Mailinglist Archive: opensuse (783 mails)

Re: [opensuse] Fwd: Basically every WiFi device just hacked?
On 18/10/17 17:48, Tony Su wrote:
Greg,
I agree with most of what you wrote about possible attack scenarios,
but YMMV regarding broadcasting enough noise to disrupt a session and
cause a client to reconnect; that is generally possible only if you have a
powerful enough transmitter, and if that's the case then why bother
with these attacks? Just impersonate, capture passwords and be done
with it.

And, it does matter about when Users connect and relative to the
amount of traffic, so for instance when Users first connect it's true
that they're Tx and Rx those magic packets, but the next most likely
thing to happen is that those machines will be updating and checking
email... So although it's more likely that those packets will be
within a smaller time frame, the total traffic volume will also be
enormous.

The scenario posited on LWN was very simple, and does not need much by
way of powerful kit.

Most sessions nowadays are spread-spectrum. I'm not sure how it works,
but if you disrupt the connection open sequence, i.e. get the client
transmitting on one frequency and the router receiving on another, you
can MITM the conversation.

You then simply don't forward packet #3, forcing the client or router
(can't remember which) to retry.

This then causes the connection to reset with a nonce of 0, and a key of
0. Bingo - connection encryption now cracked, and the supposedly secure
connection is wide open.

That's the way these things always go - someone cocks up and the
resulting crack is pretty simple. Changing topic slightly - you're aware
somebody's found a bug in an RSA implementation such that any 4096-bit
keys from this generator can be brute-forced? Not sure how long it takes
but it's well within the ability of a determined attacker! As always, an
implementation cockup gives a back-door into the encryption.

Cheers,
Wol

I just posted an opinion on the openSUSE Forums, as I described only
an opinion, which of course can be subject to ridicule and disagreement:

https://forums.opensuse.org/showthread.php/527675-WPA2-situation?p=2842095#post2842095

As for DMARC, it's actually not more than SPF and TKIP which have been
around for ages plus applying policy. So, nothing revolutionary. And,
only addresses forging email domains. It won't do anything for you
regarding the overall possible phishing attacks and other ways of
implanting malware. If you're not already doing SPF and TKIP, then
it's a step forward but isn't a replacement for other methods like
blocklists, whitelisting and anti-spam.

IMO,
Tony

On Wed, Oct 18, 2017 at 6:38 AM, Wols Lists <antlists@xxxxxxxxxxxxxxx> wrote:
On 16/10/17 17:35, Tony Su wrote:
From the general description (I haven't been able to inspect a
detailed demo), it looks like a cousin to the Diffie-Hellman flaw
described last year.

If so,
- All encrypted traffic including SSL/TLS, SSH, VPNs, etc should be
protected despite the researchers' suggestion that <might> also be
vulnerable. And, all User activity that involves exchanging passwords
on websites, Financial/Banking, email and other activity are covered
here.

- The other stuff about capturing, replaying and injecting content or
even false network settings is a different consideration, but if this
is not much different than what has always been possible using
aircrack-ng against WEP or WPA1, then there are practical
considerations which can make this kind of attack difficult although
possible... like...

The attacker might have to capture gigabytes of data to obtain the few
packets which contain a WPA handshake. Low activity APs might be more
vulnerable than heavily used.

Once captured, the attacker has to crack the keys. Depending on
strength and available machine resources plus method of crack (are
rainbow tables available and used?), this might take a while.

LIKE A COUPLE OF NANOSECONDS?

Sorry for shouting, but the nature of the crack tricks wpa_supplicant
into using a key of 0x00.

Once cracked, the keys are usable for only as long as the original
User has not yet closed his wireless session. Once the User has
disconnected, then a new session and handshake has to be cracked.

So,
Unless you're supporting a high security wireless network, I don't
think that anyone should be pressing any emergency buttons, and if you
were supporting a high security network then I'd be questioning why
you even have WiFi, or are not deploying WiFi that automatically rotates
new keys every few minutes.

Yes you should be pressing security buttons. The key is absolutely no
protection at all!

Cheers,
Wol


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
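Wol's description of the attack boils down to the per-packet nonce (the CCMP packet number) being reset after the handshake message is replayed. A defender can watch for exactly that on the wire, because CCMP requires the packet number to only ever go up for a given transmitter and key. The following Python is an added example, not code from this thread or from wpa_supplicant; the Frame record, its field names and the sample MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    """Constructed, minimal view of one CCMP-protected data frame."""
    transmitter: str   # MAC address of the sending station
    key_id: int        # which pairwise key instance the frame was encrypted under
    pn: int            # 48-bit CCMP packet number, the nonce counter


def check_pn_monotonic(frames):
    """Return (frame_index, reason) for every frame whose packet number did not
    advance. A PN that repeats or drops back for the same transmitter and key
    (for example back to 1 after a key reinstallation) means the same nonce is
    being reused under the same key, which is what breaks the encryption."""
    highest_seen = {}   # (transmitter, key_id) -> highest PN accepted so far
    findings = []
    for index, frame in enumerate(frames):
        key = (frame.transmitter, frame.key_id)
        previous = highest_seen.get(key)
        if previous is not None and frame.pn <= previous:
            findings.append((index, f"PN {frame.pn} after {previous}"))
        else:
            highest_seen[key] = frame.pn   # only advance on a genuinely new PN
    return findings


# Constructed sample: one station whose counter restarts mid-session, and a
# second station behaving normally. key_id stays 0 because a reinstallation
# re-uses the same key, it does not negotiate a new one.
SAMPLE_FRAMES = [
    Frame("02:00:00:00:00:01", 0, 1),
    Frame("02:00:00:00:00:01", 0, 2),
    Frame("02:00:00:00:00:01", 0, 3),
    Frame("02:00:00:00:00:01", 0, 1),   # counter reset: nonce reuse
    Frame("02:00:00:00:00:01", 0, 2),   # still below the highest seen
    Frame("02:00:00:00:00:02", 0, 7),   # unrelated station, counter advancing
    Frame("02:00:00:00:00:02", 0, 8),
]

if __name__ == "__main__":
    for index, reason in check_pn_monotonic(SAMPLE_FRAMES):
        print(f"frame {index}: nonce reuse suspected ({reason})")
```

Feeding real captures into this check requires decoding the CCMP header of each data frame; the per-transmitter bookkeeping is the same.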