stijn.ghesquiere
Posts: 26
Joined: Sat May 19, 2012 9:44 pm

KRACK Key Reinstallation Attacks raspbian patch?

Mon Oct 16, 2017 5:05 pm

Is Raspbian already patchable for this serious WIFI attack?

https://www.krackattacks.com/

Heater
Posts: 15974
Joined: Tue Jul 17, 2012 3:02 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Mon Oct 16, 2017 5:16 pm

I'm sure an up date is working it's though the system to fix this on the Pi soon enough.
Memory in C++ is a leaky abstraction .

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Mon Oct 16, 2017 9:53 pm

The issue was patched in Debian, so Raspbian Jessie/Stretch should be fine as long as your system is up to date.

Code: Select all

sudo apt-get update && sudo apt-get dist-upgrade -y
Microsoft also issued a patch on October 10th, in case anyone is worried about their Windows 10 system.

You'll need to check with your router maker for a firmware patch.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

ejolson
Posts: 5398
Joined: Tue Mar 18, 2014 11:47 am

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 3:56 am

I didn't see the Debian security update in Raspbian 10 hours ago, but it seems to be there now. The usual "apt-get update; and apt-get upgrade" as mentioned above should install the patches. Whether there will be more updates needed is yet to be seen.

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 5:03 am

ejolson wrote:
Tue Oct 17, 2017 3:56 am
... Whether there will be more updates needed is yet to be seen.
Well, routers need to be patched as well, and that probably won't happen for older models and cheap no-name brands. I have a service ticket open with Asus to see if/when they will release an update for mine (or if they already have, there was a patch in June that covered multiple security issues).

In the meantime I now have both WiFi and Bluetooth turned off in my phone because I'm still waiting for the Bluetooth fix, and now this. Fortunately I have unlimited data on my plan, so it shouldn't be a problem (and only a minor annoyance to turn BT on while I'm driving).

But my Linux (including Raspbian) and Windows computers, at least, have been patched.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

mikerr
Posts: 2827
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 8:53 am

Raspbian Jessie and Stretch are patched now

https://raspberrypi.stackexchange.com/q ... 3880#73880

Not wheezy though ?

As for routers, mikrotik were quick and already patched:

https://forum.mikrotik.com/viewtopic.php?t=126695
Android app - Raspi Card Imager - download and image SD cards - No PC required !

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 26673
Joined: Sat Jul 30, 2011 7:41 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 9:42 am

HawaiianPi wrote:
Tue Oct 17, 2017 5:03 am
ejolson wrote:
Tue Oct 17, 2017 3:56 am
... Whether there will be more updates needed is yet to be seen.
Well, routers need to be patched as well, and that probably won't happen for older models and cheap no-name brands. I have a service ticket open with Asus to see if/when they will release an update for mine (or if they already have, there was a patch in June that covered multiple security issues).

In the meantime I now have both WiFi and Bluetooth turned off in my phone because I'm still waiting for the Bluetooth fix, and now this. Fortunately I have unlimited data on my plan, so it shouldn't be a problem (and only a minor annoyance to turn BT on while I'm driving).

But my Linux (including Raspbian) and Windows computers, at least, have been patched.
Issue first raised in July, so I doubt your router is patched. Or indeed, will ever be patched, if I were being particularly cynical.

Worth nothing that there are no known actual exploits of this security hole, and the BT one is very unlikely to be an issue for you. But keep Wifi/BT off if you think you will be any safer than you were before...
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

Heater
Posts: 15974
Joined: Tue Jul 17, 2012 3:02 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 10:09 am

jamesh,
Worth nothing that there are no known actual exploits of this security hole,
Apart from the ones described in the article linked to and demonstrated in the video shown there.
Memory in C++ is a leaky abstraction .

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 10:17 am

jamesh wrote:
Tue Oct 17, 2017 9:42 am
Issue first raised in July, so I doubt your router is patched. Or indeed, will ever be patched, if I were being particularly cynical...
I thought I had read the the issue first became know in June, but I just double checked and you were correct about July. However, Asus has been very good about keeping my router up to date. I have received several firmware updates to improve the router's function and security (the most recent being this past June), so I would be very surprised if they are not working on an update for this.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 26673
Joined: Sat Jul 30, 2011 7:41 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 10:18 am

http://www.theregister.co.uk/2017/10/17 ... n_patches/

From the article
No doubt we're going to see KRACK used in anger, but honestly it'll take a while. There's no easy-to-use exploit code out there, yet – in fact, there's no practical exploit code at all – but it will come, and even when it does the world won't end.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

Heater
Posts: 15974
Joined: Tue Jul 17, 2012 3:02 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Tue Oct 17, 2017 10:27 am

That is very true. But judging by the video demo it looks easy enough to do manually. Surely such a thing can be scripted soon enough?

I do agree though. The world will not end when that happens.
Memory in C++ is a leaky abstraction .

