[Nottingham] WPA2 is falling

Martin martin at ml1.co.uk
Tue Oct 17 14:44:03 UTC 2017

On 17/10/17 14:05, Jason Irwin via Nottingham wrote:
> On 17/10/17 13:05, John wrote:
>> 'Smart' TVs ? They'll just expect you to buy a new one. And that will
>> still have a shed load of other vulnerabilities ..
> Probably...

Never trusted any of those things :-P - not got one :-)

(Then again, not got anything TV-like in any case! Life is too short.)

>> Can someone get onto Virgin (other **** ISP's are available) ? Good luck
>> with getting them to roll out a firmware update. Mind you, my ASUS AP
>> has not been patched yet.
> Meh, I only use their !!!!!!! as the modem.

Yep. Modem mode only here. Bit of a shame to waste the rest of the
functionality, but then again, far better to enjoy FLOSS reliability
using a little something somewhat more reliable!

BTW: Cable is good for symmetric 10 Gigabit/s with DOCSIS 3.1:


Shame about the monopoly price jump...

Also shame BT will be keeping most of the UK on the decades old obsolete
thousands of times slower ADSL 'stop-gap' over the old telegraphy system
of old wires...

And fibre is faster, more reliable, and has just got to be lower
electrical costs and remove many an ugly roadside box... So?...

> In shock news, it seems MS and Apple had the patches out before any
> GNU/Linux distro. No idea about Android, although the OEMs/carriers will
> probably be the cause of the major delays.

There's a bit of a giggle with the detail:

Release the KRACKen patches: The good, the bad, and the ugly on this
WPA2 Wi-Fi drama

... using Android 6.0 or Linux with wpa_supplicant 2.4 or later, it's
super easy to hijack the wireless connection. Due to a programming
cockup, this software uses a zero key – ie, an encryption key that's all
zeroes – when under attack by KRACK...

... Windows and iOS are largely unaffected by KRACK in that it is rather
difficult to exploit the protocol flaws due to Microsoft and Apple's
[mal-] implementations of WPA2 – and, in any case, patches are either
available or incoming. Linux, Android 6.0 and above, OpenBSD 6.1, and
macOS 10.12 and 10.9 are most at risk from KRACK's eavesdropping
techniques due to the way they handle encryption key reuse in WPA2...

On the Unix-y front, OpenBSD has a fix ready, as do Linux distros
including Debian.

And for such things, this is where FLOSS really is better than the
money-making by obfuscation silliness:

Finally, don't forget that the IEEE makes the whole process of
evaluating and scrutinizing its standards for things like the WPA2
design blunder relatively difficult...

IT history of silliness repeated...

For goodly Rounded discussion Thursday ;-)


- ╔═══════════════════╦══════════════════════════════════════════╗
- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝

More information about the Nottingham mailing list