Personal computing discussed

Moderators: Steel, notfred

 
just brew it!
Gold subscriber
Administrator
Posts: 49736
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Time to update everything WiFi

Sat Oct 21, 2017 9:07 pm

meerkt wrote:
I thought the Windows update was where it was fixed, not WLAN drivers?

Unless I'm mistaken, it sounds like the vulnerable handshake is done in the WLAN driver on Windows. For older WLAN drivers, I imagine it's possible the driver is coming from Microsoft, in which case both are true.

For Linux/Android it sounds like the vulnerable bit of the protocol is being handled by a shared component that is not driver-specific.
Nostalgia isn't what it used to be.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Sun Oct 22, 2017 12:01 am

JustAnEngineer wrote:
ludi wrote:
JustAnEngineer wrote:
My Zenbook UX32VD's Centrino-N 6235...
Consider an Intel 3165 (dual-band AC+BT).
The Centrino-N 6235 is a 2x2 dual band ABGN+BT half mini PCIe M.2 card. The 7260 and 3160 look similar. Which would be the easiest drop-in replacement?
https://ark.intel.com/products/family/5 ... s-Products

Either, assuming the BIOS doesn't have a lock-out table. The 3160 is cheap ($10 shipped) but the 7260 has dual-band for about twice the price ($20-25), although that's still not too expensive as laptop upgrades go.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Sun Oct 22, 2017 5:02 pm

just brew it! wrote:
Unless I'm mistaken, it sounds like the vulnerable handshake is done in the WLAN driver on Windows. For older WLAN drivers, I imagine it's possible the driver is coming from Microsoft, in which case both are true.


I'm talking about this Microsoft update:
https://portal.msrc.microsoft.com/en-US ... 2017-13080

But maybe that's not the whole thing? Other CVE-2017-130xx are mentioned here:
https://blogs.cisco.com/security/wpa-vulns
 
BIF
Gold subscriber
Minister of Gerbil Affairs
Posts: 2247
Joined: Tue May 25, 2004 7:41 pm

Re: Time to update everything WiFi

Sun Oct 22, 2017 5:07 pm

Dposcorp wrote:
I am smarter then all of you.

My wifi network is open to all, no password, so will never get hacked.

Social engineering anti-attack FTW!!!!!!!!1


I have an extra router. I was wondering how I might be able to set up a honey-pot type of trap for hackers who might be trying to access home routers from the street.
 
just brew it!
Gold subscriber
Administrator
Posts: 49736
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Time to update everything WiFi

Sun Oct 22, 2017 5:15 pm

meerkt wrote:
just brew it! wrote:
Unless I'm mistaken, it sounds like the vulnerable handshake is done in the WLAN driver on Windows. For older WLAN drivers, I imagine it's possible the driver is coming from Microsoft, in which case both are true.

I'm talking about this Microsoft update:
https://portal.msrc.microsoft.com/en-US ... 2017-13080

But maybe that's not the whole thing? Other CVE-2017-130xx are mentioned here:
https://blogs.cisco.com/security/wpa-vulns

Yeah, sounds like some of the functionality is part of Windows, but some is not. From about 3/4 of the way down the first page you linked:
Microsoft wrote:
The provided security updates address the reported vulnerability; however, when affected Windows based systems enter a connected standby mode in low power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware. To fully address this potential attack vector, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers.

So it sounds like it interacts with power management in a way that may cause it to rely on (broken) device drivers.
Nostalgia isn't what it used to be.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Sun Oct 22, 2017 9:59 pm

Just checked on my dad's HP laptop today after the family lunch, and he had the 3160, so I pointed him to the Intel download site and that was a painless fix.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Mon Oct 23, 2017 11:45 am

just brew it! wrote:
So it sounds like it interacts with power management in a way that may cause it to rely on (broken) device drivers.

Plus, Cisco lists a whole bunch of related CVEs.

I don't think there's an updated Intel driver for my NIC. Alas.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Mon Oct 23, 2017 11:57 am

meerkt wrote:
just brew it! wrote:
So it sounds like it interacts with power management in a way that may cause it to rely on (broken) device drivers.

Plus, Cisco lists a whole bunch of related CVEs.

I don't think there's an updated Intel driver for my NIC. Alas.

