
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

charlesroper
Dabbler
Posts: 12
Thanks: 4
Registered: ‎07-08-2016

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

charlesroper
Dabbler
Posts: 12
Thanks: 4
Registered: ‎07-08-2016

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Official site of this exploit has gone live: https://www.krackattacks.com/

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Hi Charles,

 

I registered here specifically because of this issue, as it will put a majority of wifi users' data at risk!

The important take-away from that article is that this flaw is present in the WPA standard, which means that it affects all devices that support it. The only way to have a secure network now is one of the following:

 

  1. Go back to using ethernet cables.
  2. Disable the wifi capability of the PlusNet hub, and buy a wifi router from a vendor that has already announced a patch for this problem. Additionally, wifi client devices also need to be patched (smartphones, tablets, laptops). EDIT: see update below *

I'm going to be using a long-assed network cable for the foreseeable future...

 

As for PlusNet: what is the company doing to protect its customers' network privacy? Has the vendor of PlusNet's hubs/routers been contacted? Are they going to provide a patch? If yes, how is this patch going to be provided to us?

 

--------------------------

*EDIT:

 

After re-reading the FAQ the researchers wrote, the following is really the important part in mitigating this problem quickly:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

So patching the hubs/routers is important, but the priority should be to install the latest security patches for mobile device operating systems (Windows, Mac, Linux, Android, etc). 

Android devices may be especially at risk given how quickly vendors seem to declare them end-of-life, and have no centralized update policy...

 

Lastly: patching phones, tablets & laptops isn't something PlusNet can do, and it is not PlusNet's responsibility. We as owners of the devices must make sure they are up-to-date!

It may be useful if PlusNet could send out some sort of warning as I imagine plenty of customers are likely to remain unaware of this problem... also let all your friends and family know!
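
As an added illustration of the access-point mitigations in the FAQ excerpt quoted in the post above (not part of the thread or of the researchers' material): a small Python audit that reads a wireless config in OpenWrt UCI syntax and flags interfaces with 802.11r enabled or running in client (station) mode. The sample config, the interface names and the function names are constructed for this example.

```python
import shlex

# Constructed sample in OpenWrt UCI syntax (/etc/config/wireless); not from a real device.
SAMPLE_WIRELESS = """
config wifi-iface 'home_ap'
    option mode 'ap'
    option ssid 'ExampleHome'
    option encryption 'psk2'
    option ieee80211r '1'

config wifi-iface 'uplink'
    option mode 'sta'
    option ssid 'ExampleUpstream'

config wifi-iface 'guest_ap'
    option mode 'ap'
    option ssid 'ExampleGuest'
"""

TRUE_VALUES = {"1", "on", "true", "yes", "enabled"}  # UCI boolean spellings

def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options)."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and # comments
        if len(tokens) >= 2 and tokens[0] == "config":
            sections.append((tokens[1], tokens[2] if len(tokens) > 2 else "", {}))
        elif len(tokens) >= 3 and tokens[0] == "option" and sections:
            sections[-1][2][tokens[1]] = tokens[2]
    return sections

def audit_wireless(text):
    """Flag the two AP-side settings the FAQ suggests disabling."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype != "wifi-iface":
            continue
        if opts.get("ieee80211r", "0").lower() in TRUE_VALUES:
            findings.append((name, "802.11r fast roaming enabled"))
        if opts.get("mode") == "sta":
            findings.append((name, "client (station) mode in use"))
    return findings

if __name__ == "__main__":
    for iface, issue in audit_wireless(SAMPLE_WIRELESS):
        print(f"{iface}: {issue}")
```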

 

Piccalilli
Newbie
Posts: 2
Thanks: 1
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Reading the above, it seems that likely all wifi routers supplied by plusnet are vulnerable, and until either they, or all wifi clients on them are fixed, the network is essentially insecure.

The title is misleading, you can also inject packets pretending to be the clients or router, it's not only eavesdropping.

 

If the router is patched, there is no need to fix the clients.

If the router is not patched, you need to fix every single client, or someone can easily attack the internal network as that client, and read its traffic.

 

(for values of 'easy' where that is 'cares enough to learn' or waits a day or two at most for readily available crack solutions).

 

This is a proximity attack, it does nothing if the attacker is not within your network range. (which, with a good antenna can be quite a lot further than you think)

 

I do hope Plusnet's router makers are on the ball on this and updates are readily available.

 

One mitigation of course is to disable wifi on your AP and use a suitable patched AP instead. OpenWrt has apparently already rolled out a patch.

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Piccalilli wrote:

I do hope Plusnet's router makers are on the ball on this and updates are readily available.

 

I had already posted a reply in this thread where I also asked what PlusNet was doing about this issue (ie: whether the hub vendor had been contacted, and how/if a patch would be supplied).

 

Unfortunately my post was here only for a couple of hours, then it was promptly deleted. Doesn't bode well...  

 

(Moderator has released the post)

 

Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

I've just spoken to an IT friend of mine, and Apple have released a firmware update for iPhones.

They didn't mention the exploit - just other stuff in the notes.

I find it a bit coincidental a new release has been made so quickly, at this time.

dvorak
Moderator
Posts: 29,498
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping


@easuter wrote:

 

Unfortunately my post was here only for a couple of hours, then it was promptly deleted. Doesn't bode well...


 

Hi @easuter, your original post wasn't deleted or moderated, but was caught in a spam filter.

 

I've released that post and it should now display in the thread above, apologies for that.

Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Hi @dvorak, thanks for clearing that up, and my apologies for the accusation; I've edited my post.

Cheers

sfw
Hooked
Posts: 5
Thanks: 1
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

easuter wrote:

As for PlusNet: what is the company doing to protect its customers' network privacy? Has the vendor of PlusNet's hubs/routers been contacted? Are they going to provide a patch? If yes, how is this patch going to be provided to us?

+1. I've also registered here specifically to find out what PlusNet is planning to do to protect us as customers. Will there be a patch for our routers? How will it be provided? Does the company have any official advice in the meantime?

Many thanks in advance.

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Hi @sfw,

 

I've updated my original reply. While it is important that the access points receive updates, the immediate threat is unpatched wifi client devices, ie: smartphones, laptops, tablets.

 

Cheers

dvorak
Moderator
Posts: 29,498
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Just read the detail of this; I'm pretty sure the APs don't need to receive any update, it's only client side.
easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

@dvorak, Yeah pretty much. Routers can be patched to mitigate some of the possible attacks (ie: if the router is in repeater mode, or fast roaming is enabled), but the main attack vector is the client device.

Piccalilli
Newbie
Posts: 2
Thanks: 1
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

I somewhat disagree.

If you are going out in public with your device, and connecting to unknown APs, then your behaviour should not change much, because you were already vulnerable to all of the bad things that could happen with this attack if the AP is compromised.

 

If you are only using VPN/https/ssh, the effects of this attack just mean that the threats widen from the AP provider (and any hackers who took over the AP) to people sitting next to you.

 

In the case of unfixed APs, all of the older and not-going-to-be updated devices are now a complete hole into your internal network, allowing outsiders into your network full of devices that are not easy or possible to secure.

 

I need to read the details with more coffee onboard though.

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

I don't disagree with you regarding public networks; I don't use free wifi hotspots nor do I connect to any access points I don't trust. 

 

However the takeaway I get from going over the researchers' website (not the Ars article) is that the priority for mitigating this flaw should be to patch the client devices. I'm not saying the APs shouldn't also be updated, but realistically I don't see many vendors actually providing firmware updates, let alone actually getting millions of users to deploy the patches if they are provided...

DaveyH
Champion
Posts: 1,946
Thanks: 453
Fixes: 12
Registered: ‎15-11-2012

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping


Alex wrote:

I find it a bit coincidental a new release has been made so quickly, at this time.


Nothing suspicious about that, it's called responsible disclosure. Linux has been patched already too...