
All your WiFi devices are broken, Android/Linux devices particularly devastated

epmode

Member
So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

You shouldn't assume that a patch fixed anything until it's publicly confirmed.

Can't find an update button on my router settings webpage.

Official website support page only shows firmware 1.00 dating back to 17/12/2015.

what do. I literally bought this router two months ago ;_;

I don't think routers are the real problem (unless you're using them in an unusual manner). You need to patch most/all of your wifi devices once the security updates are available.
 

linkboy

Member
"Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack."

So... are the other 59% on a certain version or beyond, or what? Something instead of the common wpa_supplicant?

There's a lot of cheap Android phones (think Straight Talk as a prime example) that are still running Lollipop and will never get an update.
 

emag

Member
An iPad 3 that doesn’t get iOS 11?

Don't use it for anything where you care about security.

So my pixel that was updated on October 5th is secure? Anything that has had an update after Aug 28th is good?

Anything that hasn't been updated since August 28th (outside of OpenBSD, July 15) is almost certainly vulnerable. Anything updated since then might be fixed, but there are few confirmations as of yet.
 

mclem

Member
As an android user, basically I just need to wait for an update to push?

Edit: okay, never mind, Samsung already pushed an update. Whew.

If you're referring to the page linked in this post:

An Official list of when companies were told and when they pushed out a fix

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4


PS: Someone add this to the OP

... I *think* that's saying that the last Samsung update was on Oct 12th, but that did not fix this vulnerability. I might be misreading it, though, or you might be referring to a different source.
 

Kinokou

Member
So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?
-edit my post as I type it?
-see my password when I log into GAF?
-see my password when browsing GAF?
 

Dr.Acula

Banned
As I understand it, this is a targeted vulnerability against wifi transmissions. Meaning someone has to be in wifi range and targeting you, specifically. Practically speaking, the average person shouldn't be worried about their banking info being swept up in a large, general attack like a computer virus.
 
Plus even though Samsung had an update on Oct 12th, a lot of these still are delayed by the carrier. My phone hasn't been updated since August 1st.
 

Vanillalite

Ask me about the GAF Notebook
If you're referring to the page linked in this post:



... I *think* that's saying that the last Samsung update was on Oct 12th, but that did not fix this vulnerability. I might be misreading it, though, or you might be referring to a different source.

That's how I read it too.

I assume they'll change the left column from affected or unknown to fixed/patched when done.
 

smisk

Member
Maybe this is naive of me, but with stuff like this (also the Equifax leak) it feels like the number of targets is so large that I'm unlikely to be exploited. I mean, how many WPA2 devices do you think there are? I'm betting a couple billion at least.
 

torontoml

Member
Don't use it for anything where you care about security.



Anything that hasn't been updated since August 28th (outside of OpenBSD, July 15) is almost certainly vulnerable. Anything updated since then might be fixed, but there are few confirmations as of yet.
Ok, not like I'm going to really change anything, doesn't seem like there is anything I can do when it comes to phones, but was curious.
 

JettDash

Junior Member
Maybe this is naive of me, but with stuff like this (also the Equifax leak) it feels like the number of targets is so large that I'm unlikely to be exploited. I mean, how many WPA2 devices do you think there are? I'm betting a couple billion at least.

Personally I have like 12.
 
Problem is bad, but OP is going a little too far. Attacker still cannot see https encrypted data (which honestly in this day and age covers pretty much everything important).
 

emag

Member
So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?

-see my password when I log into GAF?

Yes, assuming that the attacker has a device within WiFi range of your browser device.

-see my password when browsing GAF?

No. Once you're logged in, GAF operates based on cookies. Someone could copy that cookie, of course, but it shouldn't contain your password.

-edit my post as I type it?

No.

AFAIK, nothing is being sent while you're typing (only when you hit submit/preview).
 

Big_Al

Unconfirmed Member
Well that's me fucked then, I'm still using a Note 2 which has been doing the job just fine. Guess I'll have to upgrade sooner rather than later then as I sure don't see me getting a patch.
 

ISee

Member
Oh great.
It will take ages for all carriers and ISPs to patch all modems/routers and handheld devices.
 

Kinokou

Member
Yes, assuming that the attacker has a device within WiFi range of your browser device.



No. Once you're logged in, GAF operates based on cookies. Someone could copy that cookie, of course, but it shouldn't contain your password.



No.

AFAIK, nothing is being sent while you're typing (only when you hit submit/preview).

Thank you for taking the time for my juvenile examples, it's really helpful since I'm not that security savvy.
 
So, if you use port 443 you're okay - i.e. typing in https instead of just www.?

Not strictly true, but it’s true enough that you can think of it that way.

This does allow an attacker to see your https data, btw, they will just not be able to do anything with it unless your actual device is owned (will just look like random garbage). But then they didn’t even need this attack to begin with
 
Not strictly true, but it’s true enough that you can think of it that way.

This does allow an attacker to see your https data, btw, they will just not be able to do anything with it unless your actual device is owned (will just look like random garbage). But then they didn’t even need this attack to begin with

I see, thanks, cpp. You're always saving me, lol. I will just be sure to get in the habit of prefixing all of my browsing with https.
 
I see, thanks, cpp. You're always saving me, lol. I will just be sure to get in the habit of prefixing all of my browsing with https.

You shouldn’t even need to. Just type www, sites that support https at all almost always default to it. There are some rare exceptions
 

Khrae

Member
Even Phil Collins is helping to spread the word...

 
Legacy devices (and their users) are fucked. All of their data belongs to anyone within WiFi distance who bothers to take it. Turn off WiFi, delete your accounts, buy new devices, or pray that no one takes what's sitting out in the open.

All of your WiFi communications are public. Anyone can see everything going both ways.

This is false. If you communicate via a secured channel (e.g. HTTPS, SSH, VPN), it's still as secure as that protocol is. You're losing the secondary encryption from WPA2, but your communication is still encrypted.
 
Can this exploit only be done if you're within range of someone's wifi?

I live in a semi crowded area but my wifi doesn't work too far from my house and the locals don't strike me as too computer savvy.
 
So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?
 

kami_sama

Member
So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?

Disabling SSID broadcast does nothing at all. Might be even worse in some cases iirc.
This would be used to snoop on your communications, I don't think you would be able to connect to the access point.
 

Somnid

Member
So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?
-see what I post to GAF?
-edit my post as it is being posted to GAF?
-edit my post as I type it?
-see my password when I log into GAF?
-see my password when browsing GAF?

This was always possible because GAF lacks TLS encryption (https). And on that note WPA is more to protect from people getting into your network, it's not really content protection, that is usually handled by a higher level network protocol like TLS.
 

M52B28

Banned
Can this exploit only be done if you're within range of someone's wifi?

I live in a semi crowded area but my wifi doesn't work too far from my house and the locals don't strike me as too computer savvy.
I was worried about my parents, but I realized they live in the hood and should be safe lol

Nobody is gonna go around hacking shit when they have to go to work by bus at 6am. This isn't Watchdogs, yet.
 
So, being on wifi and using a web browser people can now:

-see what thread I'm reading on GAF?

Yep, probably

-see what I post to GAF?

Sort of, as it would work the same as the first one, mostly by watching your traffic.

-edit my post as it is being posted to GAF?

Probably not. It's not impossible, just more difficult to intercept your post request as it's being submitted and then resubmit with something else. Not impossible, but just the effort involved is a good deal higher.

-edit my post as I type it?

No

-see my password when I log into GAF?

On Gaf, maybe, because Gaf doesn't use https:// which it really should. The password submission is still encrypted and salted, but the encryption method is usually pretty dated on forum software like this, and if a hacker is going through the trouble to snoop your traffic on a site like neogaf they'd likely be able to get the encryption key, which they could then use to decrypt your password as it's submitted. But, if you've logged in someplace where you're using a more private wifi (say like, at your house where it's unlikely that someone is sitting in your driveway snooping your data), then you're probably using a cookie to stay logged in. A hacker could snoop this cookie as it's passed over to neogaf, but most websites that deal with anything require more than just the cookie to pretend to be someone else, and will require another login.

-see my password when browsing GAF?

No, the password is only passed once when you log in. For websites that use https:// this is even less likely, but of course, NeoGaf does not use https://
 
So my router is WPA2 it seems. This means I'm not affected because the company provided me a shitty device using an already fucked security type right?
 
So I imagine this vulnerability is that if someone can see my wifi connection they can get onto it?

Is it a good safety measure at the moment to disable ssid broadcast to prevent others seeing my network?

Also I know there's a wireless admin option - if I disable that so someone has to be wired into my connection - does that save me at all?
1. I believe the security benefits of not broadcasting SSID are negligible. It's probably going to make it less likely for you to be attacked when there's lots of networks but a determined attacker isn't going to be deterred by that.
2. That's not gonna change anything. The only thing that would prevent is for the attacker to change your wifi password when he's gained access to your network (which wouldn't be a smart thing to do, since you can just reset your router and it'd alert you to their presence).
 

Vanillalite

Ask me about the GAF Notebook
Forbes

A Google spokesperson wrote in an email to Forbes: "We're aware of the issue, and we will be patching any affected devices in the coming weeks."

Microsoft confirmed it had rolled patches out already: "We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected."
 
So my router is WPA2 it seems. This means I'm not affected because the company provided me a shitty device using an already fucked security type right?

The flaw is in WPA2, which is one of the more common types of WiFi security. If your router has WPA2 it doesn't mean it's shitty, most of the best routers available that cost several hundred dollars also pack WPA2.

Didn't GAF use HTTPS for a few days? If I remember correctly, it went back to HTTP because it broke some stuff. Ads, maybe?

Secure certs cost money, high traffic websites will cost more, and because of the extra levels of security, some things that would have previously worked might not. For instance, for users with strict security settings, any content loaded over http:// on an https:// website will be blocked. For most users, it's not blocked but your console throws a warning. So, if you have strict settings, many things like people posting images, gifs, etc., would be blocked unless their image host uses https:// for hosting, which again, many do (imgur does, but again, it's more expensive so not everything does). There's some content that will be blocked, like CSS, JS, and other external resources will be blocked by the browser, which could affect ad delivery networks if they don't take security seriously (and really, ad networks should take security seriously because it's the easiest way for a hacker to exploit tons of users).

That all said, for any semi-major website, there's no excuse for not using https:// anymore. Like, if you're worried about the cost, you're going to end up eating it one way or another at some point, either you're eating it for slightly higher cost now or you're eating it having to spend money fixing a hack later.

So, if you use port 443 you're okay - i.e. typing in https instead of just www.?

The website has to support https://
If you type https:// into a website that doesn't have TLS set up, it won't do anything. In most cases, your browser will give you a warning that you've entered https:// but there is no secure certificate.
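
An added example, not part of the original thread: a small Node.js audit a site operator could run over a page's HTML before switching it to https://, flagging http:// subresources the way the post above describes (scripts and stylesheets blocked, images loaded with a console warning). The function names, the tag table (which also lists frames and media as an assumption beyond the post) and the sample HTML are constructed for illustration.

```javascript
// Added example: mixed-content audit for a page that will be served over HTTPS.
// tag -> [attribute holding the URL, what the browser does with an http:// value]
const SUBRESOURCES = new Map([
  ["script", ["src", "blocked"]],
  ["link", ["href", "blocked"]],   // only when rel contains "stylesheet"
  ["iframe", ["src", "blocked"]],
  ["img", ["src", "warning"]],
  ["audio", ["src", "warning"]],
  ["video", ["src", "warning"]],
]);

// Read one attribute value (double-quoted, single-quoted or bare) from a tag string.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

function auditMixedContent(pageUrl, html) {
  const findings = [];
  // Mixed content only exists when the page itself is loaded over HTTPS.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  for (const m of html.matchAll(/<([a-z]+)\b[^>]*>/gi)) {
    const tag = m[0];
    const name = m[1].toLowerCase();
    const rule = SUBRESOURCES.get(name);
    if (!rule) continue; // e.g. <a href>: navigation, not a subresource
    if (name === "link" && !/stylesheet/i.test(attr(tag, "rel") || "")) continue;
    const raw = attr(tag, rule[0]);
    if (!raw) continue;
    let resolved;
    try { resolved = new URL(raw, pageUrl); } catch { continue; }
    // Relative and //host URLs inherit https: from the page, so only explicit http: is flagged.
    if (resolved.protocol !== "http:") continue;
    findings.push({ tag: name, url: resolved.href, effect: rule[1] });
  }
  return findings;
}

// Constructed sample page (hypothetical hosts under the reserved .example TLD).
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example/forum.css">
<script src="http://ads.example/serve.js"></script>
<script src="//cdn.example/lib.js"></script>
<img src="http://images.example/cat.gif">
<img src="https://images.example/ok.png">
<a href="http://other.example/">plain link</a>`;

for (const f of auditMixedContent("https://forum.example/thread", SAMPLE_HTML)) {
  console.log(`${f.effect.padEnd(8)} <${f.tag}> ${f.url}`);
}
```
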
 

Somnid

Member
Didn’t GAF use HTTPS for a few days? If I remember correctly, it went back to HTTP because it broke some stuff. Ads, maybe?

It did, but the ad network Evilore does business with had issues with it. Gotta pay the bills, but I wish he would dump them for someone else.
 