Distinguished Expert
Distinguished Expert
3,001 Views
Message 31 of 39

Re: WPA2 security flaw


@R0B wrote:

For those on the forum who need a plain description of the WPA2 (krack) implications, this is a decent description.

 

https://techcrunch.com/2017/10/16/heres-what-you-can-do-to-protect-yourself-from-the-krack-wifi-vuln...

 

I have been in contact with BT and they say that they are working on a security fix to roll out to the home hubs.

 

They do not have an expected delivery date yet.

 

I've suggested that they should post something on here and email their customers.

 

The best advice I can find at the moment is to treat your home network as though it were a public Wi-Fi network.

 

If you hard wire to your home hub and disable Wi-Fi it would defeat the vulnerability - but your wireless devices won't work. So this isn't really practical.

 

Just hard wiring your PC to the hub doesn't really help much if any of the other Wi-Fi devices have already been compromised by malware (they would still see unencrypted traffic).

Using HTTPS or a VPN is a good way to protect yourself, but that doesn't help protect against malware on devices like TVs and Set Top Boxes that can't run a VPN client.

 

Make sure that you only use apps downloaded from a reputable source. Keep your devices patched. Run a decent security package.

 

This is a very messy problem. It will take a while to go away.

 

 


There’s a generalised standard email coming through from a reputable internet security provider today.

It mirrors the content of your post exactly: stay alert, and use HTTPS websites, VPN, etc., etc.

No doubt BT’s McAfee version will be putting out the same message.

0 Ratings
smf22
Recognised Expert
2,982 Views
Message 32 of 39

Re: WPA2 security flaw

One thing that's not mentioned in this thread yet is that the attack is targeted at clients and not the WiFi Access Point that may be running in the BT Hubs. The following is by the researcher Mathy Vanhoef, who found the vulnerability, and is quoted from the Key Reinstallation Attacks web site:

 

"Q. What if there are no security updates for my router?

 

A. Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones."

 

 

tyrez
Newbie
2,926 Views
Message 33 of 39

Re: WPA2 security flaw

It may not be practical for some, but that's exactly what I've done, connect via ethernet to the HomeHub and turn the wireless connection off. I can live with that until I know the router is safe.

0 Ratings
R0B
Beginner
2,894 Views
Message 34 of 39

Re: WPA2 security flaw

Yes, agreed, good point. I think that this confuses a lot of people.

 

The flaw is inherent in the way that the WPA2 protocol was designed (if implemented correctly, the protocol is vulnerable).

 

Android 6 and later versions of Linux are particularly vulnerable because their implementation allows for an encryption key of all zeros to be used.

 

The attack vector is via the client, but the full fix is likely to require a backward compatible change to the WPA2 design and implementation. So every device is likely to require an update.

 

Hence, apply patches to ALL devices as soon as they become available.

 

0 Ratings
smf22
Recognised Expert
2,870 Views
Message 35 of 39

Re: WPA2 security flaw


@tyrez wrote:

It may not be practical for some, but that's exactly what I've done, connect via ethernet to the HomeHub and turn the wireless connection off. I can live with that until I know the router is safe.


@tyrez. Take a read of the Q&A from the researcher that I posted in message 32. The attack is against the client not the router that's acting as AP. It will make no difference what patch BT may or may not apply to the router, if you haven't patched your clients, then you'll still be vulnerable.

0 Ratings
tyrez
Newbie
2,848 Views
Message 36 of 39

Re: WPA2 security flaw

I've read the report on the researcher's krackattack.com website. He didn't categorically say the router didn't need updating.

 

He said

 

"Is my device vulnerable?

Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information."

 

and

 

"Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones."

 

So he does not say there is no problem with the router. BT wouldn't be preparing a patch if there wasn't a problem there.

 

The clients for Ubuntu (which I use) and Windows have reportedly already been patched.

0 Ratings
Moderator
Moderator
2,810 Views
Message 37 of 39

Re: WPA2 security flaw

Hi Everyone,

 

I appreciate the concerns highlighted here and beyond.  I just wanted to confirm that we’re aware of the issue relating to the security of the WPA2 protocol. We’re working with equipment suppliers and the wider industry as a matter of priority to fully assess the impact and update software as appropriate.

If I can share any further updates I will do so on this thread.

 

Cheers

Neil

Community Moderator NeilO
M3k0n
Beginner
2,383 Views
Message 38 of 39

Re: WPA2 security flaw

Just like to say thanks for the post Neil.

 

Pleased to hear BT are aware of the potential security issues and are actively looking into it.

 

Many thanks.

0 Ratings
Moderator
Moderator
1,414 Views
Message 39 of 39

Re: WPA2 security flaw

Hi everyone,

 

Thanks for your continued patience while we investigated this issue.  We’re working with industry to update software as appropriate. We can confirm that BT Home Hubs and BT Business Hubs aren’t at risk from this vulnerability and don’t need updating. 

 

However we recommend that customers update any devices they use with their BT Hubs, such as phones, laptops, tablets and computers as soon as updates are available, as those devices may be affected.

 

Cheers,

 

Robbie

Community Moderator RobbieMac