back to article If for some reason you're still using TKIP crypto on your Wi-Fi, ditch it – Linux, Android world bug collides with it

It’s been a mildly rough week for Wi-Fi security: hard on the heels of a WPA2 weakness comes a programming cockup in the wpa_supplicant configuration tool used on Linux, Android, and other operating systems. The flaw can potentially be exploited by nearby eavesdroppers to recover a crucial cryptographic key exchanged between a …

  1. sean.fr

    WiFi security is a mess

    For a Wifi admin there are no good choices systems. It is common in public spaces to have hot spots with open SSIDs and a captive portal. Neigbours do not need to do any dycrpt to see your traffic. You can have much more secure systems but only if the phone/tablette/ PC has the right supplicant and cert. Unless you can impose one OS, in a mixed environment they do not have a simple common mode that just works and is secure. In a Bring Your Own Device world, it is either simple or secure.

    With the Internet of Trash, it is only going to get worse.

    1. Lee D Silver badge

      Re: WiFi security is a mess

      Passworldless-wifi hot spots are indeed just open invitations to join a raw network. If you use them, VPN over them to a known-good server. You're sharing an Ethernet cable with every random stranger and the guy giving you Internet.

      Passworded wifi hotspots are, however, no better. If there's a common password and several people know it, the same thing happens - everyone can see what you're doing even if only by starting a Wifi network with the same name and password and blasting the other off-air (which can be easily done), thus forcing you onto an unknown network without you knowing. You're sharing an Ethernet cable with every one who has the password, and the guy giving you Internet.

      However, if you own/control the network, and you own/control the devices, there are more than a few ways to secure them reliably, not least to make the Wifi nothing more than a transport medium for a secure channel (everything supports VPN these days, even smartphones). You can do this with certs on them, or with VPN, etc. but the greater principle is just "make sure your services aren't plain-text".

      As we move towards everything being HTTPS, the problem begins to solve itself. We're treating *everything* as an insecure medium and encrypting everything with endpoint verification that can't be faked (without the user doing something incredibly stupid). HSTS, certificate pinning, etc. are guaranteeing that we're talking to even Facebook, let alone a corporate intranet.

      Wifi is an insecure medium but so is just plugging a random Ethernet cable into a machine, you have no idea who's listening to it or what's happening. Even with the securest of wifi, there's an IT guy somewhere listening in. The trick is to treat wifi - all wifi - as exactly what it is... an untrusted transport medium exactly like connecting over the Internet. Trust nothing, verify your endpoints, encrypt everything you can.

      The problem won't change. Because even with all the security of WPA3 or anything else you use, things get broken on a regular basis and even VPNs aren't safe. The trick is to never communicate over an untrusted medium as if it were trusted. And wifi and the Internet in general are untrusted. Even Google couldn't use raw Internet between their datacentres without the NSA snooping it, so they encrypted all traffic even between their own sites on private lines.

    2. Charlie Clark Silver badge

      Re: WiFi security is a mess

      WiFi is a mess: it was rushed by vendors eager to sell kit that could use unlicensed spectrum.

      1. DougS Silver badge

        WPA3 won't fix it, but it will sure help

        Not only will it fix the known attack on WPA2, it will encrypt passwordless wifi as well as passworded.

        You should still make sure something secure like HTTPS or a VPN is in use if you are connecting to anything where you wouldn't want the traffic sniffed - but that's already true for most things. You'd have to work hard in 2018 to find webmail, online shopping etc. where you can enter a password or credit card number in the clear.

        Think of it this way - everything that's in the clear on a passwordless wifi today is in the clear when you are sitting at home once it leaves your ISP. The odds of getting sniffed at internet exchange points by the NSA or GCHQ is probably 1000x greater than getting sniffed by someone sniffing your wifi in the coffee shop. Worry about the right things!

        1. Anonymous Coward
          Anonymous Coward

          Re: WPA3 won't fix it, but it will sure help

          "Worry about the right things!"

          This is superficially plausible - but good security is not about deciding whether to lock the doors OR lock the windows.

          Prioritize threats, but do not let the less likely ones fall off your radar...

          For that matter, different threats for different issues should not necessarily be compared. Again, it is not 'seatbelt' or 'flu shot'.

  2. sean.fr

    WiFi security is a mess

    For a Wifi admin there are no good choices systems. It is common in public spaces to have hot spots with open SSIDs and a captive portal. Neigbours do not need to any dycrpt to see your traffic. You can have much more secure systems but only if the phone/tablette/ PC has the right supplicant and cert. Unless you can impose one OS, in a mixed environment they do not have a simple common mode that just works and is secure. In a Bring Your Own Device world, it is either or.

    With the Internet of Trash, it is only going to get worse.

  3. Anonymous Coward
    Anonymous Coward

    "No one should be using TKIP in 2018"?

    Damn right. I've updated my wireless security to avoid anything associated with that insecure rubbish.

    Thank God for WEP.

    1. Roland6 Silver badge

      Re: "No one should be using TKIP in 2018"?

      Back in 2007 the recommendation was to use WPA2...

      The WiFi Alliance depreciated TKIP back in 2015, noting that it "no longer provides sufficient security to protect consumer or enterprise Wi-Fi® networks. ".

      >Thank God for WEP.

      Must be using real cheap or ancient kit; personally, I prefer my kit to carry the WiFi Alliance logo.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: "No one should be using TKIP in 2018"?

        @Roland6; Spoiler- it was a joke!

        The idea that anyone who knew enough to be concerned about the WPA2-TKIP issue would "fix" it by moving to WEP (#) seemed rather... obviously implausible. (^_^)

        (#) FFS, WEP was *already* considered the chocolate teapot of WiFi security and deprecated in favour of WPA2 by the time I got my first wireless router in 2005!

        1. Roland6 Silver badge

          Re: "No one should be using TKIP in 2018"?

          @AC - Yes I knew, just that I tried (and failed) to make a wry observation about WEP.

          Re: (#) FFS, WEP... chocolate teapot

          Agree, however, even in 2008 there were still too many networks using it and even better 'security' experts advising people to hide their SSIDs. We can argue about the security aspects of NAT, but compared to hiding the SSID, NAT is a security feature.

          1. Roland6 Silver badge
            Pint

            Re: "No one should be using TKIP in 2018"?

            @Ac - The really scary thing is just how much new kit, especially consumer (eg. the Sky Hub) that still supports WEP, hence whilst reverting to WEP might be a joke, I can see people actually doing exactly that ! :).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019