Slashdot Mirror


Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com)

Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.


  1. Re: Um, fuck off by Anonymous Coward · · Score: 3, Insightful

    Grow up. The article links to the previous Slashdot story from earlier today and is still on the front page. The previous article links to a research paper explaining the vulnerability. For anyone who has looked at the front page this morning or even bothered to examine the links in the summary, it's blatantly obvious which vulnerability is being discussed here. Here's hoping you're modded -1 flamebait. You deserve it.

  2. Re:Um, fuck off by crypticedge · · Score: 5, Informative

    This is a high profile issue at the moment. I realize looking back at it in a few weeks may be worth that kind of comment, but there's been multiple Slashdot articles on it today, and every tech news site is buzzing about it.

    To fill your rage though,

    The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

    CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
    CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
    CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
    CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
    CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
    CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
    CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
    CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
    CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

  3. allowing attackers to manipulate websites?? by bluelip · · Score: 1

    A WiFi attack allows one to manipulate a website? That escalated quickly.

    Oh, just /. editors' normal approval of bunk write-ups.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
    1. Re:allowing attackers to manipulate websites?? by Anonymous Coward · · Score: 1

      A WiFi attack allows one to manipulate a website? That escalated quickly.

      Oh, just /. editors' normal approval of bunk write-ups.

      It's actually possibly correct, assuming a non-HTTPS website.
      Which means it's correct but not at all likely.

    2. Re: allowing attackers to manipulate websites?? by p91paul · · Score: 1

      Apparently, at least the linux/android variant of the attack allows the attacker to forge traffic, not only decrypt it.

    3. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      So long as HTTPS isn't implemented, websites could be subjected to modified content submitted by visitors. For instance, browsers visiting self-hosted WordPress blogs could see JavaScript injected into the HTML received. In the background of the session, the user's browser could be comment-spamming the site. If the user is an admin of the site, then the JavaScript could use the admin's credentials to create other superuser accounts in the background.

      Even if the site's content submission forms are protected by captcha, the attacker could simply modify comment submission text to include links to pharmaceutical websites, etc. every time someone posts a comment to a self-hosted, non-HTTPS WordPress blog. The same would hold true for forum posts.

    4. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      That would be "manipulate traffic to and or from a website" not "manipulate a website".

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    5. Re: allowing attackers to manipulate websites?? by bluelip · · Score: 1

      That's not manipulating a website. That's manipulating the traffic.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    6. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      Modified traffic. Not a modified website.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    7. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      By modifying the traffic, the content of the website can be manipulated. In the example I gave, superuser credentials could even be generated if the administrator visits the website and her HTTP transactions are modified by an attacker.

    8. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      No. The website remains the same. The content, as seen by the user, may be altered. Large difference. If credentials are compromised, that's a separate issue.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    9. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      Please go back and read the examples I gave in my original post.

      This vulnerability opens up the user's session to being hijacked in a way that alters the content being submitted to any non-HTTPS website. That content could be forum posts or article comments. It could mean any URL posted in a comment could be changed to point at a pharma scam website. The user's browser could receive JavaScript injection that starts comment-spamming (as the user) a forum or WordPress site in the background.

      Packet-level manipulation works both ways-- what the browser receives as well as what the server receives.

    10. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      Your examples are marvelous. They're also irrelevant to my point. The website is not altered.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    11. Re:allowing attackers to manipulate websites?? by mschwanke97402 · · Score: 1

      The OP wasn’t very clear but I get what he’s trying to say. Basically he’s trying to tell you an attacker is intercepting the traffic of an authorized poster to a WordPress site, altering the poster’s submission as it is being submitted. As a result, the site content is being altered.

  4. Already released patch or new patch as of today? by millertym · · Score: 1

    The article wasn't quite clear? Made it sound like it was all, already taken care of... but didn't quite specify when that patch was released?

  5. Re: Um, fuck off by Anonymous Coward · · Score: 1

    How do I patch my Nexus 5? It's running the default Android, but I don't see an update available. When will this fix be available for Nexus phones?

  6. Re:Access Points by dc29A · · Score: 5, Insightful

    Worse, how many millions of Android handsets will never see this patch?

  7. Re: Um, fuck off by Archon · · Score: 1

    3rd party firmware is your only option at this point.

  8. Re:Patch "within weeks"; Android is a joke by Anonymous Coward · · Score: 1

    After those weeks it will take for Google to patch it, add in several more weeks for the manufacturer and then yet more weeks for the carriers..... if they decide to do it at all.

  9. Android updates suck by DigitAl56K · · Score: 5, Insightful

    So now most Android devices are, and will continue to be, vulnerable to both BlueBorne and WPA2 KRACK, meaning that essentially they are wide open to anyone pilfering whatever they want off the device itself and as they communicate over the air. With most manufacturers abandoning updates in 3 years or sooner, and for the small pool of supported devices having very infrequent updates available, many times 3-6 months behind the curve, why do we allow this kind of chronic insecurity?

    It's insane that we allow businesses to behave like this: Give everyone computing devices they use to run their lives - healthcare, credit, banking, social, BYOD work, etc. and leave them open like Swiss cheese.

    1. Re:Android updates suck by DNS-and-BIND · · Score: 3, Insightful

      So, what you're telling me is that all of the affected customers will not be receiving updates, and they'll have to buy a new device?

      What a tragedy. By which I mean, the refusal to provide updates will result in greatly increased sales.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Android updates suck by ilsaloving · · Score: 2

      This is one of the primary reasons I use iOS. Apple, for all their other negatives, DO support their products pretty well. I know I can expect a good 5 years of updates for my iThing.

      I'm more pissed off at the entire industry as a whole, because we are literally in a situation where consumers have no choice other than to pick the vendor that pisses them off the least. There are literally NO good vendors. They either make crap products, don't support their products, use their products to steal your personal information, or some combination thereof.

      As it stands, my choice is to buy Apple and bend over up front with my wallet held high, or buy Microsoft or Google and be bent over in perpetuity by Darth Vader, having my agreement altered and hoping (in vain) that the agreement won't be altered any further.

    3. Re:Android updates suck by gad_zuki! · · Score: 1

      Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs.

      Sadly, for many customers they rely on the goodwill of their OEM and telco to provide serious patches. I expect shops like Samsung, Lenovo/Moto, LG, Sony, and HTC to patch pretty much any phone sold in the past 3 years or so.

      Budget buyers, no-name brands, etc. are most likely going to be hacked constantly until they replace the phone. KRACK is bad but WPA-AES means they can't inject data and that's on top of TLS blocking that as well. BlueBorne, on the other hand, is much more serious and could provide root remotely.

    4. Re:Android updates suck by bill_mcgonigle · · Score: 1

      No modpoints, but have a "hear, hear"!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Android updates suck by omfglearntoplay · · Score: 1

      I have an old iPad 2 (I think) that won't accept any more updates. It'd be nice if Apple made a special update for old devices just for this, since it completely destroys security.

    6. Re:Android updates suck by CanadianMacFan · · Score: 1

      But Apple won't port the fix back to previous versions of iOS for devices that can run the latest. I don't want to install iOS 11 because it doesn't offer me anything I want. It'll just slow things down until 11.1 comes out when they have had a chance to work on performance. But there's no way for me to get the security updates to 10 if I want to stay on that version. So now when the patch comes out for iOS 11 I'll have to "upgrade" to 11 just because I use my devices outside of the house.

      At least Apple doesn't do the same with macOS. One can still get the security updates for the previous versions without having to update to the latest.

    7. Re:Android updates suck by markdavis · · Score: 1

      >"Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs. "Budget buyers, no-name brands, etc are most likely going to be hacked constantly until..."

      What about Google's OWN DEVICES? I have a Nexus 5 which I bought in Feb 2014 when they were still very new. I haven't had a single update since Dec 2016. The phone works fine, it does what I want, but it will never be patched.

      I don't expect updates forever, but mine didn't even get updates for 3 years from when I bought it. And it was a flagship AND a brand name. I haven't found a single phone I could replace it with that is Android, 5", no vendor crapware/mods, works on any carrier, has a headphone jack, 64+GB, and supports wireless charging. Still waiting. :(

    8. Re:Android updates suck by nasch · · Score: 1

      If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it.

    9. Re:Android updates suck by markdavis · · Score: 1

      >"If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it."

      I have given it serious consideration but it seems there was always something majorly wrong- either it would break Netflix or break TiVo, or was missing the Google apps, or was too dangerous, or required a lot of maintenance, etc. And if it was a NEW device, it would void the warranty, which is just too risky on a $400-$800 device.

      I suppose I will have to do SOMETHING eventually. Sigh.

    10. Re:Android updates suck by Solandri · · Score: 1

      Google patched BlueBorne within a day, and Samsung (as the major iPhone competitor) rolled out BlueBorne fixes within about 2 weeks of it going public.

      The problem is the damn carriers. They delay the manufacturer patches while they do their own "testing" and tweaking (i.e. installing software you can't uninstall), sometimes for months. Apple was able to strongarm the carriers into conceding control over software updates on iPhones. None of the Android manufacturers has enough marketing clout to do the same. And Google can't because they've released Android as Open Source. If they try to strongarm the carriers, the carrier can just blow off Google and install a custom version of Android on their phones.

      What we need is to break up the vertical integration in the cell phone market. Cell tower networks, cellular service, and cellular phones should all be managed and marketed by different companies. No single company should have their fingers in more than one of those markets.

    11. Re:Android updates suck by nasch · · Score: 1

      If it's new, you will be getting updates anyway. If not, you could try stock Android. That should be pretty safe for running whatever app you want, and it will have the Google stuff. And if you don't want to put the latest OS on an older device I believe Google is good about issuing security patches, so you could go back to Lollipop or Marshmallow without giving up security. I don't know that for 100% though so don't take my word for it.

    12. Re:Android updates suck by ilsaloving · · Score: 1

      As an end user I really don't care where the problem is. If there's a serious vulnerability, I expect it to be fixed. I don't care if it's Google, the manufacturer, the carrier, or a leprechaun. At the end of the day, if I have an Apple device that is 5 years old, I *will* get an update. If my device is older than that, I may still get an update if the issue is serious enough.

      In the android world, it's a crap shoot. Hell, it was only a couple of years ago or so when the big makers (Samsung, LG, I forget who else) finally agreed that they would provide 2 years worth of updates for their hardware. My last Samsung device was prior to that agreement, and updates were virtually unheard of. I ended up being forced to root my device and install cyanogenmod just so I could have a phone that didn't suck. That was when I threw my hands up in the air and went iOS. It is unacceptable that an end user should have to root their device and install a 3rd party OS on a practically new device, just to make it work acceptably.

  10. Re:Access Points by 93+Escort+Wagon · · Score: 1

    Won't make a bit of difference if the access points are still vulnerable.

    This seems to be more of an attack on clients (e.g. laptops, tablets, phones) rather than access points.

    Interestingly, this vulnerability does not expose a network's WPA2 passphrase.

    --
    #DeleteChrome
  11. Re:What devices need to be patched? by UnknowingFool · · Score: 1

    The attack requires spoofing the AP. The client (your device) will certainly need to be patched. The AP's firmware might be hardened so that spoofing is less likely, which is most likely the fix.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  12. Re:Already released patch or new patch as of today by crypticedge · · Score: 2

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Windows rejects retransmit requests, causing the attack to fail.

  13. Re:Access Points by fluffernutter · · Score: 1

    How many of these millions of phone and handsets will actually see a successful attack? How many have anything on them worth attacking?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  14. What percentage of Android will be patched by perpenso · · Score: 4, Insightful

    Android Will Be Patched Within Weeks

    What percentage of Android will be patched?
    The 18% with 7/Nougat or better,
    the 50% with 6/Marshmallow or better,
    the 78% with 5/Lollipop or better,
    the 92% with 4.4/Kitkat or better?
    https://developer.android.com/...

    1. Re:What percentage of Android will be patched by Merk42 · · Score: 5, Insightful

      Android Will Be Patched Within Weeks

      What percentage of Android will be patched?
      The 18% with 7/Nougat or better,
      the 50% with 6/Marshmallow or better,
      the 78% with 5/Lollipop or better,
      the 92% with 4.4/Kitkat or better?
      https://developer.android.com/...

      The .02% with 8/Oreo or better

    2. Re:What percentage of Android will be patched by KiloByte · · Score: 1

      What percentage of Android will be patched?

      Those which are rooted and have available drivers so you can recompile them yourself, plus a couple of randomly chosen models running the newest version of Android 9.53.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

      And that's to say nothing of the many security problems that are resolved in Android by simply updating some application through the play store which includes things such as security flaws in system components and drivers.

    4. Re:What percentage of Android will be patched by perpenso · · Score: 1

      Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

      A Samsung branded device is no assurance of a patch. I have older Galaxy S phones that have not been offered patches in years.

    5. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android"

      Even that doesn't help much as an explanation, either. I am one of the 50% that have Android 6.0.1, but it is on a Nexus 5. Google hasn't pushed a single OS update since Dec 2016, and likely never will. So it won't matter if they push it to older versions of Android, because I still won't get it, even on Google's own device.

    6. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

      Prior to that there existed no patching framework as it was only introduced in KitKat.

    7. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      That's not a guarantee. Google has pushed out security updates for devices past its guaranteed security update window in the past. But all in all you're still talking about a single device. The problem is ultimately one of vendors. In the security and core OS the issue is long solved.

      E.g. 2017-09-01 security update which I got on my more than 3 year old Samsung devices has been back ported all the way to KitKat, and I actually own a Tab 3 which still runs KitKat which received a security update earlier this year.

      Point is it makes zero sense to gauge the likelihood of getting an upgrade based on which version of Android you're running. .... Unless you're running 4.3 in which case the answer is a resounding no since the security framework didn't exist prior to then.

    8. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"The problem is ultimately one of vendors. In the security and core OS the issue is long solved."

      My point in all this was the original statement about back-porting it to Android 6. Even Google won't update their own Nexus devices running Android 6 [with other bug and security fixes], so why would any other vendor? Now, I say that, but I suppose it is POSSIBLE Google might update older devices running 6... I don't think we have had a security concern of this magnitude in recent history, so I guess we just wait and see. In this particular case, it wouldn't be difficult to develop and deliver a tiny patch for a single driver to devices to which they already have access.

      Of course the big issue is going beyond Google's own devices, and that really is a major problem when we hit something like this.

      >"But all in all you're still talking about a single device. "

      Not really. Not only do I have a Nexus 5 running Android 6, I have a Nexus 10 also running Android 6. :)

    9. Re:What percentage of Android will be patched by nasch · · Score: 1

      You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described.

    10. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described."

      Yeah, I am probably too tired to be replying right now ;)

    11. Re:What percentage of Android will be patched by nasch · · Score: 1

      Pleasant dreams. :-)

    12. Re:What percentage of Android will be patched by fearlezz · · Score: 1

      As I know from first-hand experience (Broadpwn), Samsung SGS8 will get its update in one and a half months after stock Android received its patch. Samsung SGS7, SGS6 will get it in 3 months. And SGS5 (which was still for sale just a year ago) will go unpatched for so long that the few users that had one, switched to a brand new iPhone.
      Yup, no more Samsung in my company.

      --
      .sig: No such file or directory
    13. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      so why would any other vendor?

      What a silly statement. Because not all vendors are the same? I just gave you an example of 2 devices which are almost twice as old running versions of Android far earlier than the Nexus. Don't put Google on some pedestal of perfection that others can't reach or even exceed.

      What Google decides to push specifically to the Nexus 5 has nothing to do with what fixes they apply to Android, fixes which they patch all the way to KitKat.

    14. Re:What percentage of Android will be patched by perpenso · · Score: 1

      I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

      Prior to that there existed no patching framework as it was only introduced in KitKat.

      My S4 mini hasn't patched in years.

    15. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

    16. Re:What percentage of Android will be patched by perpenso · · Score: 1

      Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

      As I said, a Samsung branded device is no assurance of a patch.

    17. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      As I said, not Samsung's fault, not Google's fault, and quite critically to the very core of my original post: Nothing at all to do with vendors not updating the Android version.

    18. Re:What percentage of Android will be patched by perpenso · · Score: 1

      It doesn't matter whose fault it is. The fact remains, a Samsung branded device is no assurance of a patch.

  15. Re: Um, fuck off by Anonymous Coward · · Score: 1

    https://forum.xda-developers.com/google-nexus-5/orig-development/rom-cm14-1-nexus-5-hammerhead-t3510548
    https://download.lineageos.org/hammerhead
    https://twrp.me/devices/lgnexus5.html
    https://forum.xda-developers.com/google-nexus-5/general/noob-read-adb-fastboot-how-hep-t2807273

  16. Re: What devices need to be patched? by p91paul · · Score: 1

    On his website, the researcher wrote that sometimes APs can be configured to act as clients towards other APs (e.g. repeaters), in which case they are vulnerable.

  17. Re:Windows phone already patched by thegreatbob · · Score: 1

    You're leaking smartquotes, bro.

    --
    There is no XUL, only WebExtensions...
  18. Google has promised a fix for affected devices by Anonymous Coward · · Score: 2, Insightful

    Google has promised a fix for affected devices "in the coming weeks."

    As a Nexus 5 owner, I'm not holding my breath on that being a true statement.

  19. Re:Already released patch or new patch as of today by Dog-Cow · · Score: 4, Insightful

    Sounds like a good fix to me. Instead of accepting retransmits, it's safer to restart the entire handshake.

  20. Re:MS just gets stuff done. by Hal_Porter · · Score: 1

    This is a trolling effort worthy of the legendary posters of yore!

    +5 Inciteful

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  21. Did they? by DontBeAMoran · · Score: 1

    I guess that explains why my Win10 box rebooted by itself two days ago.

    --
    #DeleteFacebook
    1. Re:Did they? by antdude · · Score: 1

      It was the normal second Tuesday of each month from MS. :)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  22. Re:Already released patch or new patch as of today by DRJlaw · · Score: 3, Interesting

    "The key negotiation process needs to allow for the possibility of radio interference, so it permits the access point to re-send the message that is step three of the handshake. If an attacker sends a copy of this message, the client device will be tricked into reverting back to the original encryption key and initialization vector used at the start of the session. The client's next transmissions will have been encrypted with the same key as earlier transmissions, even though that key was only meant for a single use. That allows for a key reuse attack, which doesn't directly expose the underlying encryption key but does make it relatively easy to decrypt the data that was encrypted, especially if something is known about the structure of the messages that were both encrypted with the same key. IP packet headers, in turn, provide exactly that."

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Yes, if the phase 3 handshake re-transmit required by the specification inherently enables a key reuse attack, then the flaw is not in the implementation, but the specification itself, and security would dictate that one refuse to enable that portion of the specification. Losing the ability to initialize a connection in a high RFI environment, which most installations attempt to avoid and mitigate, is an inconvenience. Having your traffic snooped is quite a bit more of an issue.

  23. Some details please by 140Mandak262Jamuna · · Score: 2

    From what I understand, the attack is on the router, forcing it to reuse known keys for encryption. How do the client devices fix this issue?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Some details please by guruevi · · Score: 2

      The problem is on the client imho. Basically what you do is replay the authentication packet "as if" the packet got lost and you're just asking for the packet to be re-sent. The client will then re-send predictable data (zeros) which an attacker can thus use to decrypt the key.

      It's a bit similar to the apocryphal story about hacking the Enigma, if you send "Heil Hitler" at the end of every message or weather reports, you can guess those portions of a key and by calculating back/forwards you can get a number of partial or complete messages.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Some details please by 140Mandak262Jamuna · · Score: 1

      You don't need physical access. Just within wifi range. But still it is the router that sends back a predictable packet and allows the hacker to guess the decryption key. How can the client machine stop the router from retransmitting the key?

      Maybe it can start a fresh handshake every time anyone reports a lost packet and requests a retransmission. Assume all retransmission requests are hostile intrusion. Not sure I get it fully even now.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:Some details please by thegarbz · · Score: 1

      By ignoring any attempt to re-transmit and restarting the entire handshake process from the beginning. Ultimately it will result in a slower connection if something doesn't go perfectly the first go but the security flaw relies on a spec feature that was designed to cope with transmission errors during the negotiation process.
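
The retransmit handling debated in this sub-thread, as an added sketch that is not from any commenter or vendor patch: a toy client that either reinstalls its session key when message 3 is replayed (resetting its packet counter) or ignores the repeat. The cipher, key, frames and all names are constructed stand-ins, not 802.11 code.

```python
import hashlib

def keystream(key, nonce, length):
    """Toy stand-in for the real cipher: output depends only on (key, nonce)."""
    block, counter = b"", 0
    while len(block) < length:
        block += hashlib.sha256(key + nonce.to_bytes(8, "big") + bytes([counter])).digest()
        counter += 1
    return block[:length]

class Client:
    def __init__(self, key, reinstall_on_retransmit):
        self.key = key
        self.reinstall_on_retransmit = reinstall_on_retransmit
        self.installed = False
        self.packet_number = 0
        self.nonces_used = []

    def on_message3(self):
        """Handle message 3 of the handshake, first copy or retransmission."""
        if self.installed and not self.reinstall_on_retransmit:
            return                      # hardened: a repeat never touches key state
        self.installed = True
        self.packet_number = 0          # (re)installing the key resets the counter

    def send(self, plaintext):
        self.packet_number += 1
        self.nonces_used.append(self.packet_number)
        stream = keystream(self.key, self.packet_number, len(plaintext))
        return bytes(p ^ s for p, s in zip(plaintext, stream))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

FRAME_1 = b"frame one: hello"   # constructed sample frames of equal length
FRAME_2 = b"frame two: world"

def run_session(reinstall_on_retransmit):
    """Send one frame, receive a replayed message 3, send a second frame."""
    client = Client(b"constructed-session-key", reinstall_on_retransmit)
    client.on_message3()
    first = client.send(FRAME_1)
    client.on_message3()                # retransmitted message 3 arrives
    second = client.send(FRAME_2)
    reused = len(set(client.nonces_used)) != len(client.nonces_used)
    return reused, xor(first, second) == xor(FRAME_1, FRAME_2)
```

`run_session` returns two flags: whether a packet number was used twice under the same key, and whether the two ciphertexts share a keystream.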

  24. Re: Um, fuck off by behrooz0az · · Score: 2

    And don't forget that the front page shows the most recent submissions first.

    Thank you. This is actually what happened here.
    As some of us have jobs and don't live in our mom's basements we tend to read the news after we're done and what do we get? This masterpiece of editorial work.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  25. Linux patches out already - well ubuntu/debian by Anonymous Coward · · Score: 2, Informative

    wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium

        * SECURITY UPDATE: Multiple issues in WPA protocol
            - debian/patches/2017-1/*.patch: Add patches from Debian jessie
            - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
                CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
                CVE-2017-13088
        * SECURITY UPDATE: Denial of service issues
            - debian/patches/2016-1/*.patch: Add patches from Debian jessie
            - CVE-2016-4476
            - CVE-2016-4477

      -- Marc Deslauriers Mon, 16 Oct 2017 08:20:18 -0400

  26. Re:What devices need to be patched? by laurencetux · · Score: 2

    you can patch the issue on either side of the setup and this attack will fail so

    P client and P router = no attack
    N client and P router = no attack
    P client and N router = no attack
    N client and N router = PAWNED

  27. Re:Access Points by sexconker · · Score: 1

    Wrong.

    If you patch a client that client is safe.
    If you patch an AP all clients using that AP are safe.

  28. What about all of the other clients? by CanadianMacFan · · Score: 1

    It's not just the phones, tablets and computers that need to be updated. Since it's clients that need to be patched it's everything that connects to the network. Thermostats, scales, TVs, digital photo frames, ...

  29. Re:Access Points by slack_justyb · · Score: 1

    How many have anything on them worth attacking?

    CPU cycles is one commodity. People tend to use the same password for multiple sites, so finding the one social network that sends it unencrypted is paydirt for someone who will take it and attempt it on other sites.

  30. "already" is misleading and undeserved. by smblion · · Score: 2

    Unless the patch was deployed before the vulnerability was exposed, the word "already" shouldn't be in the headline.

  31. Re:Windows phone already patched by Z00L00K · · Score: 1

    What smartquotes? Those are the most stupid things that were ever invented since they screw up code examples royally.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  32. Re:What devices need to be patched? by Z00L00K · · Score: 1

    N client and Evil Router = PAWNED.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  33. Re:What devices need to be patched? by Z00L00K · · Score: 1

    The delay and ineptness from various vendors to not provide updates is probably what will hurt the Android environment the most in the long run.

    Early days of MS-DOS had actually different computers that weren't compatible with each other when it came to hardware and each required its own version of MS-DOS. Android is in the same seat.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  34. Re: Um, fuck off by thegarbz · · Score: 1

    Can't get to the link in the 8th word of the submission? How do you have a job with an attention span that short?

    Or if you actually have a useful attention span, how do you have a job with time management skills so poor that you spend more time posting about not being spoon fed than clicking a link?

  35. How do you check? by craighansen · · Score: 1

    OK, so how do I check whether a system has been pwned via any of these CVEs before being patched? OpenBSD provided system updates that essentially leaked the vulnerability, and government agencies have known for at least two months, not to mention everyone that they notified. Of course, we all have complete faith in the fidelity of our beloved United States government and all commercial corporations - they've never let us down.....

    Does anyone have utilities that check all system programs and critical files via digital signatures against the versions that are supposed to be there? Bonus points if it identifies out-of-date programs and suggests updates. Let us ignore for now the possibilities that (1) the system has been pwned so cleverly that such utilities can be fooled (2) the utility installs a backdoor that pwns the system and reports false signatures, as (3) open-sourcing the utility is a basic requirement for transparency, or many independent versions could be easily written given an appropriate database...

    The database of file signatures is the important part, and can be quickly developed from one or more clean installs (multiple installs to catch variable files). I'm already aware of signatures used to validate updates, but this is for validation of existing systems. Presumably a list of files not covered by the database is a starting point to complete the system validation.

    A little searching turned up machinery-project.org - anyone familiar with that, or can suggest other tools?
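
The database-of-known-files check described in the comment above, as an added sketch that is not the commenter's code or any existing tool: it builds a baseline from several clean installs, treats paths whose content differs between them as variable files, and lists files the database does not cover. It compares SHA-256 hashes rather than digital signatures, and the function names and sample trees are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = sha256_file(full)
    return found

def build_baseline(clean_roots):
    """Merge clean installs; a path with more than one hash is a variable file."""
    baseline = {}
    for root in clean_roots:
        for rel, digest in snapshot(root).items():
            baseline.setdefault(rel, set()).add(digest)
    return baseline

def audit(root, baseline):
    """Sort every path of a live tree into exactly one bucket."""
    live = snapshot(root)
    report = {"ok": [], "modified": [], "variable": [], "uncovered": []}
    for rel, digest in live.items():
        if rel not in baseline:
            report["uncovered"].append(rel)   # not in the database: review by hand
        elif len(baseline[rel]) > 1:
            report["variable"].append(rel)    # differs between clean installs
        else:
            report["ok" if digest in baseline[rel] else "modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in live]
    return {bucket: sorted(paths) for bucket, paths in report.items()}

def make_tree(files):
    """Constructed sample data: write {relative path: bytes} into a temp dir."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as handle:
            handle.write(data)
    return root
```

The audit is only as trustworthy as the host it runs on, so the baseline and the checker should come from media the audited system cannot write to.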

  36. Re:What devices need to be patched? by rbgaynor · · Score: 1

    I remember CP/M getting customized by the hardware maker, but not MS-DOS.

    --
    "Good things don't end with eum, they end with mania or teria." - H. Simpson
  37. Re:What devices need to be patched? by jaa101 · · Score: 1

    Router? Huh? What do routers have to do with this?

    On the off chance that you seriously don't know what's going on here: for the general public, all boxes that connect them to the internet are "routers." This is not too surprising since a high proportion of home devices do perform routing functions. The percentage of the general public that understands what a wireless access point is is very small.

  38. Debian too... by Parker+Lewis · · Score: 1

    ... and earlier than MS, but I think they're not paying media like TheVerge to share this.

  39. Re:Access Points by WaffleMonster · · Score: 2

    If you patch a client that client is safe.
    If you patch an AP all clients using that AP are safe.

    Wrong. There is no possible AP only patch that renders clients safe.

  40. Re:What devices need to be patched? by thogard · · Score: 1

    Before the IBM BIOS was clean room reverse engineered, every vendor's version of MS-DOS was different. Tandy and DEC were two examples.

  41. Re: Um, fuck off by Brockmire · · Score: 1

    He's not asking for a fucking link, asshole. He's asking for a proper description of the bug, specifically a CVE number. Your reading comprehension is pathetic. How the fuck do you operate without hand holding?

  42. Re: What devices need to be patched? by Brockmire · · Score: 1

    Don't contribute and allow improper use of router and AP terms. The OP should be shamed to prevent this kind of stupid talk.

  43. Re: Gee, thanks Mr. Google by Brockmire · · Score: 1

    I'm certain it'll be in next month's update for my BlackBerry phone.

  44. Google doin great as always. by dramason · · Score: 1

    "within weeks". Epic customer support.

  45. Re: MS just gets stuff done. by Brockmire · · Score: 1

    I think Jared updated the pedo profile. s/cheetos/subs/.