cancel
Showing results for 
Search instead for 
Did you mean: 
jake_d
Beginner
4,037 Views
Message 21 of 39

Re: WPA2 security flaw

Here's a list of router vendors that have already patched their hardware. I'm not sure who makes BT Home Hubs?

https://m.androidcentral.com/these-are-router-makers-have-patched-krack-wpa2-wi-fi-flaws
0 Ratings
Carlusha
Contributor
3,758 Views
Message 22 of 39

Re: WPA2 security flaw

This may help further discussion and allay some of our fears unless I am misunderstanding something.

 

Attacker must be within WiFi network range

 

The attack works only if the attacker is in the victim's WiFi network range, and is not something that could be carried out via the Internet.

 

HTTPS may also protect user traffic in some cases, as HTTPS uses its own separate encryption layer. Nonetheless, HTTPS is not 100% secure, as attacks exist that could downgrade the connection and grant the attacker access to HTTPS encrypted traffic 

 

The KRACK attack is universal and works against all type of devices connecting or using a WPA2 WiFi network. This includes Android, Linux, iOS, macOS, Windows, OpenBSD, and embedded and IoT devices.

 

The attack allows a third-party to eavesdrop on WPA2 traffic, but if the WiFi network is configured to use WPA-TKIP or GCMP encryption for the WPA2 encryption, then the attacker can also inject packets into a victim's data, forging web traffic.

 

https://www.bleepingcomputer.com/news/security/new-krack-attack-breaks-wpa2-wifi-protocol/

0 Ratings
casaschi
Contributor
3,664 Views
Message 23 of 39

Re: WPA2 security flaw


@Bill_Cumming wrote:

Patches take time to produce and test!

Windows and Linux systems already have a patch out. (Updated my Linux box a few hours ago)

Android and Apple devices will take a couple of weeks as well .

As for routers. Netgear have a patch for *some* of ther devices and others will be rolled out on the coming weeks. Other makers are somewhere between "got a patch about to roll out" and "well have one in a few weeks or so."

BT will have to wait to test any patch to make sure it does not cause more problems than it solves in their devices...


The security expert that found the vulnerability shared his findings several weeks ago, well in advance of the public announcement.

 

BT had all the time they needed to prepare a patch if they wanted; no excuse for ignoring the security risk, waking up last moment and suggesting they need time to fix their products.

 

Others vendors managed to be ready by the time of the public announcement, what's the excuse for BT lack of action?

0 Ratings
tyrez
Newbie
3,431 Views
Message 24 of 39

Re: WPA2 security flaw

There's a list of affected vendors here http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

 

From the dates given there the security researcher who found the vulnerability told the vendors about it on 28th August, closer to 2 months ago than 1 month. So plenty of time to produce a patch, as quite a few have. And certainly time to let customers know what the situation is. So why nothing fom BT?

 

 

0 Ratings
Bill_Cumming
Contributor
3,276 Views
Message 25 of 39

Re: WPA2 security flaw

ermmm.. did you read my post??

It's going to take ever the BIG players like Netgear, Google and Apple 2 weeks to fully push out a patch and you want BT to do it instantly??

They may have to go to the company that supplied the Firmware to produce and test a patch, then they have BT's own internal QA tests to make sure it complies to their quality control. That can't be done in a half-hour tea brake.
0 Ratings
tyrez
Newbie
3,261 Views
Message 26 of 39

Re: WPA2 security flaw

Did you read mine? How is having nearly two months notice to produce a patch having to produce it 'instantly'? We don't know if they even need to produce a patch. It would be nice to know one way or the other.

0 Ratings
Highlighted
Mr_L
Newbie
3,207 Views
Message 27 of 39

Re: WPA2 security flaw

I spoke to BT help desk, they told me that the hubs were auto updated with a fix. My hub says it's running "Software version 4.7.5.1.83.8.236.1.2 | Last updated 14/07/17" which doesn't fall in line with the engineers notifying companies 2 months ago.

 

The rep didn't have many details for me but I've asked them to comment in this thread and make users aware of major security fixes so we don't have to hear about such news from tech blogs first. Hopefully, they'll be able to share more information soon.

0 Ratings
fen93t
Newbie
3,171 Views
Message 28 of 39

Re: WPA2 security flaw

What about the smart hub?

 

Mine's

 

Firmware version:

SG4B1000B316

Firmware updated:

01-Aug-2017

0 Ratings
Jonkarra
Expert
3,100 Views
Message 29 of 39

Re: WPA2 security flaw

The BT hub like most home routers is based on linux underneath so the underlying linux tools will need to be updated, whoever does the firmware would then need to validate, integrate and test the update. All of that takes time. The problem as well is any patch will basically break the protocol specification and move the devices outside of the published protocol specification as knowing standards bodies it will take months to fix the protocol specification. 

 

Any patch will potentially impact interoperability of wireless networked devices, its far easier to test and roll out a patch to the client devices to work around this issue than to push out a fix for routers and wireless access points, as its far more likely old legacy client machines and IoT things will break that a semi modern WAP or router.

0 Ratings
R0B
Beginner
2,442 Views
Message 30 of 39

Re: WPA2 security flaw

For those on the forum who need a plain description of the WPA2 (krack) implications, this is a decent description.

 

https://techcrunch.com/2017/10/16/heres-what-you-can-do-to-protect-yourself-from-the-krack-wifi-vuln...

 

I have been in contact with BT and they say that they are working on a security fix to roll out to the home hubs.

 

They do not have an expected delivery date yet.

 

I've suggested that they shoud post something on here and email their customers.

 

The best advice I can find at the moment is to treat your home network as though it were a public Wi-Fi network.

 

If you hard wire to your home hub and disable Wi-Fi it would defeat the vulnerability - but your wireless devices won't work. So this isn't really practical.

 

Just hard wiring your PC to the hub doesn't really help much if any of the other Wi-Fi devices have already been compromised by malware (they would still see unencrypted traffic).

Using a HTTPS or a VPN is a good way to protect yourself, but that doesn't help protect against malware on devices like TV's and Set Top Boxes that can't run a VPN client.

 

Make sure that you only use apps downloaded from a reputable source. Keep your devices patched. Run a decent security package.

 

This is a very messy problem. It will take a while to go away.

 

 

0 Ratings