Re: [OT] Breaking WPA2 by forcing nonce reuse

[David Wright]

On Thu 19 Oct 2017 at 20:53:50 (-0400), Celejar wrote:
> On Thu, 19 Oct 2017 13:46:08 -0500
> David Wright  wrote:
> 
> > On Thu 19 Oct 2017 at 18:07:20 (+0200), to...@tuxteam.de wrote:
> > > On Thu, Oct 19, 2017 at 11:07:01AM -0400, Celejar wrote:
> > > > On Thu, 19 Oct 2017 12:05:23 +0100
> > > > Brian  wrote:
> > > > 
> > > > > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> > > 
> > > [...]
> > > 
> > > > Yes, what I'm probably going to do is use the printer's ethernet
> > > > connection along with a Powerline adapter into a nearby power outlet.
> > > 
> > > And how secure are the powerline adapters? Most probably they're
> > > broadcasting their stuff over your and your neighbour's AC net on
> > > top of some unspecified proprietary modulation. Just sayin'...
> > 
> > AIUI 128-bit AES on non-ancient ones. For your neighbour to eavesdrop,
> > they need to press their device's authenticate button when you press
> > yours. You can probably minimise the chances of the authentication
> 
> See this thread:
> 
> https://security.stackexchange.com/questions/9725/are-powerline-ethernet-adapters-inherently-secure
> 
> and this post in particular:
> 
> https://security.stackexchange.com/a/76266

Interesting that people posting to a technical site would run their
devices using the factory default settings.

I can't agree with Rory Alsop saying that sockets/outlets have to be
on the same phase. With a 220 volt supply, individual households are
going to be on the same phase anyway. In the US, where the voltage
splits at the main box, I've tested using opposite sides (and with
GFCI outlets) and found no problem. If there used to be a problem,
I think they solved it by using the neutral wire which is common.

I've read about using another device to "capture" the legitimate
network but I think you have to get a good connection to the power
circuit to achieve that. (We might be unusual in having interior
switches on all our external power outlets.)

I've tried measuring interference on the radio, and the devices
themselves do give off quite a bit within a metre or so (FM/MW/LW),
but I can only detect similar interference noises at distant outlets
by poking the telescopic aerial at the socket itself. None of this
affects the stations when you've tuned then in, even our preferred FM
station which transmits from 66 miles away.

I haven't tested DAB as my DAB radio only works on FM, but in that
role it works perfectly even though it's only three metres from the
main Powerline nexus and the router. If we had an HD radio (US's DAB)
I think it would be another source of analogue interference rather
than suffering from it. But thank goodness the days of CB radio
are long past.

Perhaps one day I'll climb a tree and see if we can get broadcast TV,
as the nearest local station we can Roku is 100 miles away. But
the amount of advertising they carry kills any motivation.

All in all, the Powerlines suit us perfectly and are quite secure
enough in our situation. Perhaps not so good in a condo.

Cheers,
David.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Dan Purgert]

Ron Leach wrote:
> On 19/10/2017 16:56, Dan Purgert wrote:
>> Brian wrote:
>>> [...]
>>> Isn't it sufficient to fix one end of the
>>> connection to dispose of the vulnerability?
>>>
>>
>> KRACK is an attack against the *client* side.  It MUST (rfc2119) be that
>> device that is patched against the attack.
>>
>
> Dan, I'm not sure it's that simple, either.
> [...]
>
> Your advice is extremely close, and very pertinent, but *both* clients 
> need to be fixed.  

I read his comment as "one side" being the AP side in the AP/Client
relationship ... not that you'd only need to patch "one client".

To be as clear as possible -- Any and all client devices MUST (rfc2119)
be patched to be secure from the KRACK attack.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tv.deb...@googlemail.com]

On 20/10/2017 21:09, Brad Rogers wrote:

On Fri, 20 Oct 2017 10:05:34 +0530
"tv.deb...@googlemail.com"  wrote:

Hello tv.deb...@googlemail.com,


I sent that a day ago, but for some reason it didn't make it to the
list:


You're using google.  It's well known that they don't send your own list
posts back to you.



Sometime do, sometime don't, hard to know when a message doesn't show 
up, next time I'll try digging it from the archives.