Massi
Posts: 1691
Joined: Fri May 02, 2014 1:52 pm
Location: Italy

Re: KRACK Key Reinstallation Attacks raspbian patch?

Wed Oct 18, 2017 6:51 pm

just patched my bounch of PIs and my ddwrt router
big question: since this is based on the 4 ways handshake, is there any possibility that a patched router could protect the whole network?
i have a couple of old sourveillance cam that are not gonna be updated..

Heater
Posts: 15974
Joined: Tue Jul 17, 2012 3:02 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Wed Oct 18, 2017 7:11 pm

I think you are screwed.

My understanding of the attack is that the attacker can dupe the WIFI client into reconnecting to the attackers clone of an access point. After which all the hanky panky with hand shake does on.

My conclusion is that fixing your actual access point does not help. Your client, the camera, is still duped.

Anyway, if you have an old surveillance that is accessible from the internet it has probably been part of a bot net for ages already!

https://krebsonsecurity.com/2016/10/hac ... et-outage/
Memory in C++ is a leaky abstraction .

Massi
Posts: 1691
Joined: Fri May 02, 2014 1:52 pm
Location: Italy

Re: KRACK Key Reinstallation Attacks raspbian patch?

Wed Oct 18, 2017 7:52 pm

Heater wrote:
Wed Oct 18, 2017 7:11 pm
Anyway, if you have an old surveillance that is accessible from the internet it has probably been part of a bot net for ages already!

https://krebsonsecurity.com/2016/10/hac ... et-outage/
ahaha :)
well, this seems not the case.
I also try to access it via internet only through a reverse proxy and https, i can't do much more than this :)

well, at least i live at the highest floor of the building, i should worry of not many guys :)

Massi
Posts: 1691
Joined: Fri May 02, 2014 1:52 pm
Location: Italy

Re: KRACK Key Reinstallation Attacks raspbian patch?

Thu Oct 19, 2017 5:45 am

just for reference, dd-wrt developers are talking about a possibility to fix the issue router side. This would be a great thing not only for my case, but also for enterprises..

Massi
Posts: 1691
Joined: Fri May 02, 2014 1:52 pm
Location: Italy

Re: KRACK Key Reinstallation Attacks raspbian patch?

Thu Oct 19, 2017 9:33 am

Massi wrote:
Thu Oct 19, 2017 5:45 am
just for reference, dd-wrt developers are talking about a possibility to fix the issue router side. This would be a great thing not only for my case, but also for enterprises..
here it is..
https://w1.fi/cgit/hostap/commit/?id=6f ... 45ed8e52d3

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Thu Nov 02, 2017 11:05 pm

Yay, finally got my router firmware patch for KRACK (and several other issues). Asus was a little slow, but it's nice to still have support, especially when you consider my router is several years old. So if you've got an Asus router, check for a firmware update (actually, check no matter what brand router you have).

With Debian/Raspbian and Windows 10 patched that just leaves my phone (all my other devices run a recent Debian based Linux or Windows 10). Google supposedly has a fix in their November security patch, but who knows how long that'll take to trickle down through device maker and carrier approvals (my TMo Note 4 running Android 6.0.1 is currently on the August 1, 2017 security patch).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Fri Nov 03, 2017 9:02 am

jamesh wrote:
Tue Oct 17, 2017 9:42 am
HawaiianPi wrote:
Tue Oct 17, 2017 5:03 am
ejolson wrote:
Tue Oct 17, 2017 3:56 am
... Whether there will be more updates needed is yet to be seen.
Well, routers need to be patched as well, and that probably won't happen for older models and cheap no-name brands. I have a service ticket open with Asus to see if/when they will release an update for mine (or if they already have, there was a patch in June that covered multiple security issues).

In the meantime I now have both WiFi and Bluetooth turned off in my phone because I'm still waiting for the Bluetooth fix, and now this. Fortunately I have unlimited data on my plan, so it shouldn't be a problem (and only a minor annoyance to turn BT on while I'm driving).

But my Linux (including Raspbian) and Windows computers, at least, have been patched.
Issue first raised in July, so I doubt your router is patched. Or indeed, will ever be patched, if I were being particularly cynical.

Worth nothing that there are no known actual exploits of this security hole, and the BT one is very unlikely to be an issue for you. But keep Wifi/BT off if you think you will be any safer than you were before...
A lot of Gateways and Access Points will not see a patch, since there are a lot of chips out there that are not vulnerable to this attack. The first thing that was issued was that users are now supposed to be using AES encryption for WPA/WPA2. My Engenius A/P is not vulnerable, due to it is using a chip that is not vulnerable to the Man in the Middle flaw.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Fri Nov 03, 2017 9:04 am

HawaiianPi wrote:
Thu Nov 02, 2017 11:05 pm
Yay, finally got my router firmware patch for KRACK (and several other issues). Asus was a little slow, but it's nice to still have support, especially when you consider my router is several years old. So if you've got an Asus router, check for a firmware update (actually, check no matter what brand router you have).

