Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

WPA2 Wi-Fi users – ie, almost all of us – have had a troubling Monday with the arrival of research demonstrating a critical design flaw in the technology used to secure our wireless networks. A flaw so bad, it can be exploited by nearby miscreants to potentially snoop on people's internet connections over the air. However, don …

  1. thames
    Pint

    Already patched here.

    The patch for Ubuntu appeared on my PC in the middle of the afternoon yesterday (Monday). The update icon appeared in the launcher bar, I clicked on it, and it was done in a few seconds.

    No problems so far, but then I don't have Wifi on this machine either! The one thing that I've got that uses Wifi (a cheap ebook reader) also never seems to get any updates for anything.

    1. gypsythief

      Re: Already patched here.

      Except that as I understand the issue, _everything_ needs patching; not just your laptop (notwithstanding "but then I don't have Wifi on this machine either"), but your router also.

      And good luck getting any patches out of Brontosaurus Telecom. This problem ain't going away anytime soon.

      1. Solarflare

        Re: Already patched here.

        If he isn't using WiFi (i.e. he is cabled in) then he isn't going to have much of a problem with this one...

    2. Lord Elpuss Silver badge

      Re: Already patched here.

      "...but then I don't have Wifi on this machine either!"

      Good for you. I'd suggest you're definitely in the minority though...

      1. MyffyW Silver badge

        Re: Already patched here.

        Wish I could say the same. My debian boxen are patched-to-the-teeth as befits my probably-somewhere-on-the-spectrum habit. But that Kindle eBook reader from 2011 probably isn't. You could say "chuck it", or I could say "fuck it" ...

  2. Griffo

    Has to be within range

    TheReg seems to think that having to be within WiFi range is a huge obstacle:

    "For a start, an eavesdropper has to be in wireless range of the target network, and have the time and specialized software to pull off the KRACK technique."

    Well.. sure. But from my house I can see about 15 of my neighbours' networks, and at my office I can see an amazing number. So yeah, only a couple of dozen networks that right now are probably wide open to me breaking. But nothing to see here.. move on.

    1. Charles 9 Silver badge

      Re: Has to be within range

      And that's not counting wardrivers and other dedicated radio hacks that can use directional antennas and other equipment to get longer range and stay out of sight.

      1. An nonymous Cowerd

        Re: Has to be within range

        I have ethically hacked, as in taken over my own wi-fi router and intercepted a client using it, from a Landrover parked >2.5 kilometres away on a hill. Because I was asked to do it, in writing, and then it was publicly published somewhere in IEEE proceedings or similar, never to be seen again. been there done that!

        requirements:

        £99 https://hakshop.com/products/wifi-pineapple or similar

        £99 https://www.wimo.com/download/18686.24.pdf (1MB pdf) to get you >sixty watts EIRP

        tho' many wardrivers, and I know some - they do exist - probably use the ebay £40 Alfa.com.tw adapters with a 9-dBi vertical (the wardrivers that I know have toured my area, and done a slurp on all open/WEP/WPS APs, plotted them on OS maps or equivalent, and $Deity alone knows what they are up to)

        1. big_D Silver badge

          Re: Has to be within range

          But at the end of the day, this is unlikely to happen to the vast majority of home networks.

          Business networks are another thing altogether.

          Because of the physical proximity and the effort involved, think of this as more of a phishing attack, as opposed to a normal spam attack.

          This doesn't belittle the impact of the problem, but, at least at first, I would expect this attack to be limited in scope to targets that have something to lose. Your average home router probably has much easier to exploit, un-patched remote access vulnerabilities anyway.

          1. Wayland Bronze badge

            Re: Has to be within range

            Murder does not happen to the vast majority of people but it's still serious. It will happen where there is a good reason to do it.

    2. Lysenko

      Re: Has to be within range

      If you (as an attacker) are going to procure special equipment (as this attack requires) and physically locate yourself in the vicinity of the target then you could also physically tap the ADSL lines[1] which has the added advantage of not showing up in any of the target's logs. More prosaically, since you're physically in the vicinity, you could just look for open windows and burgle the target.

      Physical proximity is a big deal in practice. Most attacks that I detect originate with skiddies operating via CN addresses so anything involving visa rules and airfares eliminates the vast majority of potential miscreants at a stroke. In fact (now that I think of it), I can't remember the last time anything suspect resolved to a local (and I mean country, not neighbourhood) address.

