
All your WiFi devices are broken, Android/Linux devices particularly devastated

If anyone's waiting to hear from Apple, they've apparently said it's fixed in the latest iOS, macOS, etc. betas. Based on past update schedules the x.1 releases come out in mid-late October so the public releases should be very soon.

I just saw that but I can't see anything about their AirPort routers getting patched? I can't imagine they wouldn't but it would be nice to get a confirmation.

Fuckin sucks that my OG iPad/iPad Mini and even my current iPhone 5 are now a liability that I guess I shouldn't be using on WiFi anymore ):<
 

True Fire

Member
Well, my PC and phone are already updated.

I'm worried about my consoles though. And before I buy an IOT device going forward I'll have to make sure it's modern. Ugh.
 

Primus

Member
Damn, I have a DD-WRT repeater, but if the information is correct I should only need to patch my router?

On DD-WRT's side, the patch for the fixes is already in their codebase. We just need to wait for updated builds to come out in the next few days.
 
Are consoles at risk from this attack?

Yes, anything that uses the WPA2 protocol needs to be patched. But being realistic, if you're only using your console for gaming it may not be as high a priority as say, laptops, tablets and phones you're using for banking.

As this only affects WiFi, an obvious temporary fix is to pick up some cat5 cables and wire up your critical devices.
 
Have iOS devices been patched yet? Like, in the latest iOS version?



Well shit, I read this page, but I didn't read every post quoted on this page...
 

Blizzard

Banned
Most businesses are not gonna move on this fast enough. If this takes off a lot of people are fucked like there is no tomorrow.
Are you saying this because most people don't use HTTPS for important transactions, or because there's going to be man in the middle attacks, or because malware will get installed due to HTTP hijacks?

I still haven't figured out answers to my questions on the previous page so I'm unsure how much impact this will have.
 

Jotakori

Member
Okay, so updating computers and phones? No problem, easy check.
But what I'm unsure about, is what this means for consoles and handhelds?
My household has a PS3/4, two Wii Us, Switch, and at least three 3/2DS's. I see the patched list includes Sony, but would that cover the consoles? Is it a matter of turning off/using WiFi sparingly on the other devices and otherwise finger-crossing that they update or that we luck out and they just never cause a problem?

Unfortunately cuz of our house layout, we can wire the PS3 and one of the Wii Us, but it isn't all that practical for the other consoles and the PS4 especially gets a lot of network use for media streaming. x__x;;
 

mcrommert

Banned
Well, my PC and phone are already updated.

I'm worried about my consoles though. And before I buy an IOT device going forward I'll have to make sure it's modern. Ugh.

Xbox should be patched as part of windows update today for fall update

Playstation will probably be months
 

NOLA_Gaffer

Banned
Maybe, but it appears to have already been patched along with more recent versions of Windows per a post earlier in the thread.

Hopefully the patch actually installed. Every time I drop in at their place there seems to be a dozen or so updates that put up "failed to install" errors.

I wonder if Apple will push out a security update for iOS10 devices. Still lots of folks out there with iPhone 5's and 5c's.
 

Audioboxer

Member
lol @ all of us on Samsung phones. They already release Android updates like 8-12 months after they are out. You reap what you sow Samsung when you have 8 million variants of the same handsets.

My S6 is fucked. Due to change it now anyway.

Netgear has already released a FW update for my old R7000 router.
 

Bladelaw

Member
Well this sucks.
Game plan for me:
-Update all mobile devices if possible (phones, laptops, tablets, portable consoles)
-Update router (again if possible)
-Update hardlined devices (in the event I need them wireless for anything, especially consoles).
-Take stock of devices that will not be updated and wipe them (should have done this a while ago as a good practice but oh well).
 
Fuck me so my phone doesn't have an update available

Last update 2016

Should I just keep the wifi feature turned off on my phone? Will that be enough?
 

Bladelaw

Member
Well that sucks. Should I just not connect to WiFi in two weeks?

Don't transmit any data you'd rather not have snooped over WiFi. Assume any network traffic on that device is public and act accordingly until it's updated. If possible update your router which should limit the damage.
 

Blizzard

Banned
Don't transmit any data you'd rather not have snooped over WiFi. Assume any network traffic on that device is public and act accordingly until it's updated. If possible update your router which should limit the damage.
How can updating a router limit the damage if the attack is client-based due to a flawed client handshake protocol? As far as I understand, the attack is actually initiated by imitating a router.
 

Random Human

They were trying to grab your prize. They work for the mercenary. The masked man.
How do Chromecast updates usually work? I just got one recently and I think this now might be the least secure point of my network, at least once Apple releases an update for iOS.
 

Bladelaw

Member
How can updating a router limit the damage if the attack is client-based due to a flawed client handshake protocol? As far as I understand, the attack is actually initiated by imitating a router.

From page two of the thread via Engadget:
The problem should be relatively easy to fix. A firmware change can force routers to require a dedicated certificate for each handshake, instead of relying on the one already generated. And, as the security researchers who discovered it say, "implementations can be patched in a backwards-compatible manner."

That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa. Nevertheless, they also advise to patch all your devices as soon as security updates are available. For more details about the hack, check this very detailed FAQ from Aruba Networks.
 

Blizzard

Banned
From page two of the thread via Engadget:
I must have misunderstood the exploit description then. I thought the point was that the attacker detects when a handshake is beginning, and creates fake packets that appear to come from the router.

I thought because of this, it wouldn't matter if a router is fixed or not, since the fake packets (replayed message 3) will always be the same and unpatched clients would honor them. I suppose in reality a fixed router would alter the handshake enough that the client can no longer be manipulated in the same way.
 

M3d10n

Member

Clarification time:

1) Any login mechanism worth a grain of salt won't send e-mail/password combos even when using HTTPS. Instead, a cryptographically-based challenge-response mechanism is the bare minimum, in which neither the password nor a hash of it are sent to the server. For example, during account creation the client used its password to generate a public/private key pair and the server stores the public key. During login, the server sends the client a one-time-use piece of data, the client encrypts said data using its private key and sends it back to the server, which then verifies if the stored public key can be used to decrypt the data. A rogue party in the middle cannot simply steal credentials in such case (of course, if you use the same password everywhere and an attacker intercepts login credentials to unsafe sites - like GAF, you're potentially fucked).

2) In the most commonly used network setup (AES), the attack can only decrypt packets sent by the client: data sent from the AP is encrypted using a different key. This is what the "depending on the device being used and the network setup" part means: you need a Linux/Android device on a TKIP/GCMP network for full catastrophe, in which case the attacker can actually send fake packets to the client.

I must have misunderstood the exploit description then. I thought the point was that the attacker detects when a handshake is beginning, and creates fake packets that appear to come from the router.

I thought because of this, it wouldn't matter if a router is fixed or not, since the fake packets (replayed message 3) will always be the same and unpatched clients would honor them. I suppose in reality a fixed router would alter the handshake enough that the client can no longer be manipulated in the same way.

The exploit allows an attacker to put the client into a predictable state (reset the packet numbers to the initial state) where it's possible to deduce the key used to encrypt outgoing data (and incoming data, if using TKIP/GCMP instead of AES). This is done by replaying the handshake message #3 and then scanning for packets with known content (of which there are many) to figure out the key (if the target is using unpatched Linux/Android, the key simply becomes zero).

A patched router would simply reject a packet stream that was "rolled back" like that forcing the client to re-do the handshake.
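
Added example (not part of the original thread or any poster's code): a simplified Python model of the packet-number reset discussed in the post above, showing an unpatched client beside a patched one that ignores a repeated message 3 for the key it already uses. The `Client` class, the sample frames and the HMAC-based keystream (a stand-in for CCMP's AES counter mode) are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key, pn, length):
    # Toy stand-in for CCMP's AES counter mode: output depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client: only key installation and the packet number are modelled."""
    def __init__(self, patched):
        self.patched, self.key, self.pn = patched, None, 0

    def on_message3(self, key):
        # Patched: a repeated message 3 for the key already in use is not reinstalled,
        # so the packet number keeps counting up.
        if self.patched and key == self.key:
            return
        self.key, self.pn = key, 0  # unpatched: reinstall and start counting from 0 again

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

KNOWN = b"GET /index.html "   # constructed frame whose content an observer can guess
SECRET = b"secret=hunter2!!"  # constructed frame the observer should not be able to read

def run(patched):
    key = bytes(range(16))    # constructed session key
    client = Client(patched)
    client.on_message3(key)
    pn1, ct1 = client.send(KNOWN)
    client.on_message3(key)   # message 3 arrives a second time
    pn2, ct2 = client.send(SECRET)
    # Same key and packet number means same keystream: ct1 ^ ct2 == KNOWN ^ SECRET,
    # so the second frame is recovered from ciphertexts alone, without the key.
    recovered = xor(xor(ct1, ct2), KNOWN)
    return pn1 == pn2, recovered == SECRET

if __name__ == "__main__":
    for patched in (False, True):
        reused, leaked = run(patched)
        print(f"patched={patched} packet_number_reused={reused} second_frame_readable={leaked}")
```
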
 

Blizzard

Banned
The exploit allows an attacker to put the client into a predictable state (reset the packet numbers to the initial state) where it's possible to deduce the key used to encrypt outgoing data (and incoming data, if using TKIP/GCMP instead of AES). This is done by replaying the handshake message #3 and then scanning for packets with known content (of which there are many) to figure out the key (if the target is using unpatched Linux/Android, the key simply becomes zero).

A patched router would simply reject a packet stream that was "rolled back" like that forcing the client to re-do the handshake.
So you could essentially do the attack on a client, but you can't continue the attack by snooping the stream because the router would reset the client handshake at that point? Thanks, I think I understand now.
 

RoadHazard

Gold Member
Well that sucks. Should I just not connect to WiFi in two weeks?

Most connections to any reputable services (such as everything Google-related) will be over HTTPS, and thus separately encrypted and secure. An attacker could theoretically intercept that encrypted data, but he couldn't do anything with it. You really only have to worry about unsecure services and sites (such as GAF...). And even then, you really don't. It's highly unlikely that you will actually be targeted and affected by this.
 

Seik

Banned
Being a user of a Samsung Galaxy S4 I say this word.

Fuck.

This sounds very big...no banking on phone anymore it seems.
 
That's ridiculous. For the most part, you can ignore the issue even exists.

Unless you're a valuable target for any intelligence service. Are you?

And that's the thing .. if you feel someone is watching and waiting for an opportunity to hack you, from within rf distance of your AP, you better stick to https for banking and important docs etc. which you probably do anyway.
Otherwise, it isn't a big concern for a while at least.

As for consoles and iot devices, that's even less of a concern although it would be nice to see them patched this year.
 

BasilZero

Member
Majority of people will not know this holy smokes


Anyways anyone know which windows kb update will roll out a patch for win 7 and win 8.1?
 

JCV

Unconfirmed Member
So what's a good router to replace my shitty Netgear that will probably never get updated?
 
And that's the thing .. if you feel someone is watching and waiting for an opportunity to hack you, from within rf distance of your AP, you better stick to https for banking and important docs etc. which you probably do anyway.
Otherwise, it isn't a big concern for a while at least.

As for consoles and iot devices, that's even less of a concern although it would be nice to see them patched this year.

This attack requires a very determined (and patient) adversary, and a determined adversary doesn't need this vulnerability to wreak havoc.

People should be freaking out about ip cameras lol, and yet here we are.
 

Primus

Member
Is someone out there keeping up a list of who's fixed their shit and when? I have a bunch of entries in a spreadsheet in my head from this thread and other places, but it'd be nice to have some sort of web-enabled list that I could just go to and search for a vendor name.
 

ViciousDS

Banned
not seeing kb4042895 on my system.....which is supposed to be the update that fixes it


edit: nvm i was looking at the wrong version

2017-10 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4041676)


actually just installed on my PC

alright....now to wait for the nighthawk update and im good to go
 