geffers
Posts: 289
Joined: Sun Jun 24, 2012 6:25 am
Location: UK
Contact: Website

PiVPN and WPA Vulnerability

Sun Oct 22, 2017 5:58 pm

The recent scare concerning KRACK and WPA2 seems now to be a very good reason to use the PiVPN setup.

Whilst I think this vulnerability has been over hyped it is nevertheless a security problem which, to the best of my knowledge can be nullified by using a VPN service.

Reason I say over hyped is because this has gone unnoticed for over 10 years and now if you read many of the posts it is being recommended to switch off wifi when not being used and use ethernet where possible.

I have a dedicated R-Pi running PiVPN, good job for a Pi 1 or Pi 2 if you have one laying around.

Installation script at http://www.pivpn.io/ although I downloaded the script to check first which is easy enough.

geffers

broe23
Posts: 823
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 6:47 pm

Everyone is overhyping this Man in the Middle. Those who get scared every time one of these flaws is announced, just helps to make it less congested on the Internet. Linux based OS's are protected from this man in the middle, because of the fact that the fixes roll out faster than Microsoft can do it for their OS's. Run at WPA2/PSK AES for WIFI.
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

bensimmo
Posts: 1914
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 6:56 pm

It not Linux or Windows or iOS that are the problem. They'll be fixed.
It's Android. Chances are they won't.

Either way, less likely to happen than somebody just connecting to an open WiFi anyway.

broe23
Posts: 823
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 7:19 pm

bensimmo wrote:
Sun Oct 22, 2017 6:56 pm
It not Linux or Windows or iOS that are the problem. They'll be fixed.
It's Android. Chances are they won't.

Either way, less likely to happen than somebody just connecting to an open WiFi anyway.
Google already issued the fixes for Android. Those who root or jailbreak their devices, are always going to be the most vulnerable. Those tablets and phones that will not get Oreo, will continue to get security patches. Same with those iOS devices that will not get 11, will still get issued the patches. Connecting to Open wifi is going to get you into trouble and easy to be hacked.
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

User avatar
HawaiianPi
Posts: 1404
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 7:26 pm

bensimmo wrote:
Sun Oct 22, 2017 6:56 pm
It not Linux or Windows or iOS that are the problem. They'll be fixed.
It's Android. Chances are they won't.

Either way, less likely to happen than somebody just connecting to an open WiFi anyway.
Actually, it's routers that need to be fixed, and that won't happen for older models or no-name brands.

Google will release a fix, but it will almost certainly only be for the most recent 2-3 versions of Android. Anyone with a phone on an older version will not get as official patch, but rooted devices might get a patch that could be installed with something like Xposed framework, or you could look for a custom ROM that's been patched.
My password is the last 8 digits of Pi.

geffers
Posts: 289
Joined: Sun Jun 24, 2012 6:25 am
Location: UK
Contact: Website

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 8:40 pm

Appreciate it is mainly Android phones the problem and easy to use OpenVPN on them.

I've got an Android phone and tablet, both running Kit-Kat 4.4 and not sure if they'll get an update.

Reluctant to update firmware as my tablet was virtually unusable when I upgraded from kit-kat to lollipop, re-imaged back to kit-kat and was then fine.

Geffers

broe23
Posts: 823
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: PiVPN and WPA Vulnerability

Sun Oct 22, 2017 9:02 pm

Security Updates now get pushed through the Google Play store, not as a full Firmware update. As for unstable, if you are doing something different than most or running older apps, yes you can see items crash. That can happen with any OS, especially poorly written third party apps.
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

bensimmo
Posts: 1914
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: PiVPN and WPA Vulnerability

Mon Oct 23, 2017 9:33 am

broe23 wrote:
Sun Oct 22, 2017 9:02 pm
Security Updates now get pushed through the Google Play store, not as a full Firmware update. As for unstable, if you are doing something different than most or running older apps, yes you can see items crash. That can happen with any OS, especially poorly written third party apps.
Really? none of mine have had any security patches for a long time. Vendors don't give two hoots either.
Huawei don't care Android 6, 2016/17 phone sat at June 2016 security)
Tesco long since defunct, no update from Google on Android 5
Toshiba abandon everything shortly after thier last product. (Android 4.3)
Even Nexus are long since abandoned and don't I remember any security updates, so I had to DIY that.
And Moto Gs/Es is all but given up anything not new now they are Lenovo. These do get security updates if a year ish old. G3 AND C plus. Well 1st Jan 2017 for the G3 an Dan E on march 2016
And they are some of the larger brands.

So don't tell me Google update them!
Android is a bad in fact absolutely shite ecosystem for updates to the OS.

They have however just started sorting their store security out, how well I don't know.
Last edited by bensimmo on Mon Oct 23, 2017 8:02 pm, edited 2 times in total.

bensimmo
Posts: 1914
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: PiVPN and WPA Vulnerability

Mon Oct 23, 2017 9:38 am

Actually, it's routers that need to be fixed, and that won't happen for older models or no-name brands.
That's interesting, as the bits I read says it the clients since they are the ones that are fooled, or repeaters.
Not a router as they are not clients.
Also it's more an enterprise multi AP problem?


Either way, connecting to random wi-fi has more dangers still?

RichardRussell
Posts: 140
Joined: Thu Jun 21, 2012 10:48 am

Re: PiVPN and WPA Vulnerability

Mon Oct 23, 2017 9:50 am

bensimmo wrote:
Mon Oct 23, 2017 9:38 am
the bits I read says it the clients since they are the ones that are fooled, or repeaters. Not a router as they are not clients.
That's exactly what my ISP (Zen) has told me. Routers are not affected, unless they implement 802.11r ('fast roaming') which is very unusual. My router is too old to receive updates, but they assure me that it has no vulnerability to the 'krack' WPA2 exploit. As you say, it's clients that may need to be patched.

Massi
Posts: 1637
Joined: Fri May 02, 2014 1:52 pm
Location: Italy

Re: PiVPN and WPA Vulnerability

Mon Oct 23, 2017 10:12 am

RichardRussell wrote:
Mon Oct 23, 2017 9:50 am
bensimmo wrote:
Mon Oct 23, 2017 9:38 am
the bits I read says it the clients since they are the ones that are fooled, or repeaters. Not a router as they are not clients.
That's exactly what my ISP (Zen) has told me. Routers are not affected, unless they implement 802.11r ('fast roaming') which is very unusual. My router is too old to receive updates, but they assure me that it has no vulnerability to the 'krack' WPA2 exploit. As you say, it's clients that may need to be patched.
Routers are affected when they act as clients.

BUT

there is a possibility to secure the whole network patching the only router.
And this is drammatically useful for:
- enterprises
- network with android devices
- network with old devices

ref: https://w1.fi/cgit/hostap/commit/?id=6f ... 45ed8e52d3

I'm not able (by far) to say if this is gonna work or not, but it seems reasonable :)
This is already available on recent dd-wrt releases (and i'm quite sure also openwrt has this)

Return to “Off topic discussion”

Who is online

Users browsing this forum: jcyr, user879 and 16 guests