      [1] TraceSpan and Broadframe make kit for this, but as with the KRACK technique you could build your own.

    3. Pascal Monett Silver badge

      Re: Has to be within range

      I believe that startup incubators have a bunch of companies that are in range of each other without much choice in the matter.

      I know one which actually only has one WiFi access point for all the freelancers in the vicinity. No cables available.

      Would be like shooting fish in a barrel.

      1. sabroni Silver badge

        Re: Has to be within range

        If the two possibilities are every machine in the world and every machine in wifi range then it's worth mentioning that the second is virtually 0 compared to the first.

    4. Rich 11 Silver badge

      Re: Has to be within range

      But from my house I can see about 15 of my neighbours' networks, and at my office I can see an amazing number.

      I used to be able to see a dozen of my neighbours, until I went around each one and suggested they lower their power output. Now I usually only see four to six, and we're hopefully not interfering with each other so we should get better bandwidth. (Of course it helps that I live in an area of narrow streets and terraced houses with no long gardens, so no-one was inconvenienced by the limited range.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Reducing WiFi power?

        I didn’t know that there was a setting to reduce your WiFi router’s power output. I’ll need to guddle in the settings and have a look for it...?

        1. Wayland Bronze badge

          Re: Reducing WiFi power?

          Some of the newer 802.11 protocols do 'beam shaping' (Ruckus). This allows them to listen and talk in the direction of who they want to talk to. The difference in connection and width is amazing. In the case of a Ruckus Access Point even good old 802.11g is miles better. You can actually reduce the need for boosters and repeaters simply by having the right signal.

      2. Updraft102 Silver badge

        Re: Has to be within range

        I got you both beat! Right now, I have 48 APs showing on inSSIDer on my laptop. I'm in a regular single-family house, not a flat, and still... 48. I mean, that includes mine (one for 5GHz, one for 2.4, one 2.4/guest), but it's still a lot. InSSIDer has been running a while, a few hours maybe, so any network that drifts in and out is listed. When I restart inSSIDer, it shows only 30 or so, but it creeps up and up...

        Of those 48, four are in the 5 GHz band. (I wonder why my bluetooth audio connection between my laptop and my desktop PC (which has decent speakers, unlike the lappy) sometimes can't seem to find a channel it can use... no, not really.)

    5. Anonymous Coward
      Anonymous Coward

      Re: Has to be within range

      As @Griffo said, Indeed, I can see WiFi networks of all neighbours on my road (without any fancy aerial kit).

      Similarly, at work, with PC and phone, I can see lots of WiFi networks.

      Most pubs, restaurants, coffee shops I can see lots of networks around

      Yes, there will be some isolated areas that you would look suspect, but lots of networks could be "hidden" hacked.

      And lots of chances to "lurk" without being in a vehicle but still not look suspicious, e.g. waiting at a bus stop with cracking software running

      1. big_D Silver badge

        Re: Has to be within range

        At home, I can see 3 other networks, at work I can barely see our own!

        Even on the street in front of the premises, there are no other networks visible.

      2. Wayland Bronze badge

        Re: Has to be within range

        Sitting with a laptop and antenna looks suspicious. Holding a phone looks normal.

    6. jobst

      Re: Has to be within range

      ..... and all those coffee shops and free wifi's!

      1. big_D Silver badge

        Re: Has to be within range

        Many free wifi places have other problems, like no WPA2 anyway, they often use unencrypted links, so the WPA2 problem is irrelevant, the data can be sniffed anyway.

    7. Wayland Bronze badge

      Re: Has to be within range

      Easy to hook into some WiFi from 2 miles away.

    8. Anonymous Coward
      Anonymous Coward

      Re: Has to be within range

      OC'd antenna and I can see over 200 wifi access points from my study, I'm in a small rural town and not near the center of town either.

      It's scary to think of how many are out there. Even seen two with WEP enabled.

  3. This post has been deleted by its author

  4. Field Commander A9

    MAC Filtering

    If my router isn't getting patched any time soon, does enabling MAC filtering protect against this attack?

    1. Charles 9 Silver badge

      Re: MAC Filtering

      No, because they can spoof an existing whitelisted member.

