Alleged 'KRACK Attack' vulnerability threatens to lay bare Wi-Fi WPA-2 security


Comments

  • Reply 21 of 29
    gatorguy (Posts: 24,213, member)
    Soli said:
    gatorguy said:
    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    Do you think they'll be in a tertiary point update or be part of a future rollout, as developers do have new betas today? While the breach in security is large, the risk to individuals seems pretty small. Hell, I assume most users aren't even using a VPN when connecting to open WiFi networks, which could be more problematic for packet sniffing than someone writing SW and going to a location to get access to a network within the next couple weeks.
    My personal guess is that both companies have already patched but done so under the radar. But that's just a guess.

    EDIT: I see now that Apple has reportedly (though not officially) taken care of this via some previous point updates for most of their hardware, doing so "under the radar" as I suspected. The Airport family seems to be an exception for whatever reason, not that it's probably that big a deal. Only one side needs to be patched (user device or router, for instance, either or) for the exploit to fail. No word if Google has included a fix in their next (or previous) monthly security update or not. The only thing Google has factually stated is that potentially-exploitable devices will be patched over the next few weeks. We shall see.

    edited October 2017 Soli
  • Reply 22 of 29
    tzm41 (Posts: 95, member)
    gatorguy said:
    tzm41 said:
    Not sure why Apple hasn't fixed it. Didn't the author release to CERT, and then CERT broadcast to major vendors in August?
    Yes they did, but typically fixes aren't publicly rolled out until the exploit embargo is lifted. That happened today. The reasoning is that publishing fixes alerts ne'er-do-wells to the flaw, who then rush to figure out how the ploy works and take advantage of platforms/devices not yet patched by other companies. In this particular instance one developer DID jump the gun (BSD), which endangers everyone. Why did he do that? Because he thought it was silly to hold off publishing his "fix" until today. Now I'm sure he understands the reason why exploits are embargoed.

    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    I get a part of it, but unlike BSD, Apple iOS and macOS are not open source, and therefore would not expose direct detail on the exploit. Also, Apple can't be sure that there isn't any rogue player out there who discovered this independently of this researcher and is already making use of the vulnerability.
  • Reply 23 of 29
    Mike Wuerthele (Posts: 6,861, administrator)
    Soli said:
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have its own separate wireless router. Instead, the entire building could be one super-powered network.

    When you're being chased by a bear, you don't have to be the fastest. You just shouldn't be the slowest.
    That scenario assumes one bear. In this scenario there could be more hungry bears than there are people.
    Could be. As long as (Bears) <= [(Number of people) - 2], though, this still applies and won't hurt you.
  • Reply 24 of 29
    nht (Posts: 4,522, member)
    gatorguy said:
    tzm41 said:
    Not sure why Apple hasn't fixed it. Didn't the author release to CERT, and then CERT broadcast to major vendors in August?
    Yes they did, but typically fixes aren't publicly rolled out until the exploit embargo is lifted. That happened today. The reasoning is that publishing fixes alerts ne'er-do-wells to the flaw, who then rush to figure out how the ploy works and take advantage of platforms/devices not yet patched by other companies. In this particular instance one developer DID jump the gun (BSD), which endangers everyone. Why did he do that? Because he thought it was silly to hold off publishing his "fix" until today. Now I'm sure he understands the reason why exploits are embargoed.

    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    Theo is well aware why there are embargoes. He's just a bit of an ass.
  • Reply 25 of 29
    chasm (Posts: 3,294, member)
    Maciekskontakt: ooh you knocked down that imaginary straw man you built so good!
  • Reply 26 of 29
    I'm woefully uninformed on the field of wireless security protocols. Is there a planned or working group successor to WPA in the works yet? If not, I'd guess this attack pushes up its development a bit.
  • Reply 27 of 29
    Consumer-grade Wireless Routers (e.g. Asus, D-Link, LinkSys, NetGear) are at the most risk, esp. older models since manufacturers tend to stop any development/update after 2 years of its availability. And there are thousands of these devices out in the open...
  • Reply 28 of 29
    cgWerks (Posts: 2,952, member)
    Given the way they work, I imagine VPNs render the attacks useless as well.
    Yes, but by the time you get the VPN turned on, your device has probably communicated with all sorts of services.

    gatorguy said:
    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    The problem is more that on things like routers, even if a patch is released, it won't be widely installed.

    appex said:
    Nothing like a wired connection. Whenever possible, of course.
    Yea, I'm glad Apple is doing such a great job of promoting wired connections.... doh! So, Bluetooth and now this, just as Apple is probably considering eliminating every last port so wireless is the only option.

  • Reply 29 of 29
    Marvin (Posts: 15,322, moderator)
    I'm woefully uninformed on the field of wireless security protocols. Is there a planned or working group successor to WPA in the works yet? If not, I'd guess this attack pushes up its development a bit.
    It's mainly the implementation that's flawed in allowing reinstalling the keys. Once a wireless connection is established, nothing should be allowed to reset it. The protocol doesn't prevent this so there might be a new version but I'd expect just an amendment like WPA2.1. The implementation patches will fix it using the same WPA2 protocol.

    Attackers are able to intercept some SSL traffic so I imagine the fixes will be made available quickly but I doubt people will update their routers quickly. What's needed is end-to-end encryption and it shouldn't rely on servers supporting HTTPS. Trust and encryption can be separate. Every digital connection that is made should be encrypted and it's done very easily. If the clients and servers both have asymmetric keys, when they first connect, all communication can only be decrypted by each end, there would be no decoder keys sent between them.

    This should be used for email. There are providers that did this but they used the asymmetric keys between the server and client ( https://en.wikipedia.org/wiki/Lavabit ). This meant that the government could demand the private key from the server, which they tried to hand over in small printed text. This compromises every user. It ought to be done end-to-end (like Apple with Messages) so the email sender gives the public key to the email recipient and nothing in between can decode the messages. This does mean the server can't check the content for spam (just the source) or allow email search on the server and multiple email clients would need synced keys but this is all trivial now. The device encryption needs to be on top of this to prevent people seeing where the packets are going.

    I don't expect there will be many exploits of this due to the wifi range, timing, potential targets and technical knowhow required. Maybe higher profile targets like businesses but it still requires logging data for a long time and decoding everything to find something important. The following video around 3:20 shows the kind of output:

    It's a long stream of network messages including email and app connections firing at the same time. A search would help narrow them down to passwords but it would take a while and they'd have to enter the password while you were logging. This is also why we shouldn't use passwords any more because they are fixed and transmitted keys too, which can be intercepted.
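Marvin's point that the flaw is in the implementation (a client must not reinstall an already-installed key and reset its packet counter when handshake message 3 is retransmitted) in a toy Python model. This is an added example, not code from the thread or from any vendor's Wi-Fi stack; the Supplicant class, its fields and the run() driver are assumptions for illustration.

```python
# Toy model of how a WPA2 client handles 4-way handshake message 3.
# Assumed names/structure for illustration; not any real supplicant's code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    """Minimal pairwise-key (PTK) state a client keeps after the handshake."""
    reinstall_allowed: bool                 # True models the pre-patch behaviour
    installed_ptk: Optional[bytes] = None
    tx_nonce: int = 0                       # packet number used in each frame's nonce
    nonces_used: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        """Message 3 confirms the PTK. Pre-patch: every (re)transmitted message 3
        installs the key again and resets the packet number to zero.
        Patched: a PTK that is already installed is not installed again, so the
        packet number keeps counting and no nonce is ever repeated."""
        if self.installed_ptk == ptk and not self.reinstall_allowed:
            return                          # already installed: do not reset the nonce
        self.installed_ptk = ptk
        self.tx_nonce = 0

    def send(self, payload: bytes) -> Tuple[bytes, int]:
        """Return the (key, nonce) pair a frame would be encrypted under and record it."""
        self.tx_nonce += 1
        pair = (self.installed_ptk, self.tx_nonce)
        self.nonces_used.append(pair)
        return pair


def nonce_reuse_count(s: Supplicant) -> int:
    """Number of (key, nonce) pairs used more than once. Anything above zero
    means keystream was repeated, which is exactly what the attack relies on."""
    return len(s.nonces_used) - len(set(s.nonces_used))


def run(reinstall_allowed: bool) -> int:
    """Drive one handshake, two frames, a retransmitted message 3, two more frames."""
    s = Supplicant(reinstall_allowed)
    ptk = b"\x11" * 16                      # constructed sample key
    s.on_message3(ptk)
    s.send(b"frame-1"); s.send(b"frame-2")
    s.on_message3(ptk)                      # AP retransmits message 3 (missed message 4)
    s.send(b"frame-3"); s.send(b"frame-4")
    return nonce_reuse_count(s)             # pre-patch: 2, patched: 0
```

The detection side is the same counter: a client (or a monitoring tool watching a test network) that sees a packet number go backwards under an unchanged key has observed a reinstallation.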