Sorry for the noise then.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brad Rogers]

On Fri, 20 Oct 2017 10:05:34 +0530
"tv.deb...@googlemail.com"  wrote:

Hello tv.deb...@googlemail.com,

>I sent that a day ago, but for some reason it didn't make it to the
>list:

You're using google.  It's well known that they don't send your own list
posts back to you.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
What the hell has this place done for me?
Selfish Rubbish - Public Image Ltd


pgp75NDkSMkgG.pgp
Description: OpenPGP digital signature

Re: [OT] Breaking WPA2 by forcing nonce reuse

[rhkramer]

On Friday, October 20, 2017 12:35:34 AM tv.deb...@googlemail.com wrote:
> I sent that a day ago, but for some reason it didn't make it to the list:

Why do you think it didn't make it to the list?  I received it on Wednesday, 
with the same quote listed below--here are the headers:


Re: [OT] Breaking WPA2 by forcing nonce reuse
From: "tv.deb...@googlemail.com" <tv.deb...@googlemail.com> (resent from 
debian-user@lists.debian.org)
  To: debian-user@lists.debian.org
  Date: Wed Oct 18 13:04:04 2017


I suspect that, like for many email users / clients, some combination of the 
ISP, your email client, and the maillist headers keep you from seeing your own 
posts.


The following quote was in the Wednesday post:
> > Quote:
> > 
> > "an optional AP-side
> > workaround was introduced in hostapd to complicate these attacks,
> > slowing them down. Please note that this does not fully protect you from
> > them, especially when running older versions of wpa_supplicant
> > vulnerable to CVE-2017-13086, which the workaround does not address. As
> > this workaround can cause interoperability issues and reduced robustness
> > of key negotiation, this workaround is disabled by default."
> > 
> > Option in hostapd.sh [1] is:
> > 
> > wpa_disable_eapol_key_retries
> > 
> > 
> > [1]
> > https://git.lede-project.org/?p=source.git;a=commitdiff;h=d501786ff25684
> > 208d22b7c93ce60c194327c771
> > 
> > [2] https://downloads.lede-project.org/releases/17.01.4/targets/
> 
> So it is part of Latest LEDE release, but I am not aware of other distro
> using this workaround. It comes with a few potential problems, so must
> be thoroughly tested before being deployed, and it likely breaks
> standards which is never good.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brian]

On Thu 19 Oct 2017 at 17:06:20 +0100, Ron Leach wrote:

> On 19/10/2017 16:56, Dan Purgert wrote:
> > Brian wrote:
> > > [...]
> > > Isn't it sufficient to fix one end of the
> > > connection to dispose of the vulnerability?
> > > 
> > 
> > KRACK is an attack against the *client* side.  It MUST (rfc2119) be that
> > device that is patched against the attack.
> > 
> 
> Dan, I'm not sure it's that simple, either.
> 
> There are *two* WiFi connections in the Debian-box to Printer case:
> i Debian box to Access Point
> ii Printer to Access Point
> 
> Brian's idea is good for the connection from the Debian box to the Access
> Point1.
> 
> But the connection between the printer, and the Access Point remains
> vulnerable - particularly to the possible all-zero key.
> 
> Your advice is extremely close, and very pertinent, but *both* clients need
> to be fixed.  So Celejar's powerline link may be a reasonable solution for
> his case.

Thanks to you, Dan Purgert and Celejar for correcting my misconception.
The middleman (the WAP) needs to be taken out of the picture. With more
recent printers this is a possibility if they have WiFi Direct. A Debian
machine with a patched supplicant can then be set up to connect directly
with the printer.

-- 
Brian.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tv.deb...@googlemail.com]

On 19/10/2017 21:42, Celejar wrote

[...]

like the printer. Henrique recently noted that there is a setting
available on new OpenWRT and LEDE builds that can help, but it's
apparently not yet included in any release yet:

https://lists.debian.org/debian-user/2017/10/msg00593.html

Celejar



I sent that a day ago, but for some reason it didn't make it to the list:


Hi,

17.01.4 just released [2] with fixed wpa and possibility to activate an AP side 
workaround. It is just a mitigation really, but should in practice impair an 
exploit. It is OFF by default.

Quote:

"an optional AP-side
workaround was introduced in hostapd to complicate these attacks,
slowing them down. Please note that this does not fully protect you from
them, especially when running older versions of wpa_supplicant
vulnerable to CVE-2017-13086, which the workaround does not address. As
this workaround can cause interoperability issues and reduced robustness
of key negotiation, this workaround is disabled by default."