    2. Chronos Silver badge

      Re: MAC Filtering

      Never rely on MAC filtering for anything. MAC spoofing is utterly trivial. That's not to say don't enable MAC filtering and know what's on your network, just don't treat it as a layer in the security onion.

      IPSEC is your friend if you really want to be secure over 802.11. There's the obvious trade-off in CPU cycles and throughput overheads, natch, but you need to define your priorities and compromise accordingly.

      1. xpz393

        Re: MAC Filtering

        Oooh, have an upvote for the "Security Onion", my friend :-)

    3. Dan 55 Silver badge

      Re: MAC Filtering

      No, because MACs are sent in the clear so can be discovered easily.

      1. TRT Silver badge

        Re: MAC Filtering

        MAC spoofing is also an integral part of the attack.

    4. Lord Elpuss Silver badge

      Re: MAC Filtering

      2 dickheads found it necessary to downvote the OP for daring to ask a question. Sigh.

      #despairs

      1. Adam 1 Silver badge

        Re: MAC Filtering

        @LordElpuss

        You must be new here.

  5. Chronos Silver badge

    LEDE

    hostapd in LEDE has been patched in the master branch. This does mean you'll have to build it yourself until the snapshot builds catch up. Yet one more reason, were it needed, to eschew devices which rely on vendor patches.

    1. Charles 9 Silver badge

      Re: LEDE

      The problem becomes when the ONLY devices out there rely on vendor patches because, for example, there are patents involved.

      1. Chronos Silver badge

        Re: LEDE

        I've been saying since forever that patents and standards should be mutually exclusive. Moot point here, though, because WPA/RSN is handled by the host so the binary blobs full of trade secrets used to abstract the hardware (Atheros, Broadcom et al) aren't an issue in this context.

        1. Credas Silver badge

          Re: LEDE

          I've been saying since forever that patents and standards should be mutually exclusive.

          Great idea, but who's going to do the hard work in the absence of a future source of income from patent licensing?

          1. Chronos Silver badge

            Re: LEDE

            Credas wrote: Great idea, but who's going to do the hard work in the absence of a future source of income from patent licensing?

            I didn't say it was a perfect solution; those only exist in the minds of idealists. There are some advances, however, that we could do without. Let us first define progress: Taking the best of what you have. And ruining it.

            It's somewhat confusing that we have one law which prohibits monopolies and another that encourages them in very specific niches. It's almost as if it was designed by two different committees. Oh, wait...

          2. Doctor Syntax Silver badge

            Re: LEDE

            "Great idea, but who's going to do the hard work in the absence of a future source of income from patent licensing?"

            Hardware manufacturers. They have a mutual interest in cooperating. Take, for instance, the humble electricity plugs and sockets. You will expect your house to be wired with whatever is your local standard. Likewise you'll expect any appliances to be equipped to plug into that. Anyone trying to sell non-standard items is going to have a small market.

            If public standards require no patents, as opposed to FRAND patents* then manufacturers who want to be able to sell stuff have to accept that they have a choice between not protecting their stuff with patents and not selling it.

            Somewhere along the line we seem to have missed out ensuring that public interest is looked after.

            * FRAND is supposed to stop disputes. It hasn't worked.

            1. Charles 9 Silver badge

              Re: LEDE

              "Hardware manufacturers. They have a mutual interest in cooperating."

              Not necessarily. If a market is mature or has significant government involvement, like plugs with their legally-binding safety standards, then yes, the manufacturers find it's best to come to terms.

              BUT if a market is competitive, like it is in the SoC markets, then they DON'T want to cooperate because they're instead out to conquer. THEY want to become the standard-bearer instead of The Enemy. And governments usually don't set a standard until the smoke has cleared for fear of being chided for doing it wrong and wasting taxpayer money and possibly getting voted out.

              "Somewhere along the line we seem to have missed out ensuring that public interest is looked after."

              Of course not. The first priority of any business is to make money. Otherwise, it has no real reason for existing. All else is secondary, and part of the aim is to manipulate governments to maintain the status quo. If a government moves to mandate businesses cater to citizens first, you move to change the government to not make it so anymore.

              1. Kiwi Silver badge

                Re: LEDE

                The first priority of any business is to make money. Otherwise, it has no real reason for existing.

