Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?

A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims' encrypted Wi-Fi traffic. The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as …

  1. sanmigueelbeer
    1. diodesign (Written by Reg staff) Silver badge

      Thanks, added to the story.

      C.

    2. NonSSL-Login

      Yet another backdoor in Chinese products to snoop on traffic..oh wait, Broadcom & Cisco are American, must be a bug! /Sarcasm

      How useful this could be depends on how well the client OS/software reconnects and re-transmits and how many errors get shown on the desktop I would guess. Repeated warnings vs silent recovery would make a huge difference in whether someone investigates the reconnects or not.

      You can make a wifi de-auther using an ESP8266 board which is about the size of a flat finger but I'm not sure if it is possible to modify that project to read the known encryption key traffic after. Something to look into!

  2. Tom Paine

    Unpopular opinion

    (Devil's advocacy!)

    MitM attacks on unencrypted network traffic do happen, but unless you're the target of a nation state, they're not really worth worrying about.

    There, I said it!

    Now -- of course -- I've been making myself and the sec dept unpopular for donkey's years by whining on about telnet and FTP to management, just as much as the next grunt in the infosec trenches, but in retrospect the benefit was more about compliance than actual security benefit. (And of course it helps getting stuff patched, or skipped of its EOL, making at least some token effort to harden configs, etc.)

    1. diodesign (Written by Reg staff) Silver badge

      "MitM attacks on unencrypted network traffic do happen"

      This isn't about that at all, so you're more strawman builder than Satan's attorney.

      This is about forcing a nearby device to encrypt data with a key you know (0x00000000), and you can snoop on this data over the air to decrypt it.

      C.
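A small model of the failure mode diodesign describes, added here as an illustration (not code from ESET, The Register, or any chip vendor): a transmit buffer that is still flushed after the session key has been zeroed, beside the patched behaviour that discards it. The keystream is a SHA-256 stand-in for CCMP so the example runs on the standard library alone; the key, packet numbers and frames are constructed.

```python
"""Constructed model of the Kr00k transmit-buffer bug: after a disassociation the
temporal key (TK) is cleared to all zeros, and vulnerable firmware still flushes
queued frames encrypted under that zero key. SHA-256 stands in for AES-CCMP here."""
import hashlib
from dataclasses import dataclass, field

ZERO_TK = bytes(16)  # the all-zero temporal key left behind after disassociation


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the CCMP keystream: a function of the temporal key and packet number.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class WifiChip:
    tk: bytes
    drop_buffer_on_disassoc: bool          # True models patched firmware
    pn: int = 0                            # packet number, incremented per frame
    tx_buffer: list = field(default_factory=list)
    air: list = field(default_factory=list)  # (pn, ciphertext) frames visible over the air

    def queue(self, plaintext: bytes) -> None:
        self.tx_buffer.append(plaintext)

    def flush(self) -> None:
        for pt in self.tx_buffer:
            self.pn += 1
            self.air.append((self.pn, xor(pt, keystream(self.tk, self.pn, len(pt)))))
        self.tx_buffer.clear()

    def disassociate(self) -> None:
        # Session key is cleared on disassociation (an unauthenticated management frame).
        self.tk = ZERO_TK
        if self.drop_buffer_on_disassoc:
            self.tx_buffer.clear()   # patched: queued data is discarded, never transmitted
        else:
            self.flush()             # vulnerable: queued data leaves under the zero key


def observer_decrypt(air: list) -> list:
    # A passive listener knows the zero key, so it simply tries it on every frame.
    return [xor(ct, keystream(ZERO_TK, pn, len(ct))) for pn, ct in air]


def run_scenario(patched: bool) -> list:
    chip = WifiChip(tk=bytes.fromhex("00112233445566778899aabbccddeeff"),
                    drop_buffer_on_disassoc=patched)
    chip.queue(b"earlier frame, sent under the real TK")
    chip.flush()                              # normal traffic: protected by the real key
    chip.queue(b"GET /index.html HTTP/1.1")   # app data still queued when disassociation hits
    chip.disassociate()
    return observer_decrypt(chip.air)         # what the zero key recovers from the air
```

Only the frame that was still queued at the moment of disassociation is recoverable, and only on the vulnerable model; traffic sent under the real key stays opaque either way.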

      1. Nate Amsden

        Re: "MitM attacks on unencrypted network traffic do happen"

        Really seems like the poster is implying the concept is similar and the end result is the same, regardless if you are using an unencrypted wifi connection or you exploit something that allows you to decrypt the packets, you get the data the same. The likelihood of something like that happening is very low. Probably should be more concerned about connecting to public wifi in general and the infrastructure in place there (the stuff that sees the traffic after it is terminated on the AP with whatever wifi encryption is used etc).

        I go out of my way to avoid public wifi in general, out of just a little paranoia. I'll usually tether to my phone at hotels/etc even if it means a slower experience unless for whatever reason that is completely unusable (signal strength wise). I don't do any media streaming so generally my network data usage is quite low.

        1. foxyshadis

          Re: "MitM attacks on unencrypted network traffic do happen"

          Someone could park outside your house and spew disassociation packets. This vulnerability has nothing to do with public/private wifi, it's your device's failure case that's the problem.

          1. Muscleguy

            Re: "MitM attacks on unencrypted network traffic do happen"

            Do they need to know the name of your wifi to spew them or will my non broadcasting router still accept the spew despite being hidden?

            Most of my neighbours are using bog standard out of the box named equipment which will be much tastier targets than sniffing for our hidden wifi.

            1. Anonymous Coward

              Re: "MitM attacks on unencrypted network traffic do happen"

              Most of my neighbours are using bog standard out of the box named equipment which will be much tastier targets than sniffing for our hidden wifi.

              Yeah, the proliferation of WiFi networks starting with "BT" or "Virgin" or "SKY" are dead giveaways.

              My visible one is called 'DeadMansHandle'. The hackers can go for that with my blessing. Nothing other than guests use it.

              1. Peter Gathercole Silver badge

                Re: "MitM attacks on unencrypted network traffic do happen"

                Even your hidden ESSIDs for WiFi networks are visible, they just don't broadcast their name.

                I use Kismet on Linux to get a picture of the WiFi networks around me, which shows a very alarming situation where I stay when I'm working away from home. There are over 20 networks within range, over both 2.4 and 5GHz bands. Causes significant congestion and connectivity problems when everybody is streaming media in an evening.

                WiFi just doesn't appear to be that suitable for large blocks of flats.

                1. Nick Ryan Silver badge

                  Re: "MitM attacks on unencrypted network traffic do happen"

                  Other than being a fundamental problem with WiFi and sharing the available bandwidth along with the handshaking and cooperation protocols between all functioning devices in a channel... most auto-channel selection algorithms are so braindead that all they do is pick the same channel as every other Access Point in the area. End result? 12 devices on one channel and nothing on any of the others...

                  Yes, I'm aware that there is often badly behaving non-standard WiFi kit such as doorbells, garage remotes, baby-cams and so on abusing WiFi frequencies but the keenness for auto channel systems to use the same channel as every other device in the area seems to go way beyond such things.

                  WiFi tends to suck in any congested area - offices, high density housing and so on

            2. Nate Amsden

              Re: "MitM attacks on unencrypted network traffic do happen"

              My home wifi broadcasts. I wanted to disable it but then read that caused the clients to broadcast at least when they are not connected. I do have MAC filtering enabled. I know it's not difficult to spoof MACs, but it helps with the casual case of someone trying to connect, on top of an OK password (16 letters, 1 number, 1 special char, rest is average complexity).

            3. Roland6 Silver badge

              Re: "MitM attacks on unencrypted network traffic do happen"

              >Do they need to know the name of your wifi to spew them or will my non broadcasting router still accept the spew despite being hidden?

              I see the myth of hidden SSIDs as a security feature still persists. The laugh is that it is even less secure than NAT.

              Whilst your home AP doesn't send out its SSID in the usual way, it still does periodically send it out ...

              However, the biggest issue, is that instead of your AP sending out the SSID - all your devices have to now constantly broadcast your SSID in an attempt to locate your home network. It is a trivial job to build a listener AP that picks up these requests and then broadcasts the appropriate SSID, in response to which your device will automatically try to connect... Depending on the security and key strength you've used a session can be up and running in minutes...

              Personally, the best security mechanism I've determined is to camouflage your bog-standard out-of-the-box router by changing its SSID(s) to something else, e.g. Hogwarts (but not your actual address), as then an attacker has to do a MAC address lookup and some guesswork to try and determine which manufacturer's router you might be using and thus what vulnerabilities might exist.

              Now when out-and-about your devices will be listening for your SSID and not advertising it.

              Obviously, if you use well known public hotspots, you are still vulnerable when out-and-about to people running spoof APs for these services. However, at least they can't use services like Wigle to geolocate where your home AP might be...

              1. phuzz Silver badge

                Re: "MitM attacks on unencrypted network traffic do happen"

                "I see the myth of hidden SSIDs as a security feature still persists."

                It's about as secure as not putting a number on the front of your house, in an attempt to stop burglars.

            4. rcxb Silver badge

              Re: "MitM attacks on unencrypted network traffic do happen"

              will my non broadcasting router still accept the spew despite being hidden

              It's not "hidden" it's just not "advertising." That means your WiFi isn't broadcasting out its name every few seconds, when otherwise doing nothing. Whenever there's any traffic on your WiFi at all, the SSID is being sent out on every one of those packets, and is trivial to find. Disabling advertisements does nothing but make things harder for the already-inept.

              Just go install WiFi Analyzer on your mobile to see all the "hidden" devices in your area.

          2. Nate Amsden

            Re: "MitM attacks on unencrypted network traffic do happen"

            True but even more unlikely. Last I recall there were over 50 SSIDs broadcasting within range of my laptop. I'll add my home wifi is restricted similar to a DMZ, no access to my internal network. I use a nice Asus AP in 'AP' mode which hangs off a port on my OpenBSD firewall which handles DNS, DHCP, and general network routing.

            99.9% of the time my laptop, where I do the bulk of my computing, sits on my desk connected to ethernet. I do make use of a few powerline ethernet adapters that are on my internal network. I feel those are less vulnerable than wifi but not perfect. They have some limited encryption, but more importantly are protected to some degree since the signal has a hard time crossing an electrical breaker. Add the unlikely scenario that there is an attacker and I feel pretty safe. Though the thought has crossed my mind of locking that network segment down more.

            I'm sure my setup is overkill; I don't have much if anything worth trying to steal. So the paranoia is not justified. BUT as a systems and network person for over 20 years it's not difficult to set up and runs without trouble for years at a time.

            (Posted from my phone on home wifi about to get out of bed, 6:30am here)

            1. Mage Silver badge

              Re: powerline ethernet adapters

              They are radios. Someone nearby can connect without the wiring. The mains provides power and helps the transmission. They'll connect over an air gap if one end is on a generator!

              1. Roland6 Silver badge

                Re: powerline ethernet adapters

                >They are radios. Someone nearby can connect without the wiring. The mains provides power and helps the transmission. They'll connect over an air gap if one end is on a generator!

                Not seen any real problems with the HomePlug AV2 compatible adaptors (I run one within 12-inches of my HiFi's FM aerial) and connect my HiFi to the mains using the mains pass through socket - I do this just to see for myself the reality of the claims people make...

                Although this is the UK and not the US, so this might introduce some important differences.


                As for those complaining about noise on their audio system - if your audio system is that good why doesn't it already have at least ferrite collars or a filtering mains adaptor.

                The only problem I've seen is that they don't mix well, so best to use plugs from the same vendor and all running the same firmware release. As for security, well as usual don't use the manufacturer's default password/phrase and keep it long!

              2. ExampleOne

                Re: powerline ethernet adapters

                A proper power line adapter is not a radio, it is using the electrical power circuits as a medium. This is why surge protectors, breakers, UPS units, etc. cause issues with the connection.

                1. Mage Silver badge

                  Re: powerline ethernet adapters

                  No, they are radios in the sense that DSL is, just not tested as such. Only the very fastest models will interfere with FM. It's MW & SW they interfere with. In some cases the lighting wires radiate and DSL can suffer interference (same band), but that's rare.

                  Surge protectors, breakers, UPS units etc rarely cause problems but poorly filtered SMPSUs will stop them working.

                  At least they are encrypted.

                  Some get RFI certification by either not connecting to data or testing only one unit.

              3. phuzz Silver badge

                Re: powerline ethernet adapters

                Powerline ethernet works great in some buildings, but if your house is more than a hundred years old, then get ready for all sorts of fun. Like finding you have multiple separate loops in the same room, none of which can be used to connect to each other. Or, having to run an ethernet cable between two rooms, to bridge two separate circuits.

                (And you're probably trying out powerline ethernet because old houses and wifi often don't work well together)

    2. doublelayer Silver badge

      Re: Unpopular opinion

      As has been pointed out, that's not really at issue here. But also, it's not correct either. Of the various methods of getting attacked, MITMing is lower on the list of concerns, but it doesn't require nation-state level effort, and it doesn't have nation-state limited value. An attacker can set up a WiFi MITM device for relatively cheap. If it works for them, they can hope to grab some passwords, access tokens, or credit card numbers from you. True, at this point we've likely encrypted nearly everything that is that sensitive, but we've done this because at one point we didn't and we realized what a disaster it could be for people to pluck them out of our unencrypted network traffic. Not to mention that there are other things you can do with a functioning MITM system; I've only discussed the possibilities involved in reading network traffic, but sending some unexpected traffic to the user also offers some interesting possibilities, albeit at a higher risk to the attacker.

    3. DuncanLarge Silver badge

      Re: Unpopular opinion

      This is not a MitM attack anymore than stealing my car when I'm not in it is a hijacking.

  3. Chairman of the Bored

    Nice attack

    And I always thought that the only good use of a deauth was to clear the crowd off an AP so I could win a race condition and get access. Yes, that's a d__k move, but sometimes a guy's got to go aggressive...

    1. Anonymous Coward

      Re: Nice attack

      Hmmm I can use deauth for stopping my neighbors playing spotify loudly at 2am!

      1. Korev Silver badge

        Re: Nice attack

        You could also use death too, it'd be permanent too

      2. Anonymous Coward

        Re: Nice attack

        My neighbours use an old school hifi, and a plugged in, VERY LOUD, alarm clock. :(

    2. Roland6 Silver badge

      Re: Nice attack

      Agree, this exploit nicely breaches secure Enterprise WiFi configurations.

      Expect there are/will be many running government networks who will be looking at this in detail: if you're not running an approved VPN over your WiFi...

  4. Anonymous Coward

    "... and there are plenty of places for code updates to snag and never see the light of day."

    Pacific Ocean?

  5. Timmy B

    We all should keep a link to this article...

    For the next time our respective governments all tell us that only criminal types use a VPN....

    1. Sir Runcible Spoon

      Re: We all should keep a link to this article...

      "For the next time our respective governments all tell us that only criminal types use hack a VPN...."

      TFTFY

    2. DuncanLarge Silver badge

      Re: We all should keep a link to this article...

      > For the next time our respective governments all tell us that only criminal types use a VPN

      Or Tor.

    3. Kibble 2

      Re: We all should keep a link to this article...

      But doesn't the government maintain a number of VPNs?

  6. Anonymous Coward

    A lot of WiFi traffic may be local....

    ... should people set up VPNs between their mobe and their PC? Or between their PC and their partner? Or their NAS? And that's for home network. Think about company ones, and how big local traffic may be, not all of that encrypted.

    There's a lot to capture even in local traffic....

    1. DuncanLarge Silver badge

      Re: A lot of WiFi traffic may be local....

      Some local connections can be encrypted. My router uses a self signed HTTPS cert for access to its config pages.

      I use SSH/SCP to transfer files.

      SMB can be encrypted as can NFS, in fact anything can be sent over an SSH tunnel.

      1. Anonymous Coward

        Re: A lot of WiFi traffic may be local....

        Sure, everything can be encrypted - but how much is really encrypted inside LANs?

        1. doublelayer Silver badge

          Re: A lot of WiFi traffic may be local....

          Well, most web traffic is HTTPS now, and most machine-to-machine protocols in heavy use are encrypted as well with SSH having replaced many more classic ones. But you're correct, a lot of traffic isn't encrypted on a LAN. For that reason, we're usually somewhat protective of who we let onto our LANs. An exploit that lets an unauthenticated user read our traffic is much worse than one that lets others on our LAN read our traffic.

  7. Prst. V.Jeltz Silver badge

    Shame these chips don't see "zeroed" as below minimum standards for an encryption key

    1. DuncanLarge Silver badge

      I suppose that would only work if they were to assume that a key is required.

      Chips forming an open network won't use a key.

  8. Blazde Silver badge

    Nice Logo

    10/10 for effort, creative, strangely descriptive, and most of all no cheesy over-dramatic thunderbolts, ghosts, zombies, or mushroom clouds.

    1. Yet Another Anonymous coward Silver badge

      Re: Nice Logo

      So we don't have to worry about it because there isn't a picture of a 'hacker' in a hoodie with green matrix text as the background?

  9. Anonymous Coward

    But...

    Having singled out the iPhone (6S and later) as vulnerable, it's a bit disingenuous not to point out that Apple has patched the issue in the latest iOS updates (and ditto for MacOS). Also, it's not just Apple hardware that's affected and much of that isn't subject to such regular patching. Of course, as a vulnerability, it's one of those that exists but is a limited risk to the majority of users.

    1. WolfFan Silver badge

      Re: But...

      Just part of El Reg’s ongoing feud with Apple.

    2. Joe Gurman

      Re: But...

      Not even “the latest,” but in iOS and macOS updates from last October.

    3. James O'Shea

      Re: But...

      El Reg's attitude towards Apple has got to be so bad that I automatically discount at least 50% of anything bad they say about Apple, and automatically inflate by at least 50% the (rare) good things they say about Apple. El Reg's Apple-bashing has become quite reliable. They're like a certain movie reviewer I read; anything he likes I know that I won't, and anything he hates I know I'll like. When El Reg says something bad about Apple, there's usually a lot that's good which they don't mention. I go and have a look for myself, having been alerted to the possibilities of new features by El Reg's negative coverage. Thanks so much, Vulture Central!

      1. TheGriz

        Re: But...

        Come on, we all know Apple is the "Evil Empire". LOL

  10. EnviableOne

    Does this really matter

    seeing as KRACK exists and WPA3 is also broken

  11. JohnFen

    Problematic WPA2

    I stopped allowing non-VPN connections through my home WiFi a number of years ago (except for with the isolated open AP I run), because I don't trust WPA2 to provide anywhere near sufficient protection. There have been a few times that I've been happy that I did this, and this is one of those times.

  12. whitepines

    Proactive security

    Our reaction to the not-so-recent forced locking of WiFi device firmware was to treat the entire WiFi network segment (yes, it's a separate physical segment) in each building as hostile. Corporate WiFi (aside from the public encrypted AP, on its own separate network segment attached to the public side of things) gets you DHCP and a VPN server connection, everything else is blocked.

    Looks like the fears were in fact justified after all, and the proactive mitigation worked perfectly in the end since we don't have to change anything or disrupt business in any way due to this inevitable vulnerability in the closed source AP firmware. Happy days...

  13. KSM-AZ

    IMNSHO,

    WPAWEPFARTTURDTWAT is useful for allowing users on the Wifi network. Not protecting what's *IN* the Wifi network. YMMV
