WPA2 security breach


  • Hello all. Is there any ETA to patch the WPA2 security breach that is going to be published
    today?


  • Would also be interested in hearing about this - according to ArsTechnica, Ubiquiti already have patches available for some of the enterprise equipment, so hopefully it won't be a huge effort to get the fix integrated into Amplifi. Right now, all Amplifi users (in common with pretty much every other consumer wifi) have essentially an open home network.


  • There may be nothing for them to do: "Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates."


  • I'm still trying to understand how much help is provided by patching the AP. Sounds like this attacks the clients and not the AP itself.

    I mean, it might be possible for the AP to manipulate the client into never duplicating nonces but that might also raise questions into whether or not that opens up new attack vectors.

    That said, there are probably still some areas where AmpliFi should be updated. For example, I don't know if it's possible that mesh node communication is impacted (probably not) or if the AmpliFi app could provide a test/check to indicate whether or not your Android/iOS device is affected. But at this time, it's seeming like the bulk of the patching is going to have to fall on our client devices, unfortunately. It sure would be easier if I only had to patch 1 set of devices to be secure instead of 30 different devices!

    Note: I don't know the inner details of this attack. This posturing is based on information provided by those who do and I'm just interpreting those interpretations. Hopefully Ubiquiti will share more information soon.

    References:

    1. UBNT post stating they have a patch in place (for something, although it's unclear to me exactly what and how much protection it provides).
    2. Disclosure website with lots of info understandable to normal tech people but lacking in details currently

  • The krack faq also continues with:
    "In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming)."

    This implies that routers / access points could be attacked - I'm also posturing here; would be good to hear something from Amplifi one way or the other...


  • @steve-strong said in WPA2 security breach:

    would be good to hear something from Amplifi one way or the other...

    I ABSOLUTELY agree! Hopefully somebody from UBNT can let us know something. I'm very interested in what their thinking is right now.

    Pure speculation on my end but I kinda think if they're struggling to be able to fully protect for these attacks on the AP side, then it would be nice to quickly get an option where at least they can detect such attacks and block devices when they're being attacked. That would at least change the attack from a major security attack to a less-concerning denial-of-service attack. That would make this far less desirable to exploit even if it's not ideal, at least until more clients can be updated and perhaps until they find a better server-side mitigation.


  • You need to update clients and APs to be fully protected. This Aruba FAQ explains it well:

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf


  • @peter-farrar said in WPA2 security breach:

    You need to update clients and APs to be fully protected. This Aruba FAQ explains it well:

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

    I've read that but there are many questions I still have that it doesn't touch on. I think all agree that the most straightforward way is to patch all devices running in some kind of client mode (most routers/access points have client functionality, too).

    However, there might be additional possibilities that are less straightforward. For example:

    This attack is mostly a Man-in-the-Middle (MITM) attack that tricks the client into resending identical nonces (a single-use random number) to the MITM party so they can snoop before passing the data on to the actual access point. While the client is oblivious to this (until patched but face it, patching all clients will be very difficult or even impossible), what I don't know is if the Access Point (AP) can detect the behavior of the MITM party. If they can in fact detect this behavior, then it's perhaps possible that the AP then drops the client traffic until it stops sending duplicate nonces. In this behavior, the attack is no longer able to spoof data but would only then be a denial-of-service (DOS) attack. Which I think might be "good enough". Why is this good enough? Because if you're within proximity of a wifi network, it's already pretty easy to just flood the wireless spectrum with noise to the point where you take wifi networks down. And given that you have to be within proximity of the wifi network in order to perform this new DOS attack, incentive drops tremendously to perform the attack.

    So again, while I agree with you that this vulnerability is an attack on clients, I still argue that some very smart people (smarter than me) might still be able to solve the problem with just patched routers and APs. And I know Ubiquiti has some very smart people working for them!
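
The AP-side detection idea raised in the post above can be made concrete. CCMP builds each nonce from the frame's 48-bit packet number (PN), so a client that reuses nonces shows up on the air as a PN that fails to increase under the same key. This is an added example, not part of the thread and not Ubiquiti code; `Frame`, `PnMonitor` and the sample frames are constructed for illustration, and it assumes the PN, TID and Retry flag have already been parsed from captured frames.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:              # fields assumed already parsed from a capture
    ta: str               # transmitter MAC address
    tid: int              # QoS traffic identifier (replay state is per TID)
    seq: int              # 802.11 sequence number
    retry: bool           # 802.11 Retry flag (MAC-layer retransmission)
    pn: int               # 48-bit CCMP packet number

class PnMonitor:
    """Hypothetical monitor: flags a PN that does not increase under one key."""
    def __init__(self):
        self._high = {}   # (ta, tid) -> highest PN seen
        self._seen = {}   # (ta, tid) -> {pn: seq}; unbounded here for brevity

    def new_key(self, ta):
        # A fresh pairwise key legitimately restarts the PN, so forget state.
        for table in (self._high, self._seen):
            for key in [k for k in table if k[0] == ta]:
                del table[key]

    def check(self, f):
        key = (f.ta, f.tid)
        seen = self._seen.setdefault(key, {})
        if f.pn > self._high.get(key, -1):
            self._high[key] = f.pn
            seen[f.pn] = f.seq
            return "ok"
        # Same frame resent at the MAC layer: same PN, same sequence number.
        if f.retry and seen.get(f.pn) == f.seq:
            return "retransmit"
        return "pn-reuse"   # nonce repeated under the same key

STA = "02:00:00:00:00:01"   # constructed sample data
SAMPLE = [
    Frame(STA, 0, 100, False, 1),
    Frame(STA, 0, 101, False, 2),
    Frame(STA, 0, 101, True, 2),    # ordinary retransmission
    Frame(STA, 6, 7, False, 4),     # other TID, sent out of order
    Frame(STA, 0, 102, False, 3),
    Frame(STA, 0, 103, False, 1),   # PN restarted without a new key
]

def classify(frames):
    mon = PnMonitor()
    return [mon.check(f) for f in frames]

if __name__ == "__main__":
    print(classify(SAMPLE))
```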


  • They updated their UNIFI firmware for APs yesterday. I would assume they are working on it for Amplifi as well. Again, would be nice to have someone from Amplifi chime in on this.

    @UBNT-Chance @UBNT-Gunars @UBNT-Jack


  • There is no doubt that Ubiquiti will patch AmpliFi at some point soon. The bigger problem is all the unpatched devices that are going to be around for years to come. There will be huge amounts of Android phones/tablets that will remain unpatched. As @Shane-Milton says above there really needs to be some way to prevent it in the AP if possible.


  • Looks like 2.4.3 is imminent:

    http://www.kb.cert.org/vuls/id/CHEU-AQNN6B


  • Feedback on this question via Twitter: Tweet