                I realise your experience of the world may be a bit lacking, as much as you think it isn't, but I can assure you that for a great many business owners their first priority is NOT to make money, but to work in a field they enjoy and to do the best they can.

                You may find this odd, but a lot of people actually start businesses with spare resources because they don't like the perceived poor performance of others in the local market, or because it's something they can do and the local market isn't catered for.

                1. Charles 9 Silver badge

                  Re: LEDE

                  But if they don't make money, they bleed out and disappear. Put it this way. The first priority of any human is to obtain sustenance; otherwise, they die. Money, as they say, makes the world go round, and money is the lifeblood of any enterprise. Econ 101. You gotta pay the bills.

                  1. Kiwi Silver badge
                    Facepalm

                    Re: LEDE

                    But if they don't make money, they bleed out and disappear.

                    There's LOTS of small ("boutique") businesses like a lot of independent 2nd hand bookshops, antiques shops, many charity shops etc that have been running for years (sometimes decades), sometimes without enough income to pay the rent, yet they survive.

                    They survive because the owner is doing something s/he loves, and is not tied to the income from the shop.

                    Then look at the huge number of home-based businesses where the owner might sell one trinket a week, where they spend a few hours each week making said trinkets as a hobby and if they sell they sell if they don't sell so what.

                    As to "money being the lifeblood of any enterprise"; no, it's the workers (are you competing for silliest comment of the year?). Without the staff to run the business, even if there's a $billion in the bank, the business is dead the moment the last person decides they're not working there any more.

                    Get away from your "PROFESSIONAL gamers!!11!!1" for a while and get out into the real world, and get some life experience. This is stuff you learn in the first basic module of Real Life 101.

  6. Anonymous Coward
    Anonymous Coward

    I'm not worried because I use WEP and hide my base station ID.

    1. Charles 9 Silver badge
      FAIL

      WEP is trivial to crack these days and attackers can simply poll the devices that connect to your base station. Since you hide your ID, the clients MUST by necessity keep polling for them just to connect. Dead giveaway which is why it's considered good form not to rely on obscurity here. It's better to be known but hardened.

      1. Alan W. Rateliff, II

        Your post is informative to those who do not know otherwise, but... that was the joke.

        Honestly, I completely discount this "backward compatibility" nonsense argument for why equipment still includes WEP (non-)encryption.

        1. Anonymous Coward
          Anonymous Coward

          Wait what? My AP isn't secure?

          Next you'll be telling me I need to patch my XP boxes.

          1. Solarflare

            "Next you'll be telling me I need to patch my XP boxes."

            No no no, don't worry about that. XP stands for eXtremely Protected after all!

            1. Anonymous Coward
              Anonymous Coward

              Phew!

              I was worried for a minute then as I thought it might have been a problem what with all the cheap IoT cameras I have from China in the DMZ as well.

            2. PNGuinn Silver badge
              FAIL

              @ Solarflare

              No, that was last week. It's been patched.

              It now stands for eXcellently Patched.

              Do keep up.

          2. Mage Silver badge

            IoT, old consoles

            Old Android, old iOS, old Windows and embedded / IoT gadgets will never get patches. Old Nintendo handhelds etc already could not be used on properly set up WiFi as they didn't do WPA2 / AES, only TKIP etc.

            My linux laptop WiFi is patched already, last night. Need to check everything else.

        2. Charles 9 Silver badge

          "Your post is informative to those who do not know otherwise, but... that was the joke."

          Then where's the Joke Alert? Otherwise, I consider this a very bad case of "Dude, Not Funny!" unless YOU want to be one to argue with someone who insists on using a device that can ONLY use WEP (like a D-Link DIR-604, which is too weak to use WPA, believe me I've tried firsthand) and refuses to take, "Start from scratch" for an answer.

          1. Anonymous Coward
            Anonymous Coward

            @Charles 9

            I post AC so I can't use the icon, some can but I haven't tried to work out how to do it.

            Rest assured if you ever see a post by an AC that is so absurd, ridiculous or just plain stupid to the power of 10 then it's a joke.

            1. Alan W. Rateliff, II
              Paris Hilton

              hrmmmm Perhaps we can convince El Reg to use an icon of a troll instead of Guy Fawkes for ACs.

              1. Anonymous Coward
                Anonymous Coward

                @Alan W. Rateliff, II

                Good sir, I resent that comment I have never been and never will be a troll, I don't even own a bridge.

