    [security][solved] KRACK: Breaking WPA2 by forcing nonce reuse

    • T
      Talkless last edited by Talkless

      OK so we potentially have a second (together with BlueBorne Bluetooth vuln.) security issue:
      https://www.krackattacks.com/

      We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.

      Android and Linux
      Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.

      So, is this relevant for Ubuntu Touch devices?

      • T
        Talkless last edited by

        apt-cache policy wpasupplicant shows that I have this on BQ E5 UBPorts OTA-2, so.. yeah.

        Debian just released a wpasupplicant update. Here's a patch example for 2.4:

        https://anonscm.debian.org/cgit/collab-maint/wpa.git/commit/?h=debian/2%2.4-1%2Bdeb9u1&id=45e13c4ee809e7c8ca7949a52ed7e5f79666112a

        • T
          Talkless last edited by

          Could UBPorts raise some few more hundred bucks to part-time-employ some security expert (maybe someone from Debian or Ubuntu security team would agree) for managing security hotfixes only?

          • L
            Leppa @Talkless last edited by

            @Talkless said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

            raise some few more hundred bucks

            I don't think they can just get money just like that.

            • T
              Talkless @Leppa last edited by

              @Leppa said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

              I don't think they can just get money just like that.

              Patreon has set "Goals", one of them could be better security support.

              • G
                guru @Talkless last edited by

                @Talkless said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

                apt-cache policy wpasupplicant shows that I have this on BQ E5 UBPorts OTA-2, so.. yeah.

                Debian just released wpasupplicant update. Here's patch example for 2.4:

                https://anonscm.debian.org/cgit/collab-maint/wpa.git/commit/?h=debian/2%2.4-1%2Bdeb9u1&id=45e13c4ee809e7c8ca7949a52ed7e5f79666112a

                Yep, but one cannot update this without mounting the device for write. Better is a correct OTA r3 from UBports and OTA-16 from Canonical too. They promised to fix for some time critical issues. This is one!

                matthias

                • T
                  Talkless @guru last edited by

                  @guru said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

                  They promised to fix for some time critical issues. This is one!

                  They promised to maintain security updates for a month or a few, it ended quite some time ago now.

                  @mariogrip Could you comment about this issue?

                  • G
                    guru @Talkless last edited by

                    Are there any plans for an OTA r3 to address this security issue?
                    Thanks, matthias

                    • T
                      Talkless last edited by

                      From Community Update 15:

                      People have been asking about the KRACK and BlueBorne vulnerabilities lately, and for good reason. These are highly public exploits. Both have been fixed in the RC and Devel channels, with the fixes landing in Stable with the next OTA.

                      Yay!

                      Marking this thread as solved.