What do you have now?
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
Ryu Connor
Gold subscriber
Global Moderator
Posts: 4215
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Time to update everything WiFi

Mon Oct 23, 2017 3:12 pm

meerkt wrote:
I don't think there's an updated Intel driver for my NIC. Alas.


I'd note Intel Wi-Fi adapters aren't the only one that needs driver updates. Broadcom, MediaTek, Atheros, and RealTek also will need to update their Wi-Fi drivers.

Many of those companies don't even have publicly distributed drivers. So, yeah, that's gonna end well. This KRACK flaw is going to linger for years upon years before finally being stamped out.

Any device or network you haven't personally secured will be suspect and should be assumed to have the same security as an open network.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Mon Oct 23, 2017 6:08 pm

ludi wrote:
meerkt wrote:
I don't think there's an updated Intel driver for my NIC. Alas.
What do you have now?
Now?

Ryu Connor wrote:
Any device or network you haven't personally secured will be suspect and should be assumed to have the same security as an open network.

Would be useful to have an Android tool to test/demonstrate it on vulnerable networks.
 
just brew it!
Gold subscriber
Administrator
Posts: 49736
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Time to update everything WiFi

Mon Oct 23, 2017 6:49 pm

Ryu Connor wrote:
Any device or network you haven't personally secured will be suspect and should be assumed to have the same security as an open network.

That's been my default assumption all along. It's why I do the encrypted SOCKS proxy thing on my laptop. Yeah, it means I am implicitly trusting the provider of the VPS I run the proxy on, but at some level you've gotta trust someone, and I trust them more than I collectively trust the providers of random WiFi hotspots.
Nostalgia isn't what it used to be.
 
JustAnEngineer
Gold subscriber
Gerbil God
Posts: 17735
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: Time to update everything WiFi

Mon Oct 23, 2017 9:27 pm

There hasn't been much from D-Link yet:
http://supportannouncement.us.dlink.com ... e=SAP10075
They're apparently waiting for Broadcom to send them some updated firmware.
i7-6700K, NT06-Pro, GA-Z170N-Gaming5, 32 GiB, RX Vega56, SM951, 5TB HDD, Blu-ray, FTZ01, SX800-LTi, C32HG70, RK-9000BR, MX518
 
Vhalidictes
Gold subscriber
Gerbil Jedi
Posts: 1682
Joined: Fri Jan 07, 2005 2:32 pm
Location: Paragon City, RI

Re: Time to update everything WiFi

Mon Oct 23, 2017 11:40 pm

JustAnEngineer wrote:
There hasn't been much from D-Link yet:
http://supportannouncement.us.dlink.com ... e=SAP10075
They're apparently waiting for Broadcom to send them some updated firmware.


Ah, the joys of OEMs. Remember back in the bad old days when video card manufacturers actually designed their own cards?

I guess the silver lining is that you can shop entirely on cost since it doesn't really matter who made the Broadcom WiFi card you're using.
 
SuperSpy
Gold subscriber
Minister of Gerbil Affairs
Posts: 2226
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: Time to update everything WiFi

Tue Oct 24, 2017 7:25 am

Still doing better than Realtek which is still 100% silent.
Desktop: i7-4790K @4.8 GHz | 32 GB | EVGA Gefore 1060 | Windows 10 x64
Laptop: i7 740QM | 12 GB | Mobility Radeon 5850 | Windows 10 x64
 
notfred
Maximum Gerbil
Topic Author
Posts: 4393
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Time to update everything WiFi

Tue Oct 24, 2017 8:37 am

meerkt wrote:
Would be useful to have an Android tool to test/demonstrate it on vulnerable networks.

There is a tool (unknown if it is an Android app or something else) that will detect the vulnerability but it hasn't been published yet:
https://www.krackattacks.com/#tools

I think it will be a while before anything gets released, not enough stuff is patched yet and if you give the script kiddies an easy tool to copy it will be slaughter.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Tue Oct 24, 2017 9:07 am

meerkt wrote:
ludi wrote:
meerkt wrote:
I don't think there's an updated Intel driver for my NIC. Alas.
What do you have now?
Now?