Option in hostapd.sh [1] is:

wpa_disable_eapol_key_retries


[1] 
https://git.lede-project.org/?p=source.git;a=commitdiff;h=d501786ff25684208d22b7c93ce60c194327c771

[2] https://downloads.lede-project.org/releases/17.01.4/targets/


So it is part of Latest LEDE release, but I am not aware of other distro 
using this workaround. It comes with a few potential problems, so must 
be thoroughly tested before being deployed, and it likely breaks 
standards which is never good.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Thu, 19 Oct 2017 13:46:08 -0500
David Wright  wrote:

> On Thu 19 Oct 2017 at 18:07:20 (+0200), to...@tuxteam.de wrote:
> > On Thu, Oct 19, 2017 at 11:07:01AM -0400, Celejar wrote:
> > > On Thu, 19 Oct 2017 12:05:23 +0100
> > > Brian  wrote:
> > > 
> > > > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> > 
> > [...]
> > 
> > > Yes, what I'm probably going to do is use the printer's ethernet
> > > connection along with a Powerline adapter into a nearby power outlet.
> > 
> > And how secure are the powerline adapters? Most probably they're
> > broadcasting their stuff over your and your neighbour's AC net on
> > top of some unspecified proprietary modulation. Just sayin'...
> 
> AIUI 128-bit AES on non-ancient ones. For your neighbour to eavesdrop,
> they need to press their device's authenticate button when you press
> yours. You can probably minimise the chances of the authentication

See this thread:

https://security.stackexchange.com/questions/9725/are-powerline-ethernet-adapters-inherently-secure

and this post in particular:

https://security.stackexchange.com/a/76266

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[David Wright]

On Thu 19 Oct 2017 at 18:07:20 (+0200), to...@tuxteam.de wrote:
> On Thu, Oct 19, 2017 at 11:07:01AM -0400, Celejar wrote:
> > On Thu, 19 Oct 2017 12:05:23 +0100
> > Brian  wrote:
> > 
> > > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> 
> [...]
> 
> > Yes, what I'm probably going to do is use the printer's ethernet
> > connection along with a Powerline adapter into a nearby power outlet.
> 
> And how secure are the powerline adapters? Most probably they're
> broadcasting their stuff over your and your neighbour's AC net on
> top of some unspecified proprietary modulation. Just sayin'...

AIUI 128-bit AES on non-ancient ones. For your neighbour to eavesdrop,
they need to press their device's authenticate button when you press
yours. You can probably minimise the chances of the authentication
negotiation being picked up by plugging the devices into a filtered
power strip so that they can only see each other and not radiate into
the home wiring. We have two independent pairs running here, one on
the WAN side and one on the LAN. It looks odd as two units share the
same mains socket by using their pass-through power outlet.

How many neighbours you have depends on where you live. In Britain
you're likely to have a large number scattered randomly down the
street (sharing your phase). Here we have a pole-mount service
transformer that happens to serve just two houses and two street
lamps.

When we had the pole in our garden moved, they discovered that
the whole street's needed replacing, along with the transformers,
so we were lucky and didn't have to pay them anything for the move.
We just said stick it there please.

Cheers,
David.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Ron Leach]

On 19/10/2017 16:56, Dan Purgert wrote:

Brian wrote:

[...]
Isn't it sufficient to fix one end of the
connection to dispose of the vulnerability?



KRACK is an attack against the *client* side.  It MUST (rfc2119) be that
device that is patched against the attack.



Dan, I'm not sure it's that simple, either.

There are *two* WiFi connections in the Debian-box to Printer case:
i Debian box to Access Point
ii Printer to Access Point

Brian's idea is good for the connection from the Debian box to the 
Access Point1.


But the connection between the printer, and the Access Point remains 
vulnerable - particularly to the possible all-zero key.


Your advice is extremely close, and very pertinent, but *both* clients 
need to be fixed.  So Celejar's powerline link may be a reasonable 
solution for his case.


regards, Ron

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Thu, 19 Oct 2017 16:39:34 +0100
Brian  wrote:

> On Thu 19 Oct 2017 at 11:07:01 -0400, Celejar wrote:
> 
> > On Thu, 19 Oct 2017 12:05:23 +0100
> > Brian  wrote:
> > 
> > > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> > 
> > ...
> > 
> > > > developers, etc., but why should I not be worried and upset about the
> > > > situation with my phone, printer, etc.?
> > > 
> > > Depends on the level of your concern. There are USB and ethernet
> > > connections to the printer. This might require physical relocation
> > > of the printer but it could be worth it to be worry-free. Or use a 
> > > Debian-based, wireless-enabled print server in close proximity to
> > > the printer.
> > 
> > Yes, what I'm probably going to do is use the printer's ethernet
> > connection along with a Powerline adapter into a nearby power outlet.
> 
> That's a good idea, but thinking on: there two ends to the connection,
> the printer and the sending device. Fixing printers is unlikely to be
> high on vendors' lists of priorities, but a fix is available when the
> sending device uses Debian. Isn't it sufficient to fix one end of the
> connection to dispose of the vulnerability?

