Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com)

Posted by msmash on from the quick-dispatch dept.

Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.

19 of 136 comments (clear)

  1. Re: Um, fuck off by Anonymous Coward · · Score: 3, Insightful

    Grow up. The article links to the previous Slashdot story from earlier today and is still on the front page. The previous article links to a research paper explaining the vulnerability. For anyone who has looked at the front page this morning or even bothered to examine the links in the summary, it's blatantly obvious which vulnerability is being discussed here. Here's hoping you're modded -1 flamebait. You deserve it.

  2. Re:Um, fuck off by crypticedge · · Score: 5, Informative

    This is a high profile issue at the moment. I realize looking back at it in a few weeks may be worth that kind of comment, but there's been multiple slashdot articles on it today, and every tech news site is buzzing about it.

    To fill your rage though,

    The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

    CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
    CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
    CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
    CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
    CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
    CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
    CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
    CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
    CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

  3. Re:Access Points by dc29A · · Score: 5, Insightful

    Worse, how many millions of Android handsets will never see this patch?

  4. Android updates suck by DigitAl56K · · Score: 5, Insightful

    So now most Android devices are, and will continue to be, vulnerable to both BlueBourne and WPA2 KRACK, meaning that essentially they are wide open to anyone pilfering whatever they want off the device itself and as they communicate over the air. With most manufacturers abandoning updates in 3 years or sooner, and for the small pool of supported devices having very infrequent updates available, many times 3-6 months behind the curve, why do we allow this kind of chronic insecurity?

    It's insane that we allow businesses to behave like this: Give everyone computing devices they use to run their lives - healthcare, credit, banking, social, BYOD work, etc. and leave them open like Swiss cheese.

    1. Re:Android updates suck by DNS-and-BIND · · Score: 3, Insightful

      So, what you're telling me is that all of the affected customers will not be receiving updates, and they'll have to buy a new device?

      What a tragedy. By which I mean, the refusal to provide updates will result in greatly increased sales.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Android updates suck by ilsaloving · · Score: 2

      This is one of the primary reasons I use iOS. Apple, for all their other negatives, DO support their products pretty well. I know I can expect a good 5 years of updates for my iThing.

      I'm more pissed off at the entire industry as a whole, because we are literally in a situation where consumers have no choice other than to pick the vendor that pisses them off the least. There are literally NO good vendors. They either make crap products, don't support their products, use their products to steal your personal information, or some combination thereof.

      As it stands, my choice is to buy Apple and bend over up front with my wallet held high, or buy Microsoft or Google and be bent over in perpetuity by Darth Vader, having my agreement altered and hoping (in vain) that the agreement won't be altered any further.

  5. Re:Already released patch or new patch as of today by crypticedge · · Score: 2

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Windows rejects retransmit requests, causing the attack to fail.

  6. What percentage of Android will be patched by perpenso · · Score: 4, Insightful

    Android Will Be Patched Within Weeks

    What percentage of Android will be patched?
    The 18% with 7/Nougat or better,
    the 50% with 6/Marshmallow or better,
    the 78% with 5/Lollipop or better,
    the 92% with 4.4/Kitkat or better?
    https://developer.android.com/...

    1. Re:What percentage of Android will be patched by Merk42 · · Score: 5, Insightful

      Android Will Be Patched Within Weeks

      What percentage of Android will be patched?
      The 18% with 7/Nougat or better,
      the 50% with 6/Marshmallow or better,
      the 78% with 5/Lollipop or better,
      the 92% with 4.4/Kitkat or better?
      https://developer.android.com/...

      The .02% with 8/Oreo or better

  7. Google has promised a fix for affected devices by Anonymous Coward · · Score: 2, Insightful

    Google has promised a fix for affected devices "in the coming weeks."

    As a Nexus 5 owner, I'm not holding my breath on that being a true statement.

  8. Re:Already released patch or new patch as of today by Dog-Cow · · Score: 4, Insightful

    Sounds like a good fix to me. Instead of accepting retransmits, it's safer to restart the entire handshake.

  9. Re:Already released patch or new patch as of today by DRJlaw · · Score: 3, Interesting

    "The key negotiation process needs to allow for the possibility of radio interference, so it permits the access point to re-send the message that is step three of the handshake. If an attacker sends a copy of this message, the client device will be tricked into reverting back to the original encryption key and initialization vector used at the start of the session. The client's next transmissions will have been encrypted with the same key as earlier transmissions, even though that key was only meant for a single use. That allows for a key reuse attack, which doesn't directly expose the underlying encryption key but does make it relatively easy to decrypt the data that was encrypted, especially if something is known about the structure of the messages that were both encrypted with the same key. IP packet headers, in turn, provide exactly that."

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Yes, if the phase 3 handshake re-transmit required by the specification inherently enables a key reuse attack, then the flaw is not in the implementation, but the specification itself, and security would dictate that one refuse to enable that portion of the specification. Losing the ability to initialize a connection in a high RFI environment, which most installations attempt to avoid and mitigate, is an inconvenience. Having your traffic snooped is quite a bit more of an issue.

  10. Some details please by 140Mandak262Jamuna · · Score: 2

    From what I understand, the attack is on the router, forcing it to re use known keys for encryption. How do the client devices fix this issue?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Some details please by guruevi · · Score: 2

      The problem is on the client imho. Basically what you do is replay the authentication packet "as if" the packet got lost and you're just asking for the packet to be re-sent. The client will then re-send predictable data (zeros) which an attacker can thus use to decrypt the key.

      It's a bit similar to the apocryphal story about hacking the Enigma, if you send "Heil Hitler" at the end of every message or weather reports, you can guess those portions of a key and by calculating back/forwards you can get a number of partial or complete messages.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  11. Re: Um, fuck off by behrooz0az · · Score: 2

    And don't forget that the front page shows the most recent submissions first.

    Thank you. This is actually what happened here.
    As some of us have jobs and don't live in our mom's basements we tend to read the news after we're done and what do we get? This masterpiece of editorial work.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  12. Linux patches out already - well ubuntu/debian by Anonymous Coward · · Score: 2, Informative

    wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium

        * SECURITY UPDATE: Multiple issues in WPA protocol
            - debian/patches/2017-1/*.patch: Add patches from Debian jessie
            - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
                CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
                CVE-2017-13088
        * SECURITY UPDATE: Denial of service issues
            - debian/patches/2016-1/*.patch: Add patches from Debian jessie
            - CVE-2016-4476
            - CVE-2016-4477

      -- Marc Deslauriers Mon, 16 Oct 2017 08:20:18 -0400

  13. Re:What devices need to be patched? by laurencetux · · Score: 2

    you can patch the issue on either side of the setup and this attack will fail so

    P client and P router = no attack
    N client and P router = no attack
    P client and N router = no attack
    N client and N router = PAWNED

  14. "already" is misleading and undeserved. by smblion · · Score: 2

    Unless the patch was deployed before the vulnerability was exposed, the word "already" shouldn't be in the headline.

  15. Re:Access Points by WaffleMonster · · Score: 2

    If you patch a client that client is safe.
    If you patch an AP all clients using that AP are safe.

    Wrong. There is no possible AP only patch that renders clients safe.