What WiFi card/chipset is installed in your NIC? It might be replaceable with a newer version.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Tue Oct 24, 2017 9:21 am

notfred wrote:
I think it will be a while before anything gets released, not enough stuff is patched yet and if you give the script kiddies an easy tool to copy it will be slaughter.
That's okay, I shall await the script kiddies tool. :)

ludi wrote:
meerkt wrote:
ludi wrote:
What do you have now?
Now?
What WiFi card/chipset is installed in your NIC? It might be replaceable with a newer version.
Oh. I thought the "now" was a reference to past discussion, not future. It's a 2230. I suppose it could be replaced. I never understood the why/how/if of these BIOS locks, or whatever it is, but maybe my Asus laptop is free from this BS as this WNIC was sold as a Dell part.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Tue Oct 24, 2017 10:06 am

meerkt wrote:
It's a 2230. I suppose it could be replaced. I never understood the why/how/if of these BIOS locks, or whatever it is, but maybe my Asus laptop is free from this BS as this WNIC was sold as a Dell part.

Okay, that looks like another half-mini-PCIe m.2 card, same thing I replaced in mine and similar to the one JAE is thinking about swapping. Search "Intel 3160" on eBay, I got mine for $10 shipped and my Dell accepted it. If it works, you'll also get a cheap upgrade from "N' to 802.11ac.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
TwistedKestrel
Gerbil Elite
Posts: 646
Joined: Mon Jan 06, 2003 4:29 pm

Re: Time to update everything WiFi

Tue Oct 24, 2017 12:36 pm

Is this section new, or did I just not notice it before?

Can we modify an access point to prevent attacks against the client?

Yes, it is possible to modify the access point such that connected clients cannot be attacked. These modifications only prevent attacks when a vulnerable client is connected to such a modified access point. When a vulnerable client connects to a different access point, it can still be attacked.

Technically, this is accomplished by modifying the access point such that it does not retransmit message 3 of the 4-way handshake. Additionally, the access point is modified to not retransmit message 1 of the group key handshake. The hostapd project has such a modification available. They are currently evaluating to which extend this impacts the reliability of these handshakes. We remark that it's also possible to prevent attacks against clients by retransmitting the above handshake messages using the same (previous) EAPOL-Key replay counter. The attack against the group key handshake can also be prevented by letting the access point install the group key in a delayed fashion, and by assuring the access only accepts the latest replay counter (see section 4.3 of the paper for details).

https://www.krackattacks.com/#ap-mitigations
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Tue Oct 24, 2017 6:05 pm

ludi wrote:
Search "Intel 3160" on eBay, I got mine for $10 shipped and my Dell accepted it. If it works, you'll also get a cheap upgrade from "N' to 802.11ac.

Thanks. I'm probably not going to change the NIC for the time being. Maybe the Windows update is enough, maybe Intel will update older drivers... I'll wait for vulnerability check tools.

BTW, the 3160 is a sidegrade. N 2x2 to AC 1x1. I don't have any AC devices, nor N 2x2, but N 2x2 is more likely to happen at some point.
Interestingly, there's also a full height 3160. I think it's 3160NGW vs 3160HMW.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Tue Oct 24, 2017 6:08 pm

meerkt wrote:
ludi wrote:
Search "Intel 3160" on eBay, I got mine for $10 shipped and my Dell accepted it. If it works, you'll also get a cheap upgrade from "N' to 802.11ac.

Thanks. I'm probably not going to change the NIC for the time being. Maybe the Windows update is enough, maybe Intel will update older drivers... I'll wait for vulnerability check tools.

BTW, the 3160 is a sidegrade. N 2x2 to AC 1x1. I don't have any AC devices, nor N 2x2, but N 2x2 is more likely to happen at some point.
Interestingly, there's also a full height 3160. I think it's 3160NGW vs 3160HMW.