As I understand it, when I print something from some device (say, my
Debian laptop), the device establishes a TCP/IP connection with the
printer to do the printing. In my (typical) setup, at the link level,
the device connects to the AP / switch / router wirelessly (via WPA2),
and so does the printer. Assuming the device and router are both
patched, the link between the device and the router is secure, but the
link between the router and printer is not, so any data I send between
the device and the printer will be secure as it traverses the first
link, but not the second. As I understand things, patching the router
doesn't really help secure the link between it and vulnerable devices
like the printer. Henrique recently noted that there is a setting
available on new OpenWRT and LEDE builds that can help, but it's
apparently not yet included in any release yet:

https://lists.debian.org/debian-user/2017/10/msg00593.html

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Oct 19, 2017 at 11:07:01AM -0400, Celejar wrote:
> On Thu, 19 Oct 2017 12:05:23 +0100
> Brian  wrote:
> 
> > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:

[...]

> Yes, what I'm probably going to do is use the printer's ethernet
> connection along with a Powerline adapter into a nearby power outlet.

And how secure are the powerline adapters? Most probably they're
broadcasting their stuff over your and your neighbour's AC net on
top of some unspecified proprietary modulation. Just sayin'...

;-)

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlnozbgACgkQBcgs9XrR2kbWgQCfQwm+ERBa9UL9HY38Z+YPuDOY
L9kAn3oJDwo3eNnFWZB2k3nA+skrytHm
=rld1
-END PGP SIGNATURE-

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Dan Purgert]

Brian wrote:
> [...]
> That's a good idea, but thinking on: there two ends to the connection,
> the printer and the sending device. Fixing printers is unlikely to be
> high on vendors' lists of priorities, but a fix is available when the
> sending device uses Debian. Isn't it sufficient to fix one end of the
> connection to dispose of the vulnerability?
>

KRACK is an attack against the *client* side.  It MUST (rfc2119) be that
device that is patched against the attack.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brian]

On Thu 19 Oct 2017 at 11:07:01 -0400, Celejar wrote:

> On Thu, 19 Oct 2017 12:05:23 +0100
> Brian  wrote:
> 
> > On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:
> 
> ...
> 
> > > developers, etc., but why should I not be worried and upset about the
> > > situation with my phone, printer, etc.?
> > 
> > Depends on the level of your concern. There are USB and ethernet
> > connections to the printer. This might require physical relocation
> > of the printer but it could be worth it to be worry-free. Or use a 
> > Debian-based, wireless-enabled print server in close proximity to
> > the printer.
> 
> Yes, what I'm probably going to do is use the printer's ethernet
> connection along with a Powerline adapter into a nearby power outlet.

That's a good idea, but thinking on: there two ends to the connection,
the printer and the sending device. Fixing printers is unlikely to be
high on vendors' lists of priorities, but a fix is available when the
sending device uses Debian. Isn't it sufficient to fix one end of the
connection to dispose of the vulnerability?

-- 
Brian.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Thu, 19 Oct 2017 12:05:23 +0100
Brian  wrote:

> On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:

...

> > developers, etc., but why should I not be worried and upset about the
> > situation with my phone, printer, etc.?
> 
> Depends on the level of your concern. There are USB and ethernet
> connections to the printer. This might require physical relocation
> of the printer but it could be worth it to be worry-free. Or use a 
> Debian-based, wireless-enabled print server in close proximity to
> the printer.

Yes, what I'm probably going to do is use the printer's ethernet
connection along with a Powerline adapter into a nearby power outlet.