                1. Mike Moyle Silver badge

                  "Good sir, I resent that comment I have never been and never will be a troll, I don't even own a bridge."

                  Do you want one? I've got a nice one in Brooklyn that I can let go for a VERY reasonable price!

            2. Robin

              Rest assured if you ever see a post by an AC that is so absurd, ridiculous or just plain stupid to the power of 10 then it's a joke.

              Also, one that's clearly a joke (given the target audience) is probably a joke too.

            3. Solmyr ibn Wali Barad

              "I post AC so I can't use the icon, some can but I haven't tried to work out how to do it."

              - Post as AC

              - edit the post

              - untick checkbox 'Post anonymously'

              - choose an icon

              - hit 'Submit'

              Voilà. Post stays anonymous, but is decorated with an icon.

              It's probably a quirk in the forum code and will be corrected Anytime Soon®. Enjoy it while it lasts.

              1. Solmyr ibn Wali Barad

                Bugger. Does not work anymore.

                1. Anonymous Coward
                2. Anonymous Coward
                  Anonymous Coward

                  Re: Does not work anymore.

                  That'll teach you. Where's the fun in secret back doors, if they're not secret any more?

            4. Charles 9 Silver badge

              Then use the <Sarcasm> tag if you can't use the icon. Otherwise, always consider that Truth can be stranger than fiction and that what you think is a joke really happened somewhere.

              1. Androgynous Cupboard Silver badge

                You're in a hole Charles, for the love of god stop digging.

                1. Charles 9 Silver badge

                  If you're in a hole and all you have is a shovel, how do you get out without digging?

                2. Kiwi Silver badge
                  Coat

                  You're in a hole Charles, for the love of god stop digging.

                  Maybe he's really religious, and wants to live on hole-y ground?

                  I know, I know, I'm going. No need for bullets...

              2. Anonymous Coward
                Trollface

                Trump got elected president<Sarcasm>

  7. sanmigueelbeer Silver badge
    FAIL

    IoT ... HA HA HA HA

    The biggest problem I see are the Internet of Trash. Y'know those cheap Wi-Fi devices with hardcoded root passwords?

    Yeah, those ones. I bet the OEM ain't going to give a rat's a$$ pushing out patches.

    1. petur

      Re: IoT ... HA HA HA HA

      Espressif already has a firmware out with fixes, so IoT using ESP chips can be upgraded (mine will).

    2. bombastic bob Silver badge
      Unhappy

      Re: IoT ... HA HA HA HA

      yeah some IOT devices have WPA2 support on SILICON

      and thinking of content injection - TCP protocol would limit its effectiveness and you'd likely get framing errors on both ends [rendering it ineffective], unless there's a true MITM going on where the packet stream can be edited, in both directions [netfilter does this for NAT FTP, for example, and has some helper functions to assist you in modifying a TCP stream - but netfilter IS "the man in the middle"]

  8. Ben Bonsall

    dd-wrt builds from yesterday already have the patch. :)

    1. This post has been deleted by its author

      1. Ben Bonsall

        yes. repeaters.

  9. Anne-Lise Pasch

    As a sysadmin, the impact is far more severe than the 'shady hoodie' issue. We're an office in central London. In a managed building of many floors and other companies. This is *not unusual*. GDPR et al say we have to protect customer data. If there's a known, unpatched, easy exploit to our perimeter, then we have to do something. In this case, terminate wifi until further notice. (Even if further notice only ends up being a few days.) Because our security just weakened from authentication/privilege escalation to bypass, to just privilege escalation. And that's a lot of unhappy pointy-hairs.

    1. MrXavia

      Surely the problem is the devices connecting, if you have BYOD policy in place, how can you be certain that the devices are updated?

    2. phuzz Silver badge

      Put your wifi on the outside of the firewall, and get people to use a VPN if they want to connect to the main network.

    3. Anonymous Coward
      Anonymous Coward

      You have PHBs who actually genuinely care about Data Protection compliance and security, rather than just paying lip service? «faints with impressed shock»

  10. Chz
    Facepalm

    Web site encryption

    "and that's why we try to do HTTPS and other end-to-end encryption everywhere"

    Which is why El Reg hasn't bothered to jump on that trend (defaulting to HTTPS) yet. ;) C'mon, guys. Most of the larger sites have turned it on.