With Debian/Raspbian and Windows 10 patched that just leaves my phone (all my other devices run a recent Debian based Linux or Windows 10). Google supposedly has a fix in their November security patch, but who knows how long that'll take to trickle down through device maker and carrier approvals (my TMo Note 4 running Android 6.0.1 is currently on the August 1, 2017 security patch).
I hope that you made sure to put Wifi in WPA2 aes. It does suck for those using older smart devices that cannot use aes.

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Fri Nov 03, 2017 7:54 pm

broe23 wrote:
Fri Nov 03, 2017 9:04 am
I hope that you made sure to put Wifi in WPA2 aes. It does suck for those using older smart devices that cannot use aes.
I have always used AES with WPA2. I've even used AES with WPA on devices that allowed it. And yes, it does suck that there will be tons of vulnerable devices out there that may never get patched. Web enabled cameras, smart TVs, game systems, printers and many other kinds of connected devices will probably never get patched.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

Heater
Posts: 15974
Joined: Tue Jul 17, 2012 3:02 pm

Re: KRACK Key Reinstallation Attacks raspbian patch?

Fri Nov 03, 2017 8:15 pm

So the new KRACK thing makes no difference. All those things you listed are open and on line already.

See here for example: https://www.youtube.com/user/mediacccde/videos
Memory in C++ is a leaky abstraction .

User avatar
HawaiianPi
Posts: 5846
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: KRACK Key Reinstallation Attacks raspbian patch?

Fri Nov 03, 2017 11:31 pm

Heater wrote:
Fri Nov 03, 2017 8:15 pm
So the new KRACK thing makes no difference. All those things you listed are open and on line already.
Well my WiFi enabled printer is easy to fix (just have to find my box of USB cables). My game system is just as easy to fix (except it's my box of Ethernet cables I need to find). We don't have a Smart TV, WiFi enabled refrigerator or Samsung Galaxy Surfboard, so I think we're good.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Sat Nov 04, 2017 4:39 am

HawaiianPi wrote:
Fri Nov 03, 2017 7:54 pm
broe23 wrote:
Fri Nov 03, 2017 9:04 am
I hope that you made sure to put Wifi in WPA2 aes. It does suck for those using older smart devices that cannot use aes.
I have always used AES with WPA2. I've even used AES with WPA on devices that allowed it. And yes, it does suck that there will be tons of vulnerable devices out there that may never get patched. Web enabled cameras, smart TVs, game systems, printers and many other kinds of connected devices will probably never get patched.
The issue is that there are still a lot of legacy gear out there that will only use either WAP or WPA tkip, such as handheld scanners for inventory and such, along with some older smart devices. It is a reminder that people need to be aware of and they should be giving an inventory of hardware that they think may be vulnerable and have some help to check.

I can see a way to make some good money legally as a consultant in helping to get old legacy gear replaced if it can, or even making sure that all wireless gear is properly setup if able to do aes. Welcome to our kids Y2K.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Sat Nov 04, 2017 4:44 am

HawaiianPi wrote:
Fri Nov 03, 2017 11:31 pm
Heater wrote:
Fri Nov 03, 2017 8:15 pm
So the new KRACK thing makes no difference. All those things you listed are open and on line already.
Well my WiFi enabled printer is easy to fix (just have to find my box of USB cables). My game system is just as easy to fix (except it's my box of Ethernet cables I need to find). We don't have a Smart TV, WiFi enabled refrigerator or Samsung Galaxy Surfboard, so I think we're good.
I personally cannot stand all of the extra bells and whistles that people want for them to see what is in their fridge or to remind them that the oven is on. We have a smart TV, but really it is not that smart, since Samsung has the worse interface and slow as molasses in Winter. Our home theater receiver is not even smart, since we use a NVIDIA shield that just got updated to the next firmware, but Google and NVIDIA still refuse to fix the issue with Pluto showing six copies of channels from the Pluto app and you cannot setup to have it access a NAS for network storage. Otherwise it is all good in the hood.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: KRACK Key Reinstallation Attacks raspbian patch?

Sat Nov 04, 2017 4:54 am

HawaiianPi wrote:
How does this make you feel all warm and fuzzy. At least I could breathe a sigh of relief that my EAP-1750H is not vulnerable. "This particular vulnerability has no direct impact on any EnGenius APs operating in “access point” mode. However, EnGenius access points that are used as client devices (i.e. Electron™ APs operating in “client bridge” mode) or any access points that are used for point-to-multipoint communications (i.e. Electron™ APs operating in “WDS bridge” or “WDS station” mode) are potentially impacted by this vulnerability in the IEEE 802.11 protocol. Furthermore, some advanced applications and features, such as mesh networking and fast roaming (i.e. 802.11r), may also be potentially vulnerable to this issue."
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

Return to “General discussion”