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brian]

On Wed 18 Oct 2017 at 21:30:48 -0400, Celejar wrote:

> On Tue, 17 Oct 2017 19:20:08 +0100
> Brian  wrote:
> 
> > On Tue 17 Oct 2017 at 10:57:15 -0400, Celejar wrote:
> > 
> > > On Tue, 17 Oct 2017 08:43:00 +0530
> > > "tv.deb...@googlemail.com"  wrote:
> > > 
> > > > So using https or better for communications on the local network is a 
> > > > good idea, but is it the norm? Many router firmwares or built-in 
> > > > webservers from cameras to printers default to http, sometime don't 
> > > > even 
> > > > offer https as an option.
> > > 
> > > Yes, after I sent my mail I realized that my wirelessly networked
> > > printer is going to be a problem. Some printers apparently support
> > > access via SSL/TLS (IPPS), but it looks like mine (Brother
> > > HL-2280DW) does not. And what are the odds that Brother will do a
> > > firmware update to patch WPA for this some 6 years old model ;)
> > 
> > I, and you, probably, are not dealing with printing confidential
> > documents. Those entities which are should be more concerned.
> 
> I'm not? What happens when I need to print out some sort of financial
> statement?

Ok.

> > > > It's patched in most distributions, and in router firmwares like LEDE 
> > > > already, was patched in some BSD even before publication, but how long 
> > > > before we see a patches for all affected devices?
> > > 
> > > Never - for many / most Android devices, my printer (probably), etc.
> > 
> > A timely fix arrives in Debian. Users who update are once again safe.
> > What more could you ask for? What can you say apart from "thanks"?
> 
> ? Yes, my Debian installations are now safe, and I'm duly thankful to
> the Debian maintainers, the wpa_supplicant developers, the LEDE
> developers, etc., but why should I not be worried and upset about the
> situation with my phone, printer, etc.?

Depends on the level of your concern. There are USB and ethernet
connections to the printer. This might require physical relocation
of the printer but it could be worth it to be worry-free. Or use a 
Debian-based, wireless-enabled print server in close proximity to
the printer.

-- 
Brian.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Tue, 17 Oct 2017 19:20:08 +0100
Brian  wrote:

> On Tue 17 Oct 2017 at 10:57:15 -0400, Celejar wrote:
> 
> > On Tue, 17 Oct 2017 08:43:00 +0530
> > "tv.deb...@googlemail.com"  wrote:
> > 
> > > So using https or better for communications on the local network is a 
> > > good idea, but is it the norm? Many router firmwares or built-in 
> > > webservers from cameras to printers default to http, sometime don't even 
> > > offer https as an option.
> > 
> > Yes, after I sent my mail I realized that my wirelessly networked
> > printer is going to be a problem. Some printers apparently support
> > access via SSL/TLS (IPPS), but it looks like mine (Brother
> > HL-2280DW) does not. And what are the odds that Brother will do a
> > firmware update to patch WPA for this some 6 years old model ;)
> 
> I, and you, probably, are not dealing with printing confidential
> documents. Those entities which are should be more concerned.

I'm not? What happens when I need to print out some sort of financial
statement?

...

> > > It's patched in most distributions, and in router firmwares like LEDE 
> > > already, was patched in some BSD even before publication, but how long 
> > > before we see a patches for all affected devices?
> > 
> > Never - for many / most Android devices, my printer (probably), etc.
> 
> A timely fix arrives in Debian. Users who update are once again safe.
> What more could you ask for? What can you say apart from "thanks"?

? Yes, my Debian installations are now safe, and I'm duly thankful to
the Debian maintainers, the wpa_supplicant developers, the LEDE
developers, etc., but why should I not be worried and upset about the
situation with my phone, printer, etc.?

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tv.deb...@googlemail.com]

On 18/10/2017 19:03, Henrique de Moraes Holschuh wrote:

On Mon, Oct 16, 2017, at 14:49, Alexander V. Makartsev wrote:

That is one smoking fast update release. Demo works in perfect
environment, but I wonder if there are some settings on AP that help
to prevent successful

Yes, there is.  The AP may refuse to ever resent the third packet of the
4-way handshake if it is lost.  This causes slowdowns on association in
noisy/lossy environments, but safeguards the session key.
Newest openwrt and LEDE and hostapd/WPA git trees have a manual setting
that can do this.  It is not on any release yet,  but might be
available in nightly build images or the updated packages with the
wpa/hostapd binaries.

[...]

Hi,

17.01.4 just released [2] with fixed wpa and possibility to activate an 
AP side workaround. It is just a mitigation really, but should in 
practice impair an exploit. It is OFF by default.


Quote:

"an optional AP-side
workaround was introduced in hostapd to complicate these attacks,
slowing them down. Please note that this does not fully protect you from
them, especially when running older versions of wpa_supplicant
vulnerable to CVE-2017-13086, which the workaround does not address. As
this workaround can cause interoperability issues and reduced robustness
of key negotiation, this workaround is disabled by default."