    (Yes, I know the forums are using SSL but the whole site really should)

    1. Dan 55 Silver badge
      WTF?

      Re: Web site encryption

      The whole site does, at least for me.

      Something up with your browser's HSTS setting?

      1. Jonathan Richards 1
        Go

        Re: Web site encryption

        For aeons, I've been using a bookmark for El Reg which explicitly had http:// prefixed. That meant that all the pages I visited here were also unsecured. I just changed the bookmark to be https://, and now wherever I go on theregister.co.uk, I get the little green Padlock of Reassurance. Simples, but I never bothered until this morning!

    2. Craigie

      Re: Web site encryption

      Install 'HTTPS Everywhere' in Chrome. Idk if el reg defaults to HTTPS or not, but it does for me.

      1. Mage Silver badge

        Re: HTTPS Everywhere' in Chrome

        Except Chrome is Google spyware. No thanks.

        Anyway, that's a pointless plugin.

      2. Dan 55 Silver badge

        Re: Web site encryption

        I think it must be HTTPS Everywhere. I just tried going to the HTTP site in two other browsers (IE11 and Vivaldi) and it didn't switch to HTTPS.

        1. DropBear Silver badge
          Alert

          Re: Web site encryption

          "The whole site does, at least for me."

          It's a bit of "Schrödinger's HTTPS" though. I type theregister.co.uk and get auto-redirected to https://; but if I type www.theregister.co.uk the site proceeds to merrily chug along on http://...

    3. Anonymous Coward
      Anonymous Coward

      Re: Web site encryption

      "and that's why we try to do HTTPS and other end-to-end encryption everywhere"

      What makes you think HTTPS is end-to-end?

      1. Amos1

        Re: Web site encryption

        Quite. And even if you cannot get your own root certificate installed on their PC it's not a problem.

        "Certificate error? WTH does that mean? I went to this website yesterday and I didn't get an error! I know it's fine! *CLICK*"

      2. Adam 1 Silver badge

        Re: Web site encryption

        > What makes you think HTTPS is end-to-end?

        What, you telling me that a cloudflare certificate might be encrypted at the caching/DDOS mitigation layer but flow as clear text between origin and cloudflare, permitting you to activate HTTPS on your website without needing to actually change your server configuration by checking a few checkboxes? Shirley not. It isn't like commentards were giving a hard time every time a new security story came up...

  11. Anonymous South African Coward Silver badge

    /goes off to check Ubiquiti Unifi updates

    There is a good reason why wifi need to be on its own VLAN or physically separated from the main network... and this is one of them.

  12. Anonymous Coward
    Anonymous Coward

    Yawn

    "but we shudder to think about all the Linux-based unloved Internet-of-Things devices out there that will remain unpatched for a while or indefinitely."

    I know it's fashionable to hate IOT right now, but you are just embarrassing yourself by pretending all IOT is the same...

    https://partner.android.com/things/console/?pli=1

    Click click done. All IOT devices have an OTA update that they will download in the next 24 hours or so.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yawn

      Until someone hijacks the update mechanism to turn your IOT stuff into the next Mirai...

  13. phuzz Silver badge

    Lineage OS

    LineageOS just patched what looks like *all* the vulnerabilities in "android_external_wpa_supplicant_8", so the next builds should be good.

    Mind you, they probably won't be released until next week for some devices.

    1. Chronos Silver badge
      Thumb Up

      Re: Lineage OS

      Ta muchly for that post. I shall sync and kick off a build. That will be pretty much all devices patched against this flaw.

  14. Colonel Mad

    Netgear R6250

    Patched, Firmware date 1st October 2017, Pleased!

  15. Shameless Oracle Flack

    Drop IEEE for Apache/Internet Societ

    IEEE is supposed to be non-profit but it is always trying to make money off standardization efforts. Better to leverage Apache's infrastructure and use the money saved by dropping IEEE to fund open source driver development for all major phone and PC platforms.

  16. Haku

    "There is no, to the best of our knowledge, working exploit code available yet "

    aka "It has been reported that a hole has appeared in the side of a high street bank yesterday. Police are looking into it."

  17. Anonymous Coward
    Thumb Up

    To stop 99% of malicious JavaScript code injections and malware downloads into plain HTTP connections, just switch on your ad blocker.

