MorphZone

WPA2 security hole

Zylesea

# 1
Yokemate of Keyboards

Posts: 2053 from 2003/6/4

www.krackattacks.com
Probably MorphOS is also affected.
--
http://via.bckrs.de

Whenever you're sad just remember the world is 4.543 billion years old and you somehow managed to exist at the same time as David Bowie.
...and Matthias , my friend - RIP
»17.10.17 - 07:27

Andreas_Wolf

# 2
Yokemate of Keyboards

Posts: 12075 from 2003/5/22

From: Germany

> Probably MorphOS is also affected.

Indeed, as it uses wpa_supplicant.

From your link:

"Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant [...]. Here, the client will install an all-zero encryption key instead of reinstalling the real key. [...] This makes it trivial to intercept and manipulate traffic sent by these [...] devices."

I don't know which version of wpa_supplicant is used in MorphOS 3.9, though.
»17.10.17 - 10:12

cyfm

# 3
MorphOS Developer

Posts: 537 from 2003/4/11

From: Germany

wpa_supplicant 2.4 has been released in March 2015 and the code which WirelessManager is based on hasn't changed much since its original release in 2013, so feel free to do the math ... :)
If there is anything we can do/need to do about the issue, we will most likely include it in a future update.
»17.10.17 - 11:06

koszer

# 4
Paladin of the Pegasos

Posts: 1246 from 2004/2/8

From: Poland

Darn, even more delays...
»17.10.17 - 12:11

Andreas_Wolf

# 5
Yokemate of Keyboards

Posts: 12075 from 2003/5/22

From: Germany

> wpa_supplicant 2.4 has been released in March 2015 and the code which
> WirelessManager is based on hasn't changed much since its original
> release in 2013

So MorphOS only suffers from the "normal" KRACK vulnerability, not from the "especially catastrophic" one ;-)

> If there is anything we can do/need to do about the issue, we will most
> likely include it in a future update.

I suggest providing MorphOS 3.10 with WirelessManager based on wpa_supplicant 2.7, which should be imminent (or use 2.6 with the respective patches).

http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
http://lists.infradead.org/pipermail/hostap/2017-October/037989.html
»17.10.17 - 12:15

KennyR

# 6
Priest of the Order of the Butterfly

Posts: 872 from 2003/3/4

From: #AmigaZeux, Gu...

Chances are you're using a hardware router, and one where you're not going to get a firmware update, so you'll still be vulnerable even after MOS is patched.

Who'd have thought Laire's advice to 'buy a router' would have backfired after all this time? ;)
»17.10.17 - 21:41

Andreas_Wolf

# 7
Yokemate of Keyboards

Posts: 12075 from 2003/5/22

From: Germany

> Chances are you're using a hardware router

Yes, a WiFi one at that, else WPA2 wouldn‘t be needed, would it?

> and one where you're not going to get a firmware update,
> so you'll still be vulnerable even after MOS is patched.

MorphOS users can easily buy a new router, but can they stop using MorphOS and keep being MorphOS users?

> Who'd have thought Laire's advice to 'buy a router' would have backfired after all this time? ;)

He never said it would have to be a wireless one ;-)
»17.10.17 - 23:10

KennyR

# 8
Priest of the Order of the Butterfly

Posts: 872 from 2003/3/4

From: #AmigaZeux, Gu...

Quote:

Andreas_Wolf wrote:
> Chances are you're using a hardware router

Yes, a WiFi one at that, else WPA2 wouldn‘t be needed, would it?

Why - isn't it possible to use a computer directly connected to a modem as your router and use WPA2 to connect to that?
»18.10.17 - 00:59

Andreas_Wolf

# 9
Yokemate of Keyboards

Posts: 12075 from 2003/5/22

From: Germany

> Why - isn't it possible to use a computer directly connected to a modem as
> your router and use WPA2 to connect to that?

You're right, it is. I misread your post
»18.10.17 - 09:46

Tom4hawk

# 10
Just looking around

Posts: 4 from 2016/10/2

Quote:

KennyR wrote:
Chances are you're using a hardware router, and one where you're not going to get a firmware update, so you'll still be vulnerable even after MOS is patched.

No, it's mostly a WiFi client problem:

https://www.krackattacks.com/#faq
Relevant question:
"What if there are no security updates for my router?"

Answer:
Quote:

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

PowerBook5.5 G4 1500MHz|1.5GB DDR2|Radeon 9700 64MB|80GB Spinning Rust|MorphOS 3.9
»18.10.17 - 14:41

TheMagicM

# 11
Paladin of the Pegasos

Posts: 1217 from 2003/6/17

if your ap is running as a client in bridge mode, yes it is affected.
»19.10.17 - 17:31