[security][solved] KRACK: Breaking WPA2 by forcing nonce reuse

      Talkless
      last edited by Talkless 16 Oct 2017, 10:01

      OK so we potentially have a second (together with BlueBorne Bluetooth vuln.) security issue:
      https://www.krackattacks.com/

      We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.

      Android and Linux
      Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.

      So, is this relevant for Ubuntu Touch devices?

      Volla Phone X

        Talkless
        last edited by 16 Oct 2017, 10:59

        apt-cache policy wpasupplicant shows that I have this on BQ E5 UBPorts OTA-2, so.. yeah.

        Debian just released a wpasupplicant update. Here's a patch example for 2.4:

        https://anonscm.debian.org/cgit/collab-maint/wpa.git/commit/?h=debian/2%252.4-1%2Bdeb9u1&id=45e13c4ee809e7c8ca7949a52ed7e5f79666112a

        Volla Phone X

          Talkless
          last edited by 16 Oct 2017, 13:03

          Could UBPorts raise a few hundred more bucks to part-time-employ some security expert (maybe someone from the Debian or Ubuntu security team would agree) for managing security hotfixes only?

          Volla Phone X

            Leppa @Talkless
            last edited by 16 Oct 2017, 14:14

            @Talkless said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

            raise a few hundred more bucks

            I don't think they can just get money just like that.

            Everyone believes that their actions are better than the alternatives.

              Talkless @Leppa
              last edited by 16 Oct 2017, 16:36

              @Leppa said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

              I don't think they can just get money just like that.

              Patreon has set "Goals", one of them could be better security support.

              Volla Phone X

                guru @Talkless
                last edited by 18 Oct 2017, 14:38

                @Talkless said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

                apt-cache policy wpasupplicant shows that I have this on BQ E5 UBPorts OTA-2, so.. yeah.

                Debian just released a wpasupplicant update. Here's a patch example for 2.4:

                https://anonscm.debian.org/cgit/collab-maint/wpa.git/commit/?h=debian/2%252.4-1%2Bdeb9u1&id=45e13c4ee809e7c8ca7949a52ed7e5f79666112a

                Yep, but one cannot update this without mounting the device for writing. Better would be a correct OTA r3 from UBports, and OTA-16 from Canonical too. They promised to fix critical issues for some time. This is one!

                matthias

                  Talkless @guru
                  last edited by 18 Oct 2017, 15:27

                  @guru said in [security] KRACK: Breaking WPA2 by forcing nonce reuse:

                  They promised to fix critical issues for some time. This is one!

                  They promised to maintain security updates for a month or a few; it ended quite some time ago now.

                  @mariogrip Could you comment about this issue?

                  Volla Phone X

                    guru @Talkless
                    last edited by 24 Oct 2017, 10:05

                    Are there any plans for an OTA r3 to address this security issue?
                    Thanks, matthias

                      Talkless
                      last edited by 15 Nov 2017, 18:14

                      From Community Update 15:

                      People have been asking about the KRACK and BlueBorne vulnerabilities lately, and for good reason. These are highly public exploits. Both have been fixed in the RC and Devel channels, with the fixes landing in Stable with the next OTA.

                      Yay!

                      Marking this thread as solved.

                      Volla Phone X
