Prism2v2 Wifi PCMCIA cards & KRACK vulnerability?

[spudje]

So a month ago a WIFI WPA2 vulnerability has been published: https://blog.mojonetworks.com/wpa2-vulnerability And now, we with our old devices may be left at (limited) risk.

Assume our Prism2v2 pcmcia cards we use for our A600/A1200s to hook up to our WLAN also contain this vulnerability, how do we fix?

Is this something that has to be done on the firmware level. I fear we then can forget about a fix on an old piece of hardware like this? Or is this something that can be fixed in the prism2v2 device driver? How realistic is it to expect an update there? Or finally is this something that can be fixed in the TCP/IP stack (doubtful), so e.g. Roadshow. I guess just from an active development community the TCP/IP stack update seems the most realistic one to happen, if only it could be fixed on that level.

[Amiga1992]

I was under the impression the main risk is on routers.
But yeah, the fix has to be done at firmware level, so if they need it, then, well, that's the end of it.

Do those cards even support AES2? If you are using WEP, you already are vulnerable to a myriad of attacks.

[spudje]

No, it's actually a vulnerable way of implementing WPA2 on the clients that is the risk here!

Yes they support WPA2-PSK AES, they don't support WPA2 enterprise unfortunately, which is not vulnerable.

[AmigaBoy]

Quote:

Originally Posted by Akira

I was under the impression the main risk is on routers.

Nope. It's a replay attack during the handshake on all WPA2 enabled devices. You have to update drivers/firmware for every single device. If a device is too old to receive an update, it (and your network) will forever be vulnerable.

[Amiga1992]

OK thanks for that, then.
So, Amiga networking is, as far as we know, forever unsafe, then. As long as you use Wifi.

Time to wire them up.

[spudje]

Yes, bring on that Vampire v4 for the A1200 and a working ethernet driver

[Daedalus]

There are already PCMCIA wired ethernet controllers that work fine on the A1200 without a Vampire.

[spudje]

I know, I even have one, but it's an ugly impractical solution the cable sticking out on the side. I hopefully find a nicer way to wire the ethernet cable into the A1200 to the vampire.

[modrobert]

Quote:

Originally Posted by AmigaBoy

Quote:

Nope. It's a replay attack during the handshake on all WPA2 enabled devices. You have to update drivers/firmware for every single device. If a device is too old to receive an update, it (and your network) will forever be vulnerable.

Actually, the KRACK attack is kind of limited. The hype is mainly because most people misunderstand the scope of it.

A WiFi router will only be affected if it acts as a "client", for example when configured as a repeater or similar role, when configured as a standard router it is not affected.

Some things to consider...

There is no way for the KRACK attack to be used in order to retrieve the router WiFi password, so that is safe.

If you have several patched (up to date) computers/mobile devices logged in as "clients" on the WiFi network, these will not be affected just because you have one vulnerable computer on the network.

The attacker, after triggering the vulnerable client handshake, will only be able to decrypt traffic between the vulnerable client and the router. In effect this means that if your Amiga is the only vulnerable client on the WiFi network, after much effort trying to decrypt that slow 802.11b (11mbit) traffic, these are the only packets the attacker can see, between the Amiga and the router, every other updated client on your WiFi network is safe. Keep in mind the attacker can only do this decryption while actively being in range of your WiFi network. If you are not sending any packets from a vulnerable client, then there is nothing to decrypt.

Also, if you are using HTTPS on a vulnerable client (doubt you will do that from classic Amiga though, it's too slow), then the attacker will have to break that encryption separately, and that is just as hard as it is to break HTTPS in general, no benefit of using the KRACK attack.

In other words, just avoid doing your bank business online using a plaintext HTTP browser on the Amiga and you will most likely be fine.

More info here, straight from the source:
https://www.krackattacks.com/

[AmigaBoy]

Quote:

Originally Posted by modrobert

If you have several patched (up to date) computers/mobile devices logged in as "clients" on the WiFi network, these will not be affected just because you have one vulnerable computer on the network.

The attacker can masquerade as that device and intercept/modify packets once they have access. The only way to ensure complete security is go wired, or update every device on the network.

Quote:

Originally Posted by modrobert

just as hard as it is to break HTTPS in general

There's tools that break HTTPS. I haven't looked into them, but I assume there's brute forcing involved.

But as you said, all of this is only relevant if you're within the Wi-Fi's range. If you live in a remote area, you've probably got nothing to worry about.

[modrobert]

Quote:

Originally Posted by AmigaBoy

The attacker can masquerade as that device and intercept/modify packets once they have access. The only way to ensure complete security is go wired, or update every device on the network.

Yes, an attacker can inject packets but only in the session between the vulnerable client and the router, not with other patched clients on the same WiFi network.

Quote:

Originally Posted by AmigaBoy

There's tools that break HTTPS. I haven't looked into them, but I assume there's brute forcing involved.

