WPA2 WiFi Security Vulnerability - Important

[HanaBi]

For users that configured their home or business network to use WPA2 security protocols, be aware that there is a possible security hack that may compromise your network, leaving it vulnerable to further attack.

Changing passwords has no affect; in fact there is little you can do other than be vigilant and perhaps monitor who is on your network. The burden lies with the router manufacturers, who should be rolling out fix packs asap.

The problem isn't specifically related to particular routers, but a design flaw with the wifi WPA2 protocol itself. But will cause vulnerabilities to all logged-on devices on that network (Android, Apple, Windows, Linux devices etc)

However, there are two problems here:

1) if you own an old router than has long gone out of support, you will probably not get a security patch, thus leaving your network vulnerable.

2) If your router is supported, there still remains the tricky installation of the patch, which often requires performing a backup of your existing configuration prior to taking your router offline in order to perform the update (not all routers require this, but a reboot is generally needed afterwards, so it is always a good idea to get everyone off your network). However, because a lot of users rarely check for router updates generally, there is a possibility that the latest patch may not work unless dependent updates have been performed first.

It should also be noted that now this "security flaw" is in the national headlines it will inevitably attract bogus callers or emails purporting to be from the likes of Microsoft, Apple, perhaps even your ISP, saying that there is a serious security problem with your network, and can they "remote in" onto your domain, and do all sorts of damage!

Best advice is to logon to your router, and navigate to your "system spec" page, find out what version and firmware your router is on, and then go to the manufacturer's site for any updates and help with the installation.

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

 

[tinkerdan]

I don't think we are talking about anything new here.
The minute they came up with WPA2 they knew it had vulnerabilities.
However the vulnerabilities were fewer and less known than those of WPA and WEP; which I should point out are usually accessible as options for use in most devices--at least they are in the devices I have.

So it goes without saying that there is a likelihood of someone coming up with hacks.

I think that the flaw here is in that there is no streamline way set up for these devices to be updated seamlessly and that seems to prompt someone such as the author of this work to remind administrators that they need to seek updates. (Ones they should be seeking constantly anyway.)

It's unfortunate that this seems to result in panicking the users over something they should have already been made aware of in that their wireless systems have never been secure and likely the patch they are applying now may only secure them from one vulnerability and there are unfortunately possibilities for many more.

We have a case where the advancement and proliferation of wireless devices has always outstripped our ability to protect the data going across them and we've had to rely on the best solutions available as a temporary fix until we somehow catch up.

The bottom line is that presently we should treat our wireless devices as though they are wide open rather than secure and make judgments about how we use them from that perspective.

 

[Overread]

Thing is most people are not well trained in how to use computers. And even tasks which we all know we should do are often overlooked; that's why MS wanted to force updates on users; its why many software packages have auto-updates. IT's why most routers that you get now come with a pre-designated password encrypted into it (in the last you had to set it all up yourself).

The result of such measures that remind/enforce good practice is that most people get even more lazy about good practice and rely on the automated/enforced systems to protect them. Plus you quickly train a new generation who don't know how to or have need to step outside of the automated process. Look at phones/tablets and apps for a system that's almost totally automated by default (to the point where you can't even get applications off your hardware when they are "core").

 

[HanaBi]

Very true. Most home users rarely worry about updates these dates as most of them are automatically installed (whether you like it or not), and as such its one less thing to worry about.

However, laptops, tablets and phones are pretty useless without a router/modem and WAPs. These are devices that are incredibly vulnerable to being attacked - they're like the front door to your home. But alas a lot of users rarely bother to manage them. Which is unfortunate because installing updates is mostly a manual requirement and not always an easy one: get it wrong and your local network could be offline for however long it takes to resolve the issue.

You can have all the antivirus/malware applications on your devices to offer some form of protection, but that could all be undone if someone breaks in through your "front door".

Apathy and denial are the real issues. And this is what hackers thrive on, unfortunately.

 

[tinkerdan]

There is a marked difference here though between standard updates of apps and the security on the wi-fi grid itself.

Thing is most people are not well trained in how to use computers. And even tasks which we all know we should do are often overlooked; that's why MS wanted to force updates on users; its why many software packages have auto-updates. IT's why most routers that you get now come with a pre-designated password encrypted into it (in the last you had to set it all up yourself).

The result of such measures that remind/enforce good practice is that most people get even more lazy about good practice and rely on the automated/enforced systems to protect them. Plus you quickly train a new generation who don't know how to or have need to step outside of the automated process. Look at phones/tablets and apps for a system that's almost totally automated by default (to the point where you can't even get applications off your hardware when they are "core").