There's also the 7260 which is dual-band, but in my case I only wanted to risk $10 in the event there was a firmware lockout in the BIOS. Since the 3160 worked I could probably swap to a 7260, but there's not much point; I don't normally connect to the Internet faster than 60mbps and I don't do large file transfers over the wireless network.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
JustAnEngineer
Gold subscriber
Gerbil God
Posts: 17735
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: Time to update everything WiFi

Tue Oct 24, 2017 9:12 pm

A dozen Torx T5 screws and two Phillips 0 screws later...
Intel 7260 fits easily into the half mini PCIe slot that the Intel 6235 previously occupied and is immediately recognized by the Intel software. :)
Internal WiFi antennas don't match the connectors on the new card. :(
I've just ordered a pair of new antennas. :oops:
i7-6700K, NT06-Pro, GA-Z170N-Gaming5, 32 GiB, RX Vega56, SM951, 5TB HDD, Blu-ray, FTZ01, SX800-LTi, C32HG70, RK-9000BR, MX518
 
Redocbew
Gold subscriber
Graphmaster Gerbil
Posts: 1350
Joined: Sat Mar 15, 2014 11:44 am

Re: Time to update everything WiFi

Tue Oct 24, 2017 9:22 pm

Yeah, it's been a number of years since I've had to swap out a mini PCIe card, but I remember having similar problems. I swapped out the wireless card in one of my past laptops which had a physical LED button for turning wireless on or off. When I swapped the card the button stopped working, and the LED became an activity indicator. When I turned it on and saw the LED blinking on and off seemingly at random I was sure I had broken something. :P
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Tue Oct 24, 2017 10:44 pm

JustAnEngineer wrote:
A dozen Torx T5 screws and two Phillips 0 screws later...
Intel 7260 fits easily into the half mini PCIe slot that the Intel 6235 previously occupied and is immediately recognized by the Intel software. :)
Internal WiFi antennas don't match the connectors on the new card. :(
I've just ordered a pair of new antennas. :oops:

What was the physical difference? All the pictures I can find of the 6235 and 7260 indicate they should be identical.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
JustAnEngineer
Gold subscriber
Gerbil God
Posts: 17735
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: Time to update everything WiFi

Wed Oct 25, 2017 4:17 am

The itty-bitty antenna connectors on the old card have a smaller barrel diameter than those on the new one.
i7-6700K, NT06-Pro, GA-Z170N-Gaming5, 32 GiB, RX Vega56, SM951, 5TB HDD, Blu-ray, FTZ01, SX800-LTi, C32HG70, RK-9000BR, MX518
 
notfred
Maximum Gerbil
Topic Author
Posts: 4393
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Time to update everything WiFi

Wed Oct 25, 2017 8:31 am

Found a thread about it:
http://forum.notebookreview.com/threads ... lp.731735/

IPEX MHF4 connectors on the old card vs Hirose U.FL connectors on the new.
 
ludi
Darth Gerbil
Posts: 7452
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Time to update everything WiFi

Wed Oct 25, 2017 11:14 am

notfred wrote:
Found a thread about it:
http://forum.notebookreview.com/threads ... lp.731735/
IPEX MHF4 connectors on the old card vs Hirose U.FL connectors on the new.


JustAnEngineer wrote:
The itty-bitty antenna connectors on the old card have a smaller barrel diameter than those on the new one.

Bummer, guess I got lucky on mine. Sorry to have misled you, hopefully the upgrade to AC support is worth the extra effort.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
columba
Gerbil In Training
Posts: 1
Joined: Sun Oct 29, 2017 11:30 pm

Re: Time to update everything WiFi

Sun Oct 29, 2017 11:59 pm

Hey guys, LEDE 17.01.04 has released and KRACK has been patched. Hope it helps!
 
Ryu Connor
Gold subscriber
Global Moderator
Posts: 4215
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Time to update everything WiFi

Mon Oct 30, 2017 8:52 pm

meerkt wrote:
Thanks. I'm probably not going to change the NIC for the time being. Maybe the Windows update is enough, maybe Intel will update older drivers... I'll wait for vulnerability check tools.


Having had a chance to delve into the guts of this exploit, I've discovered that JBI's interpretation earlier was correct. The Windows fix was for CVE-2017-13080, this fixes an implementation issue with the way Multicast and Broadcast traffic is secured under WPA2.

Intel drivers tackled CVE-2017-13080 - 13081. Why did Intel do 13080 again if Microsoft fixed it? Resumption from sleep or devices that do connected standby need the driver to do the work.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
meerkt
Gerbil Elite
Posts: 811
Joined: Sun Aug 25, 2013 2:55 am

Re: Time to update everything WiFi

Wed Nov 01, 2017 10:16 pm

What happens on sleep wakeup without the fix?

Who is online

Users browsing this forum: No registered users and 1 guest