Using WPA2 wireless? Patch up ASAP!


freeskier93

Senior member
Apr 17, 2015
487
19
81
Usually have to upload it to each AP with SSH then run a script that applies it. Not so much that it's hard, just I always forget the exact steps so end up spending some time fiddling around. I don't see any option in the controller to upgrade, but probably have to upgrade the controller too. Think I had to last time as it would not pick up the AP.

Upon quick google search I don't think they have the fix out yet, they are still testing, so I'll probably wait a bit before I do an upgrade.

3.9.3.7537 isn't a stable release yet but is available if you manually upgrade, here are the release notes and direct download links.

https://community.ubnt.com/t5/UniFi...37-for-UAP-USW-has-been-released/ba-p/2099365

To manually upgrade through the controller web interface; verify you have automatic updates disabled then under the device config tab expand "Manage Device" and there is a section for custom upgrade.

If you're on 5.5.x or older for the controller you need to ignore any prompts/notifications to "upgrade" because it will try to downgrade you to 3.8.x firmware. This will get you stuck in a boot loop because 3.9.x doesn't allow downgrades. If you are running controller 5.6.x you still need to ignore the upgrade because it will try to downgrade you to an older firmware version of 3.9.x.

I went ahead and upgraded my controller to 5.6.19 and then manually upgraded my AP AC Lite to 3.9.3.7537, runs just fine.
 
Reactions: Crono

Red Squirrel

No Lifer
May 24, 2003
70,542
13,792
126
www.anyf.ca
Oh wait, my controller is 3.2.10, I guess that is considered quite old if they are at 5.5.x. Guess I'll probably need to update that too.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
L7ikSm7.jpg
 

BarkingGhostar

Diamond Member
Nov 20, 2009
8,410
1,617
136
I would hope that while waiting on OEM to fix their firmware the act of turning off SSID, using MAC filtering, etc., might stem the tide of anyone looking to victimize you personally. Then again, it would have to be personal as what good are you and your low income fruit compared to much more rich targets? With the exception of cell phones and tablets (and Amazon FireTV Stick), everything else in my home is hardwired. But even that will not protect me from Equifax.
 

pcslookout

Lifer
Mar 18, 2007
11,959
157
106
I guarantee you your local wifi is way more 'secure' and less likely to be 'hacked' than all those places you order stuff from every day that keep all your information. Sometimes I really like living in the middle of nowhere by old people. I don't have to worry about all this fear mongering.

Old people can be hackers too.
 

RLGL

Platinum Member
Jan 8, 2013
2,115
322
126
Given their wonderful history with security updates, I'll bet that Verizon will recommend disabling Wi-Fi on your phone and upgrading your data plan to "patch" this issue :)

This is the very reason I use my phone for calls and texting only, maybe a pic or two. I have no financial anything on my phone. No banking app or credit card numbers or pay apps
 
Nov 8, 2012
20,842
4,785
146
I'm a bit confused, what exactly needs to be patched (Aside from the router obviously)

For example, if someone has an electronic lock on their door that connected to Wifi, will that need to be patched? If so, what would they patch? The Firmware?

As far as a desktop computer - someone mentioned windows released an update - I thought the fix would be a firmware or driver update for your wireless card?
 
Feb 25, 2011
16,992
1,621
126
I'm a bit confused, what exactly needs to be patched (Aside from the router obviously)

For example, if someone has an electronic lock on their door that connected to Wifi, will that need to be patched? If so, what would they patch? The Firmware?

Yup. Most of these routers and embedded devices are running a stripped-down version of Linux.

As far as a desktop computer - someone mentioned windows released an update - I thought the fix would be a firmware or driver update for your wireless card?

Apparently not. Drivers and chipset firmware are lower level stuff, I guess.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
It's interesting to note that in the demonstration video, he also uses an HTTPS stripper to exploit broken secure web sites in order to demonstrate the risk. It rather confuses the basic WPA2 security issue, but it also points up the fact that on secure web sites that are NOT broken, then the risks are minimal to non-existent.

 

spacejamz

Lifer
Mar 31, 2003
10,960
1,657
126
Is there anything that should be done to minimize risk for home networks until updated firmware for our routers get released? MAC Filtering will make any difference?
 

Yakk

Golden Member
May 28, 2016
1,574
275
81
MAC address spoofing is probably easier than this new hack. It won't do anything imo.

Even with updated router firmware, the clients need to be patched also.
 

[DHT]Osiris

Lifer
Dec 15, 2015
17,367
16,635
146
Is there anything that should be done to minimize risk for home networks until updated firmware for our routers get released? MAC Filtering will make any difference?
Go wired, or restrict your WiFi antennae power to not penetrate your external walls. Otherwise no, needs to be patched on AP and clients.
 

JimKiler

Diamond Member
Oct 10, 2002
3,561
206
106
all this talk about home routers, do you guys live in apartment buildings or townhouses? I would be more worried about connecting to wifi at say McDonalds than at home.
 

Red Squirrel

No Lifer
May 24, 2003
70,542
13,792
126
www.anyf.ca
all this talk about home routers, do you guys live in apartment buildings or townhouses? I would be more worried about connecting to wifi at say McDonalds than at home.

It's not so much about the risk of connecting to it, but the risk to your network. If your router is vulnerable and you don't have proper vlan segregation someone can hack your wifi and have full access to your network. If your wifi is on a separate vlan and you have firewall rules to restrict access to critical stuff like file servers then it's probably not as bad.
 

[DHT]Osiris

Lifer
Dec 15, 2015
17,367
16,635
146
Are transactions for https:// sites on devices connected via WPA2 still 'safe'?
https itself is safe (by various definitions of safe), depending on the implementation of it. Having said that, over 50% of implementation methods are likely insecure. In addition, many pseudo-common internal protocols used between hosts on a localized network aren't secure (by nature, weren't designed that way), and can pretty easily lead to some kind of root-level access given enough time.
 

Yakk

Golden Member
May 28, 2016
1,574
275
81
all this talk about home routers, do you guys live in apartment buildings or townhouses? I would be more worried about connecting to wifi at say McDonalds than at home.

Yup, any public wifi an unpatched phone can hook onto is a much bigger worry than a home router with limited range in a detached home. Still, I patched my router with the latest Gargoyle build. An apartment building can be slightly more worrisome, but it's the phones that are the bigger issue.
 
Feb 25, 2011
16,992
1,621
126
all this talk about home routers, do you guys live in apartment buildings or townhouses? I would be more worried about connecting to wifi at say McDonalds than at home.

Yes, I live in a townhouse, and can see about 20 wifi networks from my living room.
 
Reactions: pmv

Red Squirrel

No Lifer
May 24, 2003
70,542
13,792
126
www.anyf.ca
Wait so if client devices have to be patched too, how does that work for phones? Will regular updates actually fix that or does it require more effort?