[aklug] KRACK attack on WiFi at the protocol level (*all* clients affected)

Christopher Howard christopher at alaskasi.com
Tue Oct 17 15:11:33 AKDT 2017


If you get into the Q&A section at krackattacks.com, the researchers
claim that "*both* the client and AP must be patched to defend against
all attacks", though an unpatched AP and a patched client will still be
able to talk to each other, and the other way around.

On Mon, 2017-10-16 at 09:07 -0800, Christopher Howard wrote:
> One thing I am trying to get clear on is if it is enough, to protect a
> client/ap interaction, to have just the client patched, or if both the
> client and ap must be patched. It kind of sounded like (from the krack
> web page) that it could be just one or the other, but it wasn't clear
> to me.
> 
> I was able to patch my librecmc router this morning, and run updates on
> my Debian clients, so I'm feeling pretty good at home. But more
> concerning is the dd-wrt and linksys (proprietary) systems in my
> workplace - getting patched firmware builds is proving more
> challenging. So am wondering if it is good enough at present to just
> run updates on all the clients, or if I should be sending out
> frightening emails around the office about our wifi infrastructure
> being insecure.
> 
> On Mon, 2017-10-16 at 07:39 -0800, Royce Williams wrote:
> > Good question. That is my current (limited) understanding, yes.
> > 
> > On Mon, Oct 16, 2017 at 7:37 AM, Christopher Howard
> > <christopher at alaskasi.com> wrote:
> > > Does the server/router side stuff need to be patched as well? I saw a
> > > hostapd security patch in master branch of the librecmc git repo this
> > > morning, so I patched my router. But am wondering about all the
> > > dd-wrt/open-wrt routers out there that perhaps never get security
> > > updates...
> > > 
> > > On Mon, 2017-10-16 at 06:23 -0800, Royce Williams wrote:
> > > > Flaw with the protocol itself - so *anything* speaking Wi-Fi will
> > > > need to be patched, including the long tail of legacy, EOL, and
> > > > cheap IoT gear that will likely never be patched. Assume all Wi-Fi
> > > > networks are observable until then (core mitigation is to use a
> > > > VPN). Long term, recommend adding to RFPs for any gear (not just
> > > > wireless) to ensure updates for X period of time.
> > > > 
> > > > Main announcement:
> > > >     https://www.krackattacks.com/
> > > > 
> > > > Paper with background:
> > > >     https://papers.mathyvanhoef.com/ccs2017.pdf
> > > > 
> > > > I will assemble what I know here:
> > > >     http://www.techsolvency.com/story-so-far/krackattack/
> > > > 
> > > > Other good meta-threads and summaries, keep an eye on these:
> > > >     https://github.com/kristate/krackinfo
> > > >     https://www.reddit.com/r/sysadmin/comments/76lj5q/this_is_a_core_protocollevel_flaw_in_wpa2_wifi/
> > > > 
> > > > 
> > > > Per-vendor stuff:
> > > > 
> > > > Aruba:
> > > >     http://community.arubanetworks.com/t5/Wireless-Access/Core-level-protocol-flaw-in-WPA2/td-p/310038
> > > >     http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf
> > > >     http://www.arubanetworks.com/support-services/security-bulletins/
> > > > 
> > > > wpa_supplicant:
> > > >     https://w1.fi/cgit/hostap/commit/
> > > > 
> > > > 
> > > > News:
> > > > 
> > > > https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
> > > > https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/
> > > > 
> > > > 
> > > > CVEs:
> > > > 
> > > > CWE-323
> > > > CVE-2017-13077
> > > > CVE-2017-13078
> > > > CVE-2017-13079
> > > > CVE-2017-13080
> > > > CVE-2017-13081
> > > > CVE-2017-13082
> > > > CVE-2017-13083
> > > > CVE-2017-13084
> > > > CVE-2017-13085
> > > > CVE-2017-13086
> > > > CVE-2017-13087
> > > > 
> > > > Royce
> > > 
> > > --
> > > Christopher Howard
> > > Enterprise Solutions Manager
> > > Alaska Satellite Internet
> > > 3239 La Ree Way
> > > Fairbanks, Alaska 99709
> > > 1-888-396-5623
> > > https://alaskasatelliteinternet.com
> > > personal web site: https://qlfiles.net
> > > https://emailselfdefense.fsf.org/en/
> > > 
> > > 
-- 
Christopher Howard
Enterprise Solutions Manager
Alaska Satellite Internet
3239 La Ree Way
Fairbanks, Alaska 99709
1-888-396-5623
https://alaskasatelliteinternet.com
personal web site: https://qlfiles.net
https://emailselfdefense.fsf.org/en/