  18. TheNotSoEvilEngineer

    I'm not too worried about corporate networks.

    What's the worst that could happen? Equifax already released all of the US consumer credit information.

    Corporate networks will get patched, the home users and their easy to exploit IoT devices are what I worry about. An attack vector to infect any one of a dozen IoT devices could sit on a home network and carry out this exploit and start gathering data on a home user's tablets, and smartphones.

  19. markrchambers@rogers.com

    Mr Me

    I called Ring to see if they were going to be releasing a patch to their video Doorbells. The level 2 engineer I talked to didn't even know what Kracken was, or that it existed. The best was their online support chat bot that kept insisting they had Bank Grade Encryption. Good luck with that one. Guess I'll have to uninstall the Ring cameras in my house and send them back.

  20. Dave Bell

    This is getting confusing

    So vendors have had about six months notice to produce patched code.

    Netgear have a new firmware version for my modem/router, and that might mean it is patched against this attack, but they don't even give a date for the new code, and the release notes just mention unspecified security fixes.

    There is this, but the list of devices doesn't include my stuff, so I think I am OK, but they are so vague about the new firmware version that I still worry

    Note that they caution against using the bridge mode, but I am not sure how much stuff like video has the wired connection to use that. I just checked and the NOW TV box has wired ethernet, while Amazon Fire sticks are WiFi only. Setting up more ethernet is looking to be a good idea. How about one of those data over powerline things?

    When I thought the news was fresh, not with a private warning six months ago, I expected confusion. What I am seeing isn't good enough.

  21. benthe

    From what I understand, the man in the middle (MITM) needs to war-drive to my network and use some tool, as yet developed, to hijack a signal from a specific un-patched wifi device (a TV for example). Is that right? Also, it looks like the hacker needs the MAC address of the compromised device. That's a lot of info not available to a casual war-driver.

    Is it possible to update the router firmware to detect the key re-installation? That way, the old un-patched Squeezeboxes and baby cams could still be used, risk free.

  22. User-1

    "Sadly, quite a lot of internet traffic is still using unencrypted and unprotected HTTP,.........."

    No kidding! Kinda like this site huh?

  23. hammarbtyp Silver badge

    An important point

    One point missed (and it is rather important) is that routers are only really affected if they operate in bridge mode, which is relatively rare.

    So if you have a Windows PC running a reasonably modern OS (7 or higher), installed the latest patches and your home router is not in bridge mode, you are probably pretty safe.

  24. Anonymous Noel Coward
    Boffin

    Seeing as the router is in my bedroom, and I'm the only one in the house who uses the Internet, couldn't I just cover my walls in tinfoil and be done with it?

  25. David Nash Silver badge
    Mushroom

    Summary

    So have I got this right?

    - I need to patch: My Wifi AP / Router(s) (using the term Router to mean Router-with-AP)

    - Every device that might connect to them

    and if I miss one or two devices then my network is as good as hacked?

    What chance do we have?

    1. hammarbtyp Silver badge

      Re: Summary

      Well...

      1. It is only a local attack, i.e. someone has to be within range of your wifi. This is a lot more effort than a remote attack

      2. A lot of your devices may already have been updated

      3. Routers are only affected if they are being used to bridge to other routers

      4. The attack is a proof of concept, and in the wild is harder to pull off

      5. If you send your traffic via VPN or HTTPS, it greatly reduces your risk

      6. Considering the effort required, do you really think your traffic is worth the cost and trouble? If yes then it is likely this attack is the least of your problems

      To summarise. Keep calm and carry on

  26. patrickstar

    "At that point, the snooper is just like any other spy potentially sitting on the vast web of networks between you and the website or service you're connected to – and that's why we try to do HTTPS and other end-to-end encryption everywhere: to thwart naughty people lurking silently in the middle. "

    Just a nitpick here... Unless your threat model is a nation-state attacker or similar (which, admittedly, it might very well be these days), your traffic is much more likely to get snatched near the endpoints than in the middle.

    Even with compromised core routers at their disposal (which attackers certainly have), actually sniffing traffic in a useful way is - at best - difficult, risky and/or noisy.

    But still - just a nitpick. There's rarely any reason to let unencrypted traffic over the wider Internet these days.


Biting the hand that feeds IT © 1998–2019