Option in hostapd.sh [1] is:

wpa_disable_eapol_key_retries


[1] 
https://git.lede-project.org/?p=source.git;a=commitdiff;h=d501786ff25684208d22b7c93ce60c194327c771


[2] https://downloads.lede-project.org/releases/17.01.4/targets/

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Henrique de Moraes Holschuh]

On Mon, Oct 16, 2017, at 14:49, Alexander V. Makartsev wrote:
> That is one smoking fast update release. Demo works in perfect
> environment, but I wonder if there are some settings on AP that help
> to prevent successful
Yes, there is.  The AP may refuse to ever resent the third packet of the
4-way handshake if it is lost.  This causes slowdowns on association in
noisy/lossy environments, but safeguards the session key.
Newest openwrt and LEDE and hostapd/WPA git trees have a manual setting
that can do this.  It is not on any release yet,  but might be
available in nightly build images or the updated packages with the
wpa/hostapd binaries.
It obviously protects you only while connected to that AP. You still
want/need a device firmware update or to always use a VPN (or ssh or
https, etc) when using random APs out there...
--
  Henrique de Moraes Holschuh 

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brian]

On Tue 17 Oct 2017 at 10:57:15 -0400, Celejar wrote:

> On Tue, 17 Oct 2017 08:43:00 +0530
> "tv.deb...@googlemail.com"  wrote:
> 
> > So using https or better for communications on the local network is a 
> > good idea, but is it the norm? Many router firmwares or built-in 
> > webservers from cameras to printers default to http, sometime don't even 
> > offer https as an option.
> 
> Yes, after I sent my mail I realized that my wirelessly networked
> printer is going to be a problem. Some printers apparently support
> access via SSL/TLS (IPPS), but it looks like mine (Brother
> HL-2280DW) does not. And what are the odds that Brother will do a
> firmware update to patch WPA for this some 6 years old model ;)

I, and you, probably, are not dealing with printing confidential
documents. Those entities which are should be more concerned.

Remember, good though the research might be, there is as yet no
published POC and the ideas behind it do not appear particulary
easy to implement. I'm not expecting anyone with the necessary
equipment to be sitting in a car outside my house any time soon.
If I got concerned (and HP did nothing about it) I wonder whether
running arp would do anything to discover what is essentially a
MitM situation?

> > This isn't as bad as blueborne but it is nonetheless another of the most 
> > widely used wireless standard being broken in a short time.
> 
> Certainly.
> 
> > It's patched in most distributions, and in router firmwares like LEDE 
> > already, was patched in some BSD even before publication, but how long 
> > before we see a patches for all affected devices?
> 
> Never - for many / most Android devices, my printer (probably), etc.

A timely fix arrives in Debian. Users who update are once again safe.
What more could you ask for? What can you say apart from "thanks"?

-- 
Brian.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Larry Dighera]

On Mon, 16 Oct 2017 15:42:09 + (UTC), Curt  wrote:

>https://www.krackattacks.com/
>
> Our attack is especially catastrophic against version 2.4 and above of
> wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will
> install an all-zero encryption key instead of reinstalling the real key. 
>
>Uh-oh.

 Latest Intel drivers:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101=en-fr
for M.2 devices.

NetGear firmware updates:
https://kb.netgear.com/49498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Tue, 17 Oct 2017 08:43:00 +0530
"tv.deb...@googlemail.com"  wrote:

> On 17/10/2017 00:49, Celejar wrote:
> > On Mon, 16 Oct 2017 21:27:30 +0530
> > "tv.deb...@googlemail.com"  wrote:

...

> >> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
> >> wireless consumer electronic have it's base covered and ripe for 
> >> cracking...
> > 
> > It's crucial to understand that there's a huge difference in severity
> > between BlueBorne and and KRACK: the former "allows attackers to take
> > control of devices", and "does not require the targeted device to be
> > paired to the attacker’s device, or even to be set on discoverable
> > mode" (!) [https://www.armis.com/blueborne/], whereas the latter
> > 'simply' breaks WPA2, and can't really hurt you insofar as you're using
> > secure higher level protocols (ssh, SSL/TSL, HTTPS).
> > 
> > I don't mean to say that KRACK isn't nevertheless a huge problem,
> > but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
> > going to be catastrophic to anyone not treating WiFi as a really secure
> > protocol. E.g., on my home network, I do use WPA, but I still require
> > SSH and so on for internal communication between my local hosts.
> > 
> > Celejar
> > 
> 
> Agreed, my post was just a quick reaction to an 'OT' labeled thread, not 
> a lecture on the respective merits of those vulnerabilities, or an 
> attempt to spread F.U.D.. Sorry if it came out this way (not a native 
> speaker).

