There isn’t a lot of information yet but there is a huge stack of CVE numbers. Essentially, your wireless access point at home (and in many businesses) is insecure in that anyone can read the traffic going between your machine and the WAP. HTTPS should minimise the attack vector to an extent but the potential for network intrusion (we don’t know how big this is yet) is very, very worrying.
That’s why we have HTTPS
Not really, we don’t know how big this is but it implies network intrusion is possible, not just eavesdropping.
I really hope not!
Yeah but what good is it gonna do against HTTPS? It’s explicitly designed against eavesdropping and tampering/interception.
But you still have someone on your corporate network running wild and free…
So design your network around that. It’s been ages since I’ve configured any kind of service to blindly trust the local network. As far as my machines are concerned there’s no difference whether you’re inside or outside, you’ll still be asked for a client certificate, and I have yet to see any downside of this approach.
But the issue isn’t with the people that have taken that approach, it’s with the many that haven’t and whether they will ever actually install a patch…
True but in the grand scheme of things this isn’t that big of a deal - this vulnerability requires physical access while there’s plenty more that don’t and those people are more likely to get compromised by those rather than someone actually attacking the Wi-Fi layer.
We don’t know that yet! Details have not been announced.
We still know that at the minimum this will require physical access so it isn’t a big deal compared to the tons of other vulnerabilities exploitable remotely.
But it will take a very long time before all the home routers are patched.
If at all…
I doubt vendors for some of the older ones will even bother issuing patches. Most consumers don’t know how to log in to their router, and most routers don’t have auto-upgrade features!
Check out the above for more information, apparently the vuln is particularly bad for Android 6.0 or above and Linux:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Good news is that this attack seems to be primarily against the client, which people tend to update more, so there is less reliance on vendors updating WAPs.
Turns out HTTPS isn’t a reliable defence and can be stripped. Yes you lose the green padlock but how many users actually check that?
This is bad.
Most sites use HSTS which means after connecting to them once with HTTPS your browser will prevent you from connecting to it via HTTP or bypassing the certificate warning so I don’t see it as a big issue.
Again except for high-value networks like in the enterprise I don’t see this as a big deal - nobody is gonna target the average user as this requires actually getting close enough to get within wireless range, and as far as ignoring certificate errors users are already at much greater risk due to remote exploits like compromising their router so if they’ve managed to survive until now I don’t think this particular vulnerability will affect them that much.
Yeah but not that many sites implement HSTS.
I agree with the last bit…for the moment but if it wasn’t patched that could change.
From the info I’ve read so far it seems like the issue is on the client side so OS updates should take care of it for the most part.
Just had this from Cisco:
We are reaching out to inform you of a new security vulnerability that has been recently discovered. The vulnerability has been documented as CVE-2017-13082 and makes Access Points with 802.11r enabled vulnerable to attacks. Customers that do not use 802.11r are not impacted.
The fix for the vulnerability is available in firmware versions MR 24.11 and MR 25.7. More information can be found here. You can upgrade your networks using the new ‘Firmware Upgrade Tool’ if you are not currently running these patched versions. Optionally, you can skip this version of firmware but this is not recommended. If you choose to skip upgrading to the latest firmware, we strongly urge you to disable 802.11r. You can disable 802.11r for an SSID from the ‘Access Control’ page in dashboard.
Ubiquiti have released updated firmware too.