WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

[Fabio7891]

Hello to everybody !

I have heard about a new attack called: Krack, on all the available wifi WPA2 connections

You can see everything here: https://www.krackattacks.com/

Now should they develop a new standard of connection ?

[Edit by admin]: this issue is already fixed on all Linux Mint Mint versions. Jump to this post for the details: viewtopic.php?f=58&t=255516&p=1377453#p1377453

[karlchen]

<moderator on>
Moved this thread from Linux Mint "Main Edition - Newbie Questions" to "Open Chat", because
+ the alledged WPA2 breach is not a Linux Mint problem only
+ but a problem affecting any operating system which uses wireless connections, e.g. Linux, MacOS, Windows, Andoid, IOS
+ there is no better sub-forum to discuss the topic
</moderator off>

[greerd]

Another reason to use a VPN, especially when using a hot spot.

[rene]

Now should they develop a new standard of connection ?

Not necessarily/immediately. From the description:

When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.

This would be saying that software-fixes are possible in the sense of not allowing key re-installation. Certainly wrt. the specific mentioned Android/Linux extra vulnerability, by not allowing an all-zero key; this latter part will no doubt be the first fix/mitigation we see; completely disallowing reinstallation might be a higher impact issue.

But this is certainly a serious issue. Thanks for pointing it out.

[earthlingkc]

Is Mint patched for this?

[tovian]

Here's another article (from FORBES):

The researchers, who said the attack was particularly severe for Android and Linux users, showed how devastating an attack could be in the demonstration video

Read Entire Article

[rene]

Is Mint patched for this?

As far as I can see, not yet. The debian security advisory, http://seclists.org/bugtraq/2017/Oct/25, has a date of today (16-10-2017) and will given the amount of press this thing is generating very likely make it down to Ubuntu and then Mint within the day. But for now I believe you're vulnerable.

[merl1]

Here is a url explaining the patch that will be provided.
https://w1.fi/security/2017-1/wpa-packe ... ssages.txt

[earthlingkc]

Please post to this thread when confirmed that Mint is patched for this.

[NChewie]

very likely make it down to Ubuntu and then Mint within the day

Good.

I am willing to bet that there are few drive-by wifi hackers abroad in Ireland today

http://www.windy.com/?53.347,-6.244,5

[earthlingkc]

Some questions..

If the home router is patched are all unpatched WiFi devices connecting to it via WPA2 not vulnerable to this?
If say a WiFi printer isn't patched long term but the router is, can the printer data or connect password be monitored?

[rene]

If the home router is patched are all unpatched WiFi devices connecting to it via WPA2 not vulnerable to this?

They would still be vulnerable; this is a client-side issue; a (legitimate) router isn't in fact involved -- which is a blessing, since certainly many older and cheaper routers would not be getting updates.

It is explained at https://www.krackattacks.com/. The issue requires an untrustworthy Wi-Fi network (which may as in the supplied video be a cloned copy of a trustworthy one; i.e., not something you'd necessarily immediately notice) to replay a step of the WPA2 protocol handshake to the victim-client, causing it to re-install the encryption key for the connection. This is an important security issue on any platform but not yet (all of) the problem in itself; for details, read the bit directly under the "Practical impact" header. On Android and Linux the issue is however made worse by the possibility to trick clients to make that re-installed encryption key be an all-zero key; to effectively disable WPA2 encryption. To, hence, cause the connection to be easily monitored.

So, router no. A printer is a client and it's indeed conceivable someone could trick it onto an untrustworthy/cloned Wi-Fi network and monitor or forge its communication.

[xenopeek]

>> This issue is already fixed for all Linux Mint versions. <<

If you haven't yet applied all available security upgrades in Update Manager, do so now.

The affected packages are hostapd and wpasupplicant. Both come from the upstream package wpa so Update Manager conveniently shows you these as one upgrade under the name "wpa". But if you want to check your installed package versions, you need those first two package names. Mind that hostapd isn't installed by default so it may not be present on your system.

For Linux Mint 18.x you need version 2.4-0ubuntu6.2 or newer.
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.
For LMDE 2 you need version 2.3-1+deb8u5 or newer.

Ubuntu security notice for the WPA2 issue is found here: https://usn.ubuntu.com/usn/usn-3455-1/ (Linux Mint 18.x are based on Ubuntu 16.04 LTS and Linux Mint 17.x are based on Ubuntu 14.04 LTS). Debian security announcement for the WPA2 issue is found here: https://lists.debian.org/debian-securit ... 00261.html (LMDE 2 is based on Debian Jessie aka oldstable).

Most if not all major GNU/Linux distros have already fixed the WPA2 issue today. The real issue is with phones and tablets.

[MintBean]

Many thanks xenopeek for the timely heads-up.

[rene]

Yep. Just now came in for me through the update manager on Mint 17.3.

[mike acker]

since i put the update on my LMDE/2 system disconnects from the router every once in a while.

this is the original LMDE/2 Dist. only; the later re-issue of the .iso doesn't seem to be affected

[Tomgin5]

Xenopeek I saw the "WPA" installed yesterday morning on my 18.2 an hour or so after I heard about the bug on the news (TV).

[BigEasy]

It is good that issue already fixed on Mint. But it is far from the end of story - who and when will fix our WIFI routers?

[xenopeek]

Ideally, yes home routers are also patched, but the krackattacks folks had this to say about it:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

[BG405]

A printer is a client and it's indeed conceivable someone could trick it onto an untrustworthy/cloned Wi-Fi network and monitor or forge its communication.

This would surely cause the printer to disappear from the genuine network? It would at least, hopefully, be spotted by the users on that network. Hopefully, even if this results in login credentials being obtained from the printer, using MAC address filtering should be enough to prevent the average miscreant from accessing your home network.

A mate of mine recently had a printout which definitely didn't come from any of his (or my) devices .. photo of some lady he didn't recognize. I was there when it happened. One reason my printer is on ethernet but it IS accessible via the router using WiFi.