I actually do agree with what you wrote, I was just trying to add a bit
of detail.

> That being said, for a lot of the common use cases having an attacker 
> sit on the assumed-to-be secured wifi and able to intercept traffic for 
> days, weeks, months maybe since the patching will be as usual "patchy", 
> is bad enough. It is not the same as the "bombing the dhcp server and 

...

> So using https or better for communications on the local network is a 
> good idea, but is it the norm? Many router firmwares or built-in 
> webservers from cameras to printers default to http, sometime don't even 
> offer https as an option.

Yes, after I sent my mail I realized that my wirelessly networked
printer is going to be a problem. Some printers apparently support
access via SSL/TLS (IPPS), but it looks like mine (Brother
HL-2280DW) does not. And what are the odds that Brother will do a
firmware update to patch WPA for this some 6 years old model ;)

> This isn't as bad as blueborne but it is nonetheless another of the most 
> widely used wireless standard being broken in a short time.

Certainly.

> It's patched in most distributions, and in router firmwares like LEDE 
> already, was patched in some BSD even before publication, but how long 
> before we see a patches for all affected devices?

Never - for many / most Android devices, my printer (probably), etc.

> By the way, since we are security OT'ing, check your RSA keys if you 
> used Infineon products to generate it.[1]
> 
> [1] https://lwn.net/Articles/736520/rss

Yeah, just saw that on Ars this morning:

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

Another day, another critical vulnerability ...

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tv.deb...@googlemail.com]

On 17/10/2017 00:49, Celejar wrote:

On Mon, 16 Oct 2017 21:27:30 +0530
"tv.deb...@googlemail.com"  wrote:


On 16/10/2017 21:12, Curt wrote:

https://www.krackattacks.com/

   Our attack is especially catastrophic against version 2.4 and above of
   wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will
   install an all-zero encryption key instead of reinstalling the real key.

Uh-oh.



   It was addressed in Debian by DSA-3999-1 I think, but will probably
linger for a long time on routers, phones, appliances and IoT all over
the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
wireless consumer electronic have it's base covered and ripe for cracking...


It's crucial to understand that there's a huge difference in severity
between BlueBorne and and KRACK: the former "allows attackers to take
control of devices", and "does not require the targeted device to be
paired to the attacker’s device, or even to be set on discoverable
mode" (!) [https://www.armis.com/blueborne/], whereas the latter
'simply' breaks WPA2, and can't really hurt you insofar as you're using
secure higher level protocols (ssh, SSL/TSL, HTTPS).

I don't mean to say that KRACK isn't nevertheless a huge problem,
but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
going to be catastrophic to anyone not treating WiFi as a really secure
protocol. E.g., on my home network, I do use WPA, but I still require
SSH and so on for internal communication between my local hosts.

Celejar



Agreed, my post was just a quick reaction to an 'OT' labeled thread, not 
a lecture on the respective merits of those vulnerabilities, or an 
attempt to spread F.U.D.. Sorry if it came out this way (not a native 
speaker).


That being said, for a lot of the common use cases having an attacker 
sit on the assumed-to-be secured wifi and able to intercept traffic for 
days, weeks, months maybe since the patching will be as usual "patchy", 
is bad enough. It is not the same as the "bombing the dhcp server and 
throwing everyone off the wifi" prank. From the paper:


"We show that an attacker can force these nonce resets by collecting
and replaying retransmissions of message 3. By forcing nonce reuse
in this manner, the data-confidentiality protocol can be attacked,
e.g., packets can be replayed, decrypted, and/or forged. The same
technique is used to attack the group key, PeerKey, and fast BSS
transition handshake.
When the 4-way or fast BSS transition handshake is attacked,
the precise impact depends on the data-confidentiality protocol
being used. If CCMP is used, arbitrary packets can be decrypted.
In turn, this can be used to decrypt TCP SYN packets, and hijack
TCP connections. For example, an adversary can inject malicious
content into unencrypted HTTP connections. If TKIP or GCMP is
used, an adversary can both decrypt and inject arbitrary packets."