Yes, but those tools works regardless if KRACK is used or not, and it's not trivial.

Quote:

Originally Posted by AmigaBoy

But as you said, all of this is only relevant if you're within the Wi-Fi's range. If you live in a remote area, you've probably got nothing to worry about.

What I meant about being in range is that WiFi behaves a bit like Ethernet packet wise, an attacker have to actually catch some packets from a vulnerable client (Eg. Amiga) at the precise moment when the victim is doing that bank login (or whatever). Decrypting a few irrelevant packets doesn't mean the attacker "have the keys to the kingdom".

Again, read the info on the site I linked in previous post, it's written by the security researchers who discovered the flaws and named it KRACK. Granted, the researchers in this case tend to apply some naive "better safe than sorry" attitude because the website has been hammered with traffic and questions about the vulnerabilities, so they try to keep it simple.

It's important not to encourage the fearmongering, be realistic.


PS: The security researchers uploaded the exploit info to an academic institution website on the 19th of May, 2017. However, KRACK was not announced until 1st November, 2017. The academic institution who had these files for review between May and November is known to be compromised by NSA, CIA and others, so they have no doubt used this exploit in the wild during the time until announcement.

[Daedalus]

Quote:

Originally Posted by AmigaBoy

The only way to ensure complete security is go wired, or update every device on the network.

The only way to ensure complete security is to isolate all machines completely. It's all about balancing convenience versus risk. If you're occasionally using the connection to download a few LHAs from Aminet, you really have very little to worry about. It's not like you'll be doing much serious internet use on an A1200 anyway, anything even remotely interesting will surely be done using other, updated devices.

[Sir_Lucas]

@spudje
What I think here is that you are overreacting. No one uses online banking or any other serious stuff with their Amigas. Someone will break my WPA2 password to steal what, my aminet patches, whdload games, modules?

What about WPA/TKIP cards/protocol? Is it safe to use?

[spudje]

Well, my only realistic concern is a potential attacker retrieving my samba credentials, as that is what is exchanged between Amiga and NAS over wifi. He could then break in, steal my NAS and access my data, or hack it via the internet. I know, pretty paranoia, but still Guess I'll make myself a separate SMB account for my amiga clients with only limited access to the NAS.

[modrobert]

Quote:

Originally Posted by Sir_Lucas

What about WPA/TKIP cards/protocol? Is it safe to use?

No, older WPA is affected, as well as "enterprise".

For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES.

Quote:

Originally Posted by spudje

Well, my only realistic concern is a potential attacker retrieving my samba credentials, as that is what is exchanged between Amiga and NAS over wifi. He could then break in, steal my NAS and access my data, or hack it via the internet. I know, pretty paranoia, but still Guess I'll make myself a separate SMB account for my amiga clients with only limited access to the NAS.

I think that's a legit concern, it could be done in theory at least.

What I did was letting the Amiga use my open guest "/temp" SMB (Samba) resource. It's not ideal to have a read/write access to a SMB share without requiring a valid user login, but at least there are no user login credentials leaking when the WiFi network is under attack.

[Sir_Lucas]

Quote:

Originally Posted by spudje

Well, my only realistic concern is a potential attacker retrieving my samba credentials, as that is what is exchanged between Amiga and NAS over wifi. He could then break in, steal my NAS and access my data, or hack it via the internet. I know, pretty paranoia, but still Guess I'll make myself a separate SMB account for my amiga clients with only limited access to the NAS.

The only thing that I can suggest to make you feel a bit less paranoid is to remove your WIFI PCMCIA card from your Amiga, put it into a drawer and get an ETHERNET wired card. Either cnet or 3com drivers will solve all your issues.

[illy5603]

Quote:

Originally Posted by Akira

OK thanks for that, then.
So, Amiga networking is, as far as we know, forever unsafe, then. As long as you use Wifi.

Time to wire them up.

I use an IOGEAR Universal Wi-Fi N Adapter GWU627W6 and plug my wired ethernet card into it so it is plugged into something modern that will hopefully stay updated.

[rare_j]

Quote:

Originally Posted by spudje

Well, my only realistic concern is a potential attacker retrieving my samba credentials, as that is what is exchanged between Amiga and NAS over wifi. He could then break in, steal my NAS and access my data, or hack it via the internet. I know, pretty paranoia, but still Guess I'll make myself a separate SMB account for my amiga clients with only limited access to the NAS.

I think for a long time smb has supported password encryption during authentication. So that would need to be broken as well.

[modrobert]

Quote:

Originally Posted by rare_j

I think for a long time smb has supported password encryption during authentication. So that would need to be broken as well.

Good point, looks like password encryption was added to smbfs back in 2000.

https://sourceforge.net/projects/ami...smbfs%201.102/

[spudje]

Oh that's good to know, thought this never made it into Amiga SMB versions. I'll should look into this!