WPA2 security hole
  • Paladin of the Pegasos
    Zylesea
    Posts: 1800 from 2003/6/4
    www.krackattacks.com
    Probably MorphOS is also affected.
    --
    http://www.via-altera.de

    Whenever you're sad just remember the world is 4.543 billion years old and you somehow managed to exist at the same time as David Bowie.
  • »17.10.17 - 06:27
  • Yokemate of Keyboards
    Andreas_Wolf
    Posts: 9334 from 2003/5/22
    From: Germany
    > Probably MorphOS is also affected.

    Indeed, as it uses wpa_supplicant.

    From your link:

    "Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant [...]. Here, the client will install an all-zero encryption key instead of reinstalling the real key. [...] This makes it trivial to intercept and manipulate traffic sent by these [...] devices."

    I don't know which version of wpa_supplicant is used in MorphOS 3.9, though.
  • »17.10.17 - 09:12
  • MorphOS Developer
    cyfm
    Posts: 369 from 2003/4/11
    From: Germany
    wpa_supplicant 2.4 was released in March 2015 and the code which WirelessManager is based on hasn't changed much since its original release in 2013, so feel free to do the math ... :)
    If there is anything we can do/need to do about the issue, we will most likely include it in a future update.
  • »17.10.17 - 10:06
  • Priest of the Order of the Butterfly
    koszer
    Posts: 658 from 2004/2/8
    From: Poland
    Darn, even more delays...
  • »17.10.17 - 11:11
  • Order of the Butterfly
    KennyR
    Posts: 242 from 2003/3/4
    From: #AmigaZeux, Gu...
    Chances are you're using a hardware router, and one where you're not going to get a firmware update, so you'll still be vulnerable even after MOS is patched.

    Who'd have thought Laire's advice to 'buy a router' would have backfired after all this time? ;)
  • »17.10.17 - 20:41
  • Yokemate of Keyboards
    Andreas_Wolf
    Posts: 9334 from 2003/5/22
    From: Germany
    > Chances are you're using a hardware router

    Yes, a WiFi one at that, else WPA2 wouldn't be needed, would it?

    > and one where you're not going to get a firmware update,
    > so you'll still be vulnerable even after MOS is patched.

    MorphOS users can easily buy a new router, but can they stop using MorphOS and keep being MorphOS users?

    > Who'd have thought Laire's advice to 'buy a router' would have backfired after all this time? ;)

    He never said it would have to be a wireless one ;-)
  • »17.10.17 - 22:10
  • Order of the Butterfly
    KennyR
    Posts: 242 from 2003/3/4
    From: #AmigaZeux, Gu...
    Quote:

    Andreas_Wolf wrote:
    > Chances are you're using a hardware router

    Yes, a WiFi one at that, else WPA2 wouldn't be needed, would it?


    Why - isn't it possible to use a computer directly connected to a modem as your router and use WPA2 to connect to that?
  • »17.10.17 - 23:59
  • Yokemate of Keyboards
    Andreas_Wolf
    Posts: 9334 from 2003/5/22
    From: Germany
    > Why - isn't it possible to use a computer directly connected to a modem as
    > your router and use WPA2 to connect to that?

    You're right, it is. I misread your post.
  • »18.10.17 - 08:46
  • Just looking around
    Tom4hawk
    Posts: 4 from 2016/10/2
    Quote:

    KennyR wrote:
    Chances are you're using a hardware router, and one where you're not going to get a firmware update, so you'll still be vulnerable even after MOS is patched.


    No, it's mostly a WiFi client problem:

    https://www.krackattacks.com/#faq
    Relevant question:
    "What if there are no security updates for my router?"

    Answer:
    Quote:

    Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

    PowerBook5.5 G4 1500MHz|1.5GB DDR2|Radeon 9700 64MB|80GB Spinning Rust|MorphOS 3.9
  • »18.10.17 - 13:41
  • Paladin of the Pegasos
    TheMagicM
    Posts: 1105 from 2003/6/17
    If your AP is running as a client in bridge mode, yes, it is affected.
  • »19.10.17 - 16:31