So using https or better for communications on the local network is a 
good idea, but is it the norm? Many router firmwares or built-in 
webservers from cameras to printers default to http, sometime don't even 
offer https as an option.


This isn't as bad as blueborne but it is nonetheless another of the most 
widely used wireless standard being broken in a short time.


It's patched in most distributions, and in router firmwares like LEDE 
already, was patched in some BSD even before publication, but how long 
before we see a patches for all affected devices?


By the way, since we are security OT'ing, check your RSA keys if you 
used Infineon products to generate it.[1]


[1] https://lwn.net/Articles/736520/rss

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Brian]

On Mon 16 Oct 2017 at 15:42:09 +, Curt wrote:

> https://www.krackattacks.com/
> 
>  Our attack is especially catastrophic against version 2.4 and above of
>  wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will
>  install an all-zero encryption key instead of reinstalling the real key. 
> 
> Uh-oh.

Not particularly off-topic but not particularly useful in itself
either. We suppose there is probably an intention to advise Debian
users on what to do about this and how to go about mitigating it.
That would be real, valuable information.

-- 
Brian.

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Celejar]

On Mon, 16 Oct 2017 21:27:30 +0530
"tv.deb...@googlemail.com"  wrote:

> On 16/10/2017 21:12, Curt wrote:
> > https://www.krackattacks.com/
> > 
> >   Our attack is especially catastrophic against version 2.4 and above of
> >   wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client 
> > will
> >   install an all-zero encryption key instead of reinstalling the real key.
> > 
> > Uh-oh.
> > 
> > 
>   It was addressed in Debian by DSA-3999-1 I think, but will probably 
> linger for a long time on routers, phones, appliances and IoT all over 
> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the 
> wireless consumer electronic have it's base covered and ripe for cracking...

It's crucial to understand that there's a huge difference in severity
between BlueBorne and and KRACK: the former "allows attackers to take
control of devices", and "does not require the targeted device to be
paired to the attacker’s device, or even to be set on discoverable
mode" (!) [https://www.armis.com/blueborne/], whereas the latter
'simply' breaks WPA2, and can't really hurt you insofar as you're using
secure higher level protocols (ssh, SSL/TSL, HTTPS).

I don't mean to say that KRACK isn't nevertheless a huge problem,
but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
going to be catastrophic to anyone not treating WiFi as a really secure
protocol. E.g., on my home network, I do use WPA, but I still require
SSH and so on for internal communication between my local hosts.

Celejar

Re: [OT] Breaking WPA2 by forcing nonce reuse

[Alexander V. Makartsev]

That is one smoking fast update release.
Demo works in perfect environment, but I wonder if there are some
settings on AP that help to prevent successful exploitation of this
vulnerability before(if ever) firmware updates are released by device
manufacturers.
Such as setting re-keying delay to one minute (it is usually 3600sec or
7200sec), so attacker will be forced to perform successful exploitation
every minute.
Or disabling SSID broadcasting and setting channel to fixed value on AP
and client, so this should prevent rogueAP from tricking client to
connect to it.
Also setting power of AP transmitter to the maximum should prevent
situation where client will talk to rogueAP or make it significantly
harder, because rogueAP have to be closer to client.
I'm waiting for PoC scripts release to test it all out.


On 16.10.2017 20:57, tv.deb...@googlemail.com wrote:
> On 16/10/2017 21:12, Curt wrote:
>> https://www.krackattacks.com/
>>
>>   Our attack is especially catastrophic against version 2.4 and above of
>>   wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the
>> client will
>>   install an all-zero encryption key instead of reinstalling the real
>> key.
>>
>> Uh-oh.
>>
>>
>  It was addressed in Debian by DSA-3999-1 I think, but will probably
> linger for a long time on routers, phones, appliances and IoT all over
> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
> wireless consumer electronic have it's base covered and ripe for
> cracking...
>

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄ 

Re: [OT] Breaking WPA2 by forcing nonce reuse

[tv.deb...@googlemail.com]

On 16/10/2017 21:12, Curt wrote:

https://www.krackattacks.com/

  Our attack is especially catastrophic against version 2.4 and above of
  wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will
  install an all-zero encryption key instead of reinstalling the real key.

Uh-oh.


 It was addressed in Debian by DSA-3999-1 I think, but will probably 
linger for a long time on routers, phones, appliances and IoT all over 
the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the 
wireless consumer electronic have it's base covered and ripe for cracking...