the specification itself, and security would dictate that one refuse to enable that portion of the specification. Losing the ability to initialize a connection in a high RFI environment, which most installations attempt to avoid and mitigate, is an inconvenience. Having your traffic snooped is quite a bit more of an issue.
Re:Access Points (Score:5, Insightful)
Worse, how many millions of Android handsets will never see this patch?
Re: (Score:2)
Re: (Score:2)
How many have anything on them worth attacking?
CPU cycles are one commodity. People tend to use the same password for multiple sites, so finding the one social network that sends it unencrypted is paydirt for someone who will take it and attempt it on other sites.
Re: (Score:2)
Won't make a bit of difference if the access points are still vulnerable.
This seems to be more of an attack on clients (e.g. laptops, tablets, phones) rather than access points.
Interestingly, this vulnerability does not expose a network's WPA2 passphrase.
Re: (Score:2)
Wrong.
If you patch a client that client is safe.
If you patch an AP all clients using that AP are safe.
Re: (Score:3)
If you patch a client that client is safe.
If you patch an AP all clients using that AP are safe.
Wrong. There is no possible AP only patch that renders clients safe.
Android updates suck (Score:5, Insightful)
So now most Android devices are, and will continue to be, vulnerable to both BlueBorne and WPA2 KRACK, meaning that essentially they are wide open to anyone pilfering whatever they want off the device itself and as they communicate over the air. With most manufacturers abandoning updates in 3 years or sooner, and for the small pool of supported devices having very infrequent updates available, many times 3-6 months behind the curve, why do we allow this kind of chronic insecurity?
It's insane that we allow businesses to behave like this: Give everyone computing devices they use to run their lives - healthcare, credit, banking, social, BYOD work, etc. and leave them open like Swiss cheese.
Re: (Score:3, Insightful)
So, what you're telling me is that all of the affected customers will not be receiving updates, and they'll have to buy a new device?
What a tragedy. By which I mean, the refusal to provide updates will result in greatly increased sales.
Re: (Score:3)
This is one of the primary reasons I use iOS. Apple, for all their other negatives, DO support their products pretty well. I know I can expect a good 5 years of updates for my iThing.
I'm more pissed off at the entire industry as a whole, because we are literally in a situation where consumers have no choice other than to pick the vendor that pisses them off the least. There are literally NO good vendors. They either make crap products, don't support their products, use their products to steal your person
Re: (Score:2)
No modpoints, but have a "hear, hear"!
Re: (Score:2)
I have an old iPad 2 (I think) that won't accept any more updates. It'd be nice if Apple made a special update for old devices just for this, since it completely destroys security.
Re: (Score:2)
But Apple won't port the fix back to previous versions of iOS for devices that can run the latest. I don't want to install iOS 11 because it doesn't offer me anything I want. It'll just slow things down until 11.1 comes out when they have had a chance to work on performance. But there's no way for me to get the security updates to 10 if I want to stay on that version. So now when the patch comes out for iOS 11 I'll have to "upgrade" to 11 just because I use my devices outside of the house.
At least Apple doe
Re: (Score:2)
The problem is the damn carriers. They delay the manufacturer patches while they do their own "testing" and tweaking (i.e. installing software you can't uninstall), sometimes for months. Apple was able to strongarm the carriers into conceding control over software updates on iPhones. None of the Android manufacturers has enough marketing clout to do the
Re: (Score:2)
As an end user I really don't care where the problem is. If there's a serious vulnerability, I expect it to be fixed. I don't care if it's Google, the manufacturer, the carrier, or a leprechaun. At the end of the day, if I have an Apple device that is 5 years old, I *will* get an update. If my device is older than that, I may still get an update if the issue is serious enough.
In the android world, it's a crap shoot. Hell, it was only a couple of years ago or so when the big makers (Samsung, LG, I forge
Re: (Score:2)
Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs.
Sadly, for many customers they rely on the goodwill of their OEM and telco to provide serious patches. I expect shops like Samsung, Lenovo/Moto, LG, Sony, and HTC to patch pretty much any phone sold in the past 3 years or so.
Budget buyers, no-name brands, etc are most likely going to be hacked constantly until they replace the phone. KRACK is bad but WPA-AES means they can't inject data and
Re: (Score:2)
>"Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs. "Budget buyers, no-name brands, etc are most likely going to be hacked constantly until..."
What about Google's OWN DEVICES? I have a Nexus 5 which I bought in Feb 2014 when they were still very new. I haven't had a single update since Dec 2016. The phone works fine, it does what I want, but it will never be patched.
I don't expect updates forever, but mine didn't even get updates for
Re: (Score:2)
If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it.
Re: (Score:2)
>"If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it."
I have given it serious consideration but it seems there was always something majorly wrong- either it would break Netflix or break TiVo, or was missing the Google apps, or was too dangerous, or required a lot of maintenance, etc. And if it was a NEW device, it would void the warranty, which is just too risky on a $400-$800 device.
I suppose I will have to do SOMETHING ev
Re: (Score:2)
If it's new, you will be getting updates anyway. If not, you could try stock Android. That should be pretty safe for running whatever app you want, and it will have the Google stuff. And if you don't want to put the latest OS on an older device I believe Google is good about issuing security patches, so you could go back to Lollipop or Marshmallow without giving up security. I don't know that for 100% though so don't take my word for it.
What percentage of Android will be patched (Score:5, Insightful)
Android Will Be Patched Within Weeks
What percentage of Android will be patched?
The 18% with 7/Nougat or better,
the 50% with 6/Marshmallow or better,
the 78% with 5/Lollipop or better,
the 92% with 4.4/Kitkat or better?
https://developer.android.com/... [android.com]
Re:What percentage of Android will be patched (Score:5, Insightful)
Android Will Be Patched Within Weeks
What percentage of Android will be patched?
The 18% with 7/Nougat or better,
the 50% with 6/Marshmallow or better,
the 78% with 5/Lollipop or better,
the 92% with 4.4/Kitkat or better?
https://developer.android.com/... [android.com]
The .02% with 8/Oreo or better
Re: (Score:2)
As I know from first-hand experience (Broadpwn), the Samsung SGS8 will get its update one and a half months after stock Android received its patch. The Samsung SGS7 and SGS6 will get it in 3 months. And the SGS5 (which was still for sale just a year ago) will go unpatched for so long that the few users that had one switched to a brand new iPhone.
Yup, no more samsung in my company.
Re: (Score:2)
What percentage of Android will be patched?
Those which are rooted and have available drivers so you can recompile them yourself, plus a couple of randomly chosen models running the newest version of Android 9.53.
Re: (Score:2)
Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. the Samsung Galaxy Tab 3, which is now 5 years old, had its most recent security update applied in February this year for both devices running 4.4/KitKat and those which were optionally upgraded to 5/Lollipop by users.
And that's to say nothing of the many security problems that are resolved in Android by simply updating some application through the p
Re: (Score:2)
Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. the Samsung Galaxy Tab 3, which is now 5 years old, had its most recent security update applied in February this year for both devices running 4.4/KitKat and those which were optionally upgraded to 5/Lollipop by users.
A Samsung branded device is no assurance of a patch. I have older Galaxy S phones that have not been offered patches in years.
Re: (Score:2)
I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.
Prior to that there existed no patching framework as it was only introduced in KitKat.
Re: (Score:2)
I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.
Prior to that there existed no patching framework as it was only introduced in KitKat.
My S4 mini hasn't patched in years.
Re: (Score:2)
Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.
Re: (Score:2)
Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.
As I said, a Samsung branded device is no assurance of a patch.
Re: (Score:2)
As I said, not Samsung's fault, not Google's fault, and quite critically to the very core of my original post: Nothing at all to do with vendors not updating the Android version.
Re: (Score:2)
Re: (Score:2)
>"Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android"
Even that doesn't help much as an explanation, either. I am one of the 50% that have Android 6.0.1, but it is on a Nexus 5. Google hasn't pushed a single OS update since Dec 2016, and likely never will. So it won't matter if they push it to older versions of Android, because I still won't get it, even on Google's own device.
Re: (Score:2)
That's not a guarantee. Google has pushed out security updates for devices past its guaranteed security update window in the past. But all in all you're still talking about a single device. The problem is ultimately one of vendors. In the security and core OS the issue is long solved.
E.g. 2017-09-01 security update which I got on my more than 3 year old Samsung devices has been back ported all the way to KitKat, and I actually own a Tab 3 which still runs KitKat which received a security update earlier thi
Re: (Score:2)
>"The problem is ultimately one of vendors. In the security and core OS the issue is long solved."
My point in all this was the original statement about back-porting it to Android 6. Even Google won't update their own Nexus devices running Android 6 [with other bug and security fixes], so why would any other vendor? Now, I say that, but I suppose it is POSSIBLE Google might update older devices running 6... I don't think we have had a security concern of this magnitude in recent history, so I guess we j
Re: (Score:2)
so why would any other vendor?
What a silly statement. Because not all vendors are the same? I just gave you an example of 2 devices which are almost twice as old running versions of Android far earlier than the Nexus. Don't put Google on some pedestal of perfection that others can't reach or even exceed.
What google decides to push specifically to the Nexus 5 has nothing to do with what fixes they apply to Android, fixes which they patch all the way to KitKat.
Re: (Score:2)
You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described.
Re: (Score:2)
>"You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described."
Yeah, I am probably too tired to be replying right now ;)
Re: (Score:2)
Pleasant dreams. :-)
Google has promised a fix for affected devices (Score:2, Insightful)
As a Nexus 5 owner, I'm not holding my breath on that being a true statement.
Did they? (Score:2)
I guess that explains why my Win10 box rebooted by itself two days ago.
Re: (Score:2)
It was the normal second Tuesday of each month from MS. :)
Some details please (Score:3)
Re: (Score:3)
The problem is on the client imho. Basically what you do is replay the authentication packet "as if" the packet got lost and you're just asking for the packet to be re-sent. The client will then re-send predictable data (zeros) which an attacker can thus use to decrypt the key.
It's a bit similar to the apocryphal story about hacking the Enigma, if you send "Heil Hitler" at the end of every message or weather reports, you can guess those portions of a key and by calculating back/forwards you can get a number
Re: (Score:2)
By ignoring any attempt to re-transmit and restarting the entire handshake process from the beginning. Ultimately it will result in a slower connection if something doesn't go perfectly the first go but the security flaw relies on a spec feature that was designed to cope with transmission errors during the negotiation process.
Re: (Score:2)
Maybe it can start a fresh handshake every time anyone reports a lost packet and requests a retransmission. Assume all retransmission requests are hostile intrusion. Not sure I get it fully even now.
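As an added example (not code from the article, The Verge, the KRACK paper or any vendor), here is a toy Python model of the client-side message-3 handling discussed in the Windows-fix comments above and in this subthread: the pre-patch supplicant honours a retransmitted message 3, reinstalls the key and resets its packet number, while the patched one ignores the retransmit, and a defender-side check flags the nonce reuse that results. The keystream function, key value and plaintexts are constructed stand-ins, not real CCMP.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for CCMP counter mode: output depends only on key and packet number."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + counter.to_bytes(2, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Client side of the 4-way handshake, reduced to how message 3 is handled."""
    policy: str                                  # "reinstall" (pre-patch) or "ignore" (patched)
    ptk: Optional[bytes] = None
    nonce: int = 0                               # CCMP packet number (PN) used for the next frame
    installed: bool = False
    sent: list = field(default_factory=list)     # (PN, ciphertext) frames as visible on the air

    def _install(self, ptk: bytes) -> None:
        self.ptk = ptk
        self.nonce = 0        # PN restarts from zero on every (re)installation: the reuse hazard
        self.installed = True

    def on_message3(self, ptk: bytes) -> str:
        if not self.installed:
            self._install(ptk)
            return "installed"
        if self.policy == "reinstall":
            self._install(ptk)    # pre-patch behaviour: retransmit is honoured, PN reset
            return "reinstalled"
        return "ignored"          # patched behaviour: key already in use, drop the retransmit


    def send(self, plaintext: bytes) -> tuple:
        self.nonce += 1
        frame = (self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext))))
        self.sent.append(frame)
        return frame


def detect_nonce_reuse(frames) -> set:
    """Monitoring check: PNs under one key must never repeat; any repeat is a red flag."""
    seen, reused = set(), set()
    for pn, _ in frames:
        if pn in seen:
            reused.add(pn)
        seen.add(pn)
    return reused


def run_scenario(policy: str) -> dict:
    ptk = hashlib.sha256(b"constructed-ptk-example").digest()[:16]   # constructed key
    client = Supplicant(policy)
    client.on_message3(ptk)                                          # genuine message 3
    first = client.send(b"GET /index.html HTTP/1.1")                 # constructed plaintext
    outcome = client.on_message3(ptk)                                # retransmitted message 3
    second = client.send(b"POST /login HTTP/1.1 pwd=x")             # constructed plaintext
    return {"outcome": outcome, "reused": detect_nonce_reuse(client.sent),
            "frames": (first, second)}


if __name__ == "__main__":
    for policy in ("reinstall", "ignore"):
        r = run_scenario(policy)
        print(policy, r["outcome"], "reused PNs:", r["reused"])
```

With the pre-patch policy both frames carry PN 1, so their ciphertexts XOR to the XOR of the two plaintexts, which is exactly the key reuse the quoted description warns about; the patched policy keeps the PN increasing and the detector stays quiet.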
What about all of the other clients? (Score:2)
It's not just the phones, tablets and computers that need to be updated. Since it's clients that need to be patched it's everything that connects to the network. Thermostats, scales, TVs, digital photo frames, ...
"already" is misleading and undeserved. (Score:2)
Unless the patch was deployed before the vulnerability was exposed, the word "already" shouldn't be in the headline.
How do you check? (Score:2)
OK, so how do I check whether a system has been pwned via any of these CVEs before being patched? OpenBSD provided system updates that essentially leaked the vulnerability, and government agencies have known for at least two months, not to mention everyone that they notified. Of course, we all have complete faith in the fidelity of our beloved United States government and all commercial corporations - they've never let us down.....
Does anyone have utilities that checks all system programs and critical file
Debian too... (Score:2)
Google doin great as always. (Score:1)
Re: (Score:1)
After those weeks it will take for google to patch it, add in several more weeks for the manufacturer and then yet more weeks for the carriers..... if they decide to do it at all.
Re: (Score:2)
Re: (Score:2)
What smartquotes? Those are the most stupid things that ever was invented since they screw up code examples royally.