Domain: krackattacks.com
Stories and comments across the archive that link to krackattacks.com.
Comments · 7
-
Re:Huawei U8150
-
Re:DisagreeHe's just bitter because he got slapped on the wrist last time.
Why did OpenBSD silently release a patch before the embargo?
OpenBSD announced an errata on 30 August 2017 that silently prevented our key reinstallation attacks. More specifically, patches were released for both OpenBSD 6.0 and OpenBSD 6.1.
We notified OpenBSD of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.
-
Two good reasons
Reason 1:
https://www.krackattacks.com/Reason 2:
https://www.armis.com/blueborn...Those are two fairly major vulnerabilities that worked at a wireless level. Some vendors got it fixed fairly quickly, a lot did not (especially Android vendors). I love my Android phone feature-wise, but the platform is completely fuckadoo in terms of updates, and various models often have lingering security issues or even ones that get completely abandoned/unpatched, making them not just a risk to the owner but possibly nearby devices or infrastructure.
Realistically Android needs better central control, and much as I'm loath to give Google more control, I believe they should take more ownership of the base OS and patching, allowing for core updates to come from *them* as part of the platform rather than waiting on the vendors to implement their fixes. Make it like more like a Linux OS where they own the kernel and core, and vendors can add their stuff as packages and/or submit any special drivers back to Google for inclusion/patching.
-
Re:quick question
Disclaimer: I am no expert. I am basing this on this summary.
Absolutely yes to the PC because the attack targets wifi client devices rather than access points. (Actually, your android phone is a higher risk.) Having said that, your advice for Windows 10 is ensure you have October 2017 updates installed. For most people, run winver from the search box and version 15063.674 or above is patched). (here is the relevant MS page - sadly it looks like device drivers should also be updated.)
Yes to the router, because using 802.11r "fast roaming" or using the router as a repeater may expose you - but the risk is vastly lower as the router is a lot less likely to be vulnerable.. (Most home users don't use repeater configuration or fast roaming as they only have one access point.) It's possible that disabling repeater and fast roaming will be a work around for attacks against your router (APN).
Summary: Worry about your Android phone, other devices, PC, and other client devices first. If you have a typical single router set up, do check your router vendor for new firmware, but focus on your client devices. Normal people with normal Windows 10 installs merely need to use windows update.
-
Re:Open BSD Linux ... WTF
well I do love how OpenBSD already fixed this months ago
The discoverer of the vulnerability states on his website that openbsd (Theo Radt) broke the embargo in July. Not much to love with that, since it reduced the security of everybody else. You will notice that most everybody else (Google seems to have been asleep), had patches ready _today_. This was when the embargo was lifted.
Going to the discoverer's site ( https://www.krackattacks.com/ ) last night got you a page that said, "just a test that domain name and webserver are working." Unlike Theo, he was honoring the embargo-- this morning, he posted info about the exploit on that website.
-
You only need to patch the CLIENT
Just to be clear, you probably only need to patch the client devices, not the wireless access points. In particular, https://www.krackattacks.com says the following:
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates.
... For ordinary home users, your priority should be updating clients such as laptops and smartphones. -
Finally!
Public announcement from Mathy Vanhoef is https://www.krackattacks.com/ and his research paper can be found https://papers.mathyvanhoef.co....