People are giving their children wireless devices to keep track of them in an effort to keep them safe and though you can keep the device itself safe you are still reliant upon outside networks to bring that information to you and keep it encrypted and that's where this come into play. So there really needs to be some automation that can cover the infrastructure that's rapidly spawning across communities.

However a more important point is that none of this is absolutely secure even when you have the proper updates; it's only as secure as possible at the moment with a strong recognition that so far each encryption system comes with known limitations.

We spend a lot of time building a false sense of security and then have a knee jerk reaction when someone announces that it's no longer safe.

It's not the consumers fault and only marginally the IT or IS specialists fault, but falls back on the manufacturer and when companies such as Microsoft retire an OS and ends support for it, that may seem good economics for them, but it bad business because not all of the equipment gets retired and it manages to remain available to the infrastructure and this remains even more evidently true in the realm of Routers and servers.

This is policed to a point where some ISP's will forcibly shut down the pipeline and give notice that it won't be restored until they fix the problem; however not all ISP's operate the same. That can leave some unexpected holes in security when relying on mobile wi-fi devices no matter which encryption method is involved.

Bottom line again is to be weary of what you use those wi-fi devices for.

 

[Nick B]

Use a VPN. The end. If you aren't using a VPN, start using one, there is simply no better security out there really.

 

[tinkerdan]

from flashrouters
The Difference Between VPN Encryption & Wireless Network Security

To summarize Dave’s in-depth explanation, VPN encrypts your outbound Internet traffic, while wireless security protects your local network from intrusions.

So on a VPN you can still be hacked through the wireless your using and then that renders the VPN encryption a moot point as they have full access to everything on your end.

 

[Nick B]

Didn't think of that! Yeah, sorry, it's inbound intrusion that the router can stop. Still, use a VPN anyway! Encrypt all possible devices (phones, tablets etc.) harder to encrypt a PC as you need to create encrypted containers, I'm not sure you dan encrypt an entire drive easily.

 

[HanaBi]

Well there's always bogstandard BitLocker for Windows.

Trouble is though, all this talk of VPNs, encryption, firewalls etc, won't have that much appeal to an average user - just another "problem" along with more passwords to remember.

 

[Nick B]

Depends how safe you want your data to be.

 

[tinkerdan]

Honestly you can handle all of those through one good device:: one good firewall router and just keep it up to date.

Well there's always bogstandard BitLocker for Windows.

Trouble is though, all this talk of VPNs, encryption, firewalls etc, won't have that much appeal to an average user - just another "problem" along with more passwords to remember.

Then you can keep your mobile devices up to date- those that roam.

And even with this alleged failure in WPA2 your single largest weak spot is the user--more often then not a single click on the wrong email or a website that has been compromised can undo your efforts; rather than the posited intrusion through such WPA2 vulnerability.

The single thing most to fear with the WPA2 is that when roaming you are at the mercy of a public access hub that might be vulnerable and even with all your efforts with those devices--you could still be at risk. Devices kept up to date might be able to detect and warn you that the connection is not secure and the user might still chose to use the connection.

 

[HanaBi]

Honestly you can handle all of those through one good device:: one good firewall router and just keep it up to date.

Then you can keep your mobile devices up to date- those that roam.

And even with this alleged failure in WPA2 your single largest weak spot is the user--more often then not a single click on the wrong email or a website that has been compromised can undo your efforts; rather than the posited intrusion through such WPA2 vulnerability.

The single thing most to fear with the WPA2 is that when roaming you are at the mercy of a public access hub that might be vulnerable and even with all your efforts with those devices--you could still be at risk. Devices kept up to date might be able to detect and warn you that the connection is not secure and the user might still chose to use the connection.

indeed, all very easy. But this goes back to the original point of people having to perform updates to their routers; which can be quite daunting for some, bordering on impossible for old routers that are no longer supported. The only solution is for users to contact their ISP and either ask for an updated router/modem, or guidance to do the update as simplistic as possible.

 

[Dave]

From what Norton Security informed me, this was more a problem in unsecured WiFi in cafes and coffee shops, rather than in your private WiFi at home.

Use a VPN. The end. If you aren't using a VPN, start using one, there is simply no better security out there really.

That was their suggestion, of course, they do want to sell you a VPN, which made the advice rather suspect.

 

[HanaBi]

From what Norton Security informed me, this was more a problem in unsecured WiFi in cafes and coffee shops, rather than in your private WiFi at home.

That was their suggestion, of course, they do want to sell you a VPN, which made the advice rather suspect.

Hotspots are certainly more vulnerable, but home routers running WPA2 are still at risk.

And given my experience of Norton software and their 3rd line technical support over the years, I really wouldn't place a whole lot of faith in what they say.

 

[Nick B]

I have a lifetime subscription to a decent vpn, 5 devices, cheap as hell. Just pick your vpn wisely, not all are the same.