-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
All your WiFi devices are broken, Android/Linux devices particularly devastated
- Thread starter emag
- Start date
SuperBanana
Banned
Would my phone be safe if I use data rather than wifi in public areas? They'd have to virtually be outside my house to get within range at home.
Vanillalite
Ask me about the GAF Notebook
Again, no.
If your router is updated to always require a new encryption key during the authentication process, you will be safe. Yes, even if the client is not updated.
Just make sure you don't connect to unsafe networks, or when you do, that you do not transmit any sensitive data. But this should be common practice regardless on if you have patched your device or not.
paperboywriter
Member
Biggest breach ever?!
sixteen-bit
Member
scary stuff
Kill Your Masters
Member
Android devices are fucked either way. In 2 years, some new exploit comes out, and todays phones become vulnerable.
I assume OEMs don't care. Heck, the researchers and hackers are doing them a huge favor of seeling new devices through a fear that the old ones become vulnerable.
Vanillalite
Ask me about the GAF Notebook
Yes it's also a router issue, but people need to understand they need to update their individual devices and not just their router.
In hindsight I'll admit my post was flawed. I just didn't want people to think they are good without client patches too.
Chittagong
Gold Member
between this and Uber having access to your iPhone frame buffer at all times, privacy is dead
In terms of affected devices for a serious vulnerability maybe. Heartbleed would be pretty close. WEP was completely busted, but also declining in use by the time it became so.
Updating your router will make your network 100% safe.
Unsafe networks, public networks, are never safe. Patch or no. Regardless of sniffers, you should not be using them to do your internet banking or transmitting your cc data.
Kill Your Masters
Member
True.
Because your Wifi may be secure after updating but you basically never know if your friends/parents/whatever wifi is.
Wait so are Android 7.0 devices vulnerable?
KarneeKarnay
Member
It was never safe.
Engadget doesn't know what they're talking about. Given that the attacker is targeting the client by replaying/spoofing messages, the vulnerability cannot be mitigated by any router-only patches.
Yes, most likely any devices not patched after August 28 (apart from OpenBSD devices after July 15-ish) are vulnerable.
Tal Shiar Agent
Member
I actually just wired my home for ethernet so the only wireless devices in my home are our smartphones.
Stone Ocean
Member
Same here, I only do important shit on my PC so I should hopefully be safe.
MarkMclovin
Member
Why is android mentioned but not iOS devices?
This affects all WiFi devices that use WPA2 isn't it?
This affects all WiFi devices that use WPA2 isn't it?
Doesn't matter. Your Wi-Fi signal doesn't stop immediately outside your office/house.
The idea behind the attack yes, it affect every WPA2 device. iOS however doesn't present the entire problem (you can only get the group keys) because its implementation doesn't respect correctly the standard. It's bad and it should be patched as soon as possible, but it's not as bad as android (like really? They don't check if they are using a zero-key? Really?)
The OP explains it. The commonly used wpa_supplicant client which most Linux distros and Android devices use is particularly bad about storing private keys and can be broken much faster than the others.
iOS may or may not be just as bad, but being proprietary it can't be determined as easily.
iOS devices are at risk too, but Linux devices (which Android is based on) commonly use a certain method of encryption that put them at risk more so than other devices. You can read the Android section of the OP for more info.
I expect the desktop stack to be patched in no time
My 3 years old android though........
Why August 28th?
And damn, my Android security patch is as of August 1st.
This really fucks people who use older cheap Android devices like tablets. I hope Amazon and Lenovo are going to be patching their shit.
Also, I don't have Ethernet running to my desktop (running Windows 10) due to router location. Does using VPN help me out at all here? I'm good with doing any sort of transaction or banking as long as it's through https, correct?
Thanks. My phone my says the last security update was August 1st.
Frankly I'm just glad this was found by someone who made it public knowledge instead of the NSA or some hacker group.
Looks like it.
Looks like it.
esmith08734
Member
Weird, so on Saturday, my router was blinking and Internet was down for maybe 15 minutes. I wonder if that was an auto-update. It's solid light when operational.
Best course is to just keep checking for security updates on devices connected to routers?
Best course is to just keep checking for security updates on devices connected to routers?
TurboButts
Member
i don't think any of my neighbors are within range of my router.
am i good?
am i good?
Ideally yes, but not necessarily. There are several examples where you can bypass HTTPS.
August 28th is when vendors/manufacturers were notified of the vulnerability (OpenBSD was notified early and broke the patch embargo).
HTTPS (and possibly VPNs, depending on their specific implementation) is vulnerable to a man-in-the-middle attack in combination with this WPA2 exploit, but it would have to be specifically targeted (which is unlikely, as criminals focus on easier or higher-profile targets).
The router update doesn't matter nearly as much as the client update, unless you're using the router as a repeater or the like (where it's itself a client for another network).
The vulnerability is even easier/worse on Linux/Android, but it affects MacOS/iOS/etc. as well. It's possible that the vulnerability has been patched in recent versions of iOS (11.x.x) and MacOS (10.13.x), but I'm not aware of anyone stating it definitively at this time.
esmith08734
Member
And having macOS High Sierra and iOS 11 is good, correct?
Vanillalite
Ask me about the GAF Notebook
An Official list of when companies were told and when they pushed out a fix
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
PS: Someone add this to the OP
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
PS: Someone add this to the OP
aspiegamer
Member
Can we have some kind of thread title that doesn't make it sounds like the devices literally don't function? Also, 41% of Android devices also doesn't sound like "all" (unless that's just one aspect of this, sorry).
Android devices pre-6.0 are vulnerable, but not to the exceptionally devastating variant. 6.0+ are more vulnerable.
*all* android devices are vulnerable. it's just 41% are particularly vulnerable to an even easier exploit.
Zaraki_Kenpachi
Member
This sounds like it affects more than public WiFi?
Transistor
Banned
That's what I'm wondering, too. I have the September security patch, so I should be good.
aspiegamer
Member
Thanks! Well, no, this is actually awful, but you know what I'm saying.
Similar threads
- Locked