Old 10-23-2017, 03:23 PM   #1
slate
Connoisseur
Posts: 57
Karma: 4066
Join Date: Jan 2013
Device: N/A
Question WPA2 KRACK: Kobo official response?

Very quiet indeed.
Old 10-23-2017, 03:56 PM   #2
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by slate View Post
Very quiet indeed.
Given that both Amazon's and Kobo's eInk readers run Linux and there are patches already available for Linux, I would not be surprised to see new firmware to fix the vulnerability fairly soon.

Given the nature of the Krack vulnerability, I'd worry more about your wireless router than your Kobo device.
Old 10-23-2017, 06:12 PM   #3
jackastor
Wizard
Posts: 1,847
Karma: 3212428
Join Date: Jun 2011
Device: iphone stanza, kobo touch,ASUS TF300,KOBO GLO, Kobo Aura HD, Kobo Mini
Quote:
Originally Posted by DNSB View Post
Given that both Amazon's and Kobo's eInk readers run Linux and there are patches already available for Linux, I would not be surprised to see new firmware to fix the vulnerability fairly soon.

Given the nature of the Krack vulnerability, I'd worry more about your wireless router than your Kobo device.
I doubt that this will ever be an issue for anyone here.
Old 10-25-2017, 02:20 AM   #4
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by jackastor View Post
I doubt that this will ever be an issue for anyone here.
I hate to be the voice of gloom and doom, but KRACK is already an issue for me. Network administration/security in an education environment is kinda fun—invite the hackers in and give them user names and passwords to give them a jumpstart. In our wireless environment, disabling fast BSS transitions mitigates the issue but real fixes are not here yet.

As the old saw goes, Ask not whether you're paranoid, ask whether you're paranoid enough!
Old 10-26-2017, 05:09 PM   #5
ReaLx3m
Groupie
Posts: 154
Karma: 32060
Join Date: Aug 2017
Device: Kobo Aura H2O, Kobo Aura One, Pocketbook Inkpad 3 Pro
Quote:
Originally Posted by DNSB View Post
I hate to be the voice of gloom and doom, but KRACK is already an issue for me. Network administration/security in an education environment is kinda fun—invite the hackers in and give them user names and passwords to give them a jumpstart. In our wireless environment, disabling fast BSS transitions mitigates the issue but real fixes are not here yet.

As the old saw goes, Ask not whether you're paranoid, ask whether you're paranoid enough!
DDWRT already has patched router firmwares, so that would be one way to go around that, as imo many manufacturers will never patch many router models, especially older ones.
Old 10-26-2017, 11:07 PM   #6
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by ReaLx3m View Post
DDWRT already has patched router firmwares, so that would be one way to go around that, as imo many manufacturers will never patch many router models, especially older ones.
I'm using DDWRT on my wireless router at home and would recommend it for most people who have some technical skills.
Old 10-27-2017, 04:30 AM   #7
Quoth
Still reading
Posts: 13,886
Karma: 103895653
Join Date: Jun 2017
Location: Ireland
Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper
It's an unpatched client approved to use your WiFi that creates the vulnerability.
Old 10-27-2017, 09:18 AM   #8
piratepanda
Connoisseur
Posts: 58
Karma: 4158
Join Date: Nov 2012
Device: Kobo Glo, Kobo Aura H2O, Kobo Aura One
Quote:
Originally Posted by DNSB View Post
I'm using DDWRT on my wireless router at home and would recommend it for most people who have some technical skills.
DDWRT is still alive? OpenWRT or LEDE seem to be more active to me but I might be wrong.
Old 10-28-2017, 01:29 AM   #9
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by FrustratedReader View Post
It's an unpatched client approved to use your WiFi that creates the vulnerability.
The way I read it, you need the router vulnerable or KRACK will not work.
Old 10-28-2017, 01:38 AM   #10
eenk
*carrier lost*
Posts: 62
Karma: 14000
Join Date: Aug 2015
Location: 2001:db8:e:b00c::f00d
Device: Kobo Forma, H2O v1, Aura HD
The bug affects wpa_supplicant and hostap. The latter most probably isn't used on the Kobo eink readers, but the former is for connecting to wireless LANs. However, the attack mentioned does not result in a compromise of the WPA2 passphrase, but instead a single session can be read. For an ebook reader I would guess that its WLAN is off most of the time, and only sporadically switched on for syncing. At least as a temporary user measure this shouldn't be a burden on users. And even if a session gets compromised at the data link level, I fail to see what damage could be done? A firmware download is rare, and then the attacker doesn't get any valuable information I would think. Sending a hacked firmware inband doesn't seem to be really possible, but I might be wrong here. Seeing reading statistics also doesn't strike me as too dangerous unless in those cases where someone doesn't want even Kobo to see them. So the danger of Krack on ebook readers doesn't strike me as even low.
Old 10-28-2017, 01:40 AM   #11
eenk
*carrier lost*
Posts: 62
Karma: 14000
Join Date: Aug 2015
Location: 2001:db8:e:b00c::f00d
Device: Kobo Forma, H2O v1, Aura HD
Quote:
Originally Posted by DNSB View Post
The way I read it, you need the router vulnerable or KRACK will not work.
Wrong. The attack is on the client side, also called station side afaik. Also, most wireless APs, that's the other side, implement the client side, so APs usually won't be vulnerable.
Old 10-28-2017, 02:17 AM   #12
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by piratepanda View Post
DDWRT is still alive? OpenWRT or LEDE seem to be more active to me but I might be wrong.
The DD-WRT site itself seems to be out of date but such sites as MyOpenRouter have newer versions and a Google search is even better. My Netgear R7000P was quite happy with an update from early 2017 but I'm now trying to decide if I want to update to an Oct. 2017 release. So far I haven't seen the internet connection being lost bug reported by some on my current version and I would really prefer not to see it. I'm a bit nervous about either OpenWRT or LEDE since they don't seem to differentiate between the R7000P and its older cousin the R7000 while MyOpenRouter does have warnings that the two are different enough to need separate versions.

If it wasn't for my love for the usage graphs, I might not have bothered to install DD-WRT on the 7000P. I have enough fun with wireless at work these days to keep me satisfied.
Old 10-28-2017, 02:36 AM   #13
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by eenk View Post
Wrong. The attack is on the client side, also called station side afaik. Also, most wireless APs, that's the other side, implement the client side, so APs usually won't be vulnerable.
From what I've read, the nonce reuse vulnerability needs to be on both ends of the connection to allow the man in the middle attack to work. It would appear that Apple and Microsoft—for supported products—are releasing/have released patches while some Linux distributions have patches available. Pretty much leaving Android devices as the potential victims.

Last edited by DNSB; 10-28-2017 at 02:40 AM.
Old 10-28-2017, 05:39 PM   #14
roebeet
Connoisseur
Posts: 67
Karma: 770
Join Date: Jun 2010
Location: Pennsylvania, USA
Device: Kindle 4 Basic, Kobo Aura
Client patching is the more important of the two -- router is only important if it's being used in a client mode. And as mentioned Linux-based devices may be more vulnerable to the four-way handshake vulnerability.

Assuming that our Kobos are affected, I'm hoping the company will chime in on that and if/when updated firmware is being tested / released. Or if this last firmware update had already patched for it. In my case the biggest concern I have right now is the user logon aspects of my device over Wifi and especially purchasing anything via the device. A low risk of course given that an attacker would need to be in close proximity of the Wifi signal, but still a concern.

Last edited by roebeet; 10-28-2017 at 09:41 PM. Reason: syntax
Old 10-28-2017, 10:49 PM   #15
DNSB
Bibliophagist
Posts: 45,794
Karma: 168959602
Join Date: Jul 2010
Location: Vancouver
Device: Kobo Sage, Libra Colour, Lenovo M8 FHD, Paperwhite 4, Tolino epos
Quote:
Originally Posted by roebeet View Post
Client patching is the more important of the two -- router is only important if it's being used in a client mode. And as mentioned Linux-based devices may be more vulnerable to the four-way handshake vulnerability.
Not quite sure what you mean by the router being in a client mode unless you are referring to an AP being used in bridge mode. The KRACK vulnerability hijacks the 4 way handshake and appears to require that both sides allow recycling transmit and receive packet numbers (aka nonces) by the man in the middle. So the client/station/whatever and the AP/master must both be vulnerable for this to work as described in the original paper to allow eavesdropping on a wireless session. With the vulnerability on one side only, the results are not as useful to an attacker (not my opinion, I'm quoting from a Palo Alto engineer who has a heck of a lot more experience with network security than I).

To quote from the krackattacks.com website:

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.

That said, it is possible to modify the access point such that vulnerable clients (when connected to this AP) cannot be attacked. However, these modifications are different from the normal security patches that are being released for vulnerable access points! So unless your access point vendor explicitly mentions that their patches prevent attacks against clients, you must also patch clients.


The first paragraph is why we have disabled Fast BSS Transitions on our corporate network.
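The packet-number (nonce) reuse discussed in this thread, as an added toy model that is not from any poster and is not wpa_supplicant code: a client that reinstalls the session key on a retransmitted handshake message 3 resets its transmit nonce, while a patched client ignores the reinstall. The `Station` class, the SHA-256 keystream standing in for CCMP, the key and the frame contents are all constructed for illustration.

```python
import hashlib


def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Stand-in for CCMP, not real Wi-Fi crypto."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Hypothetical client side of the 4-way handshake; only key installation is modelled."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_pn = 0  # transmit packet number, used as the per-frame nonce

    def on_message3(self, ptk: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 that carries the key
        # already in use must not trigger a second installation.
        if self.patched and self.key == ptk:
            return
        self.key = ptk
        self.tx_pn = 0  # installing a key resets the packet number

    def send(self, plaintext: bytes):
        self.tx_pn += 1
        ks = keystream(self.key, self.tx_pn, len(plaintext))
        return self.tx_pn, xor(plaintext, ks)


def run(patched: bool) -> dict:
    sta = Station(patched)
    ptk = b"constructed-session-key"   # constructed sample key
    p1 = b"GET /sync HTTP/1.1"         # constructed sample frames, equal length
    p2 = b"POST /login user=x"
    sta.on_message3(ptk)               # first delivery of message 3
    n1, c1 = sta.send(p1)
    sta.on_message3(ptk)               # message 3 arrives again
    n2, c2 = sta.send(p2)
    return {
        "nonce_reused": n1 == n2,
        # With the same key and nonce the keystream cancels out, so the XOR of
        # the two ciphertexts equals the XOR of the two plaintexts.
        "plaintext_xor_exposed": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched:", run(patched=False))
    print("patched:  ", run(patched=True))
```

The session key itself is never recovered in either run, which matches the point made in the thread that the passphrase is not compromised.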
All times are GMT -4.