This is wonderful. WPA2 has a critical flaw. One more reason to continue to distrust wireless.
[Update a few minutes later]
Well, apparently, so far Netgear is not on the case, so not clear what the implications are for our Orbi mesh. Guess until our phones get patched, good idea to not use wifi.
[Update a while later]
Here’s more information. My new phone is Android 7, so it’s affected, but I don’t generally use it with wifi. I’ll definitely avoid it, or at least avoid it for anything mission critical (like bank accounts), until it patches.
[Update a while later]
Now wondering about the Sony Blu-Ray player. Does this make it vulnerable to becoming a DDoS attacker? Wonder if there’s any way to patch it, and if there is, or will be, a patch?
[Mid-morning update]
Nothing online about patching the player; I’ve tweeted a request to @SonyElectronics. Meanwhile, here’s more info at Ars Technica.
[Update a few minutes later]
Here is the web site for the attack technique, with a lot of technical detail.
Guess I have another reason to check my WiFi Router’s vendor page for firmware updates. Glad I don’t own or run any network servers.
FYI Rand, for your bank accounts you are undoubtedly running HTTPS anyway, so that’s another layer on top of your WPA2 encryption and likely far superior to anything that’s running on your router. But some folks aren’t happy unless they are using a wire, so there’s that. The claim is this flaw is patch-able and there are no known exploits in the wild (yet). So we wait… It’s a horse race. Around turn 4 it’s Patches in the lead with Exploits trailing by a half….
C’mon Patches!
Yah. The only sane assumption is that anything going over the internet is exposed anyway, so I’m not sure this actually makes anything worse in practice (I guess they’ll know that you were talking to your bank…). Everything should be using connection-level encryption anyway…
The default assumption should just be there is no security. Encrypt everything. Don’t give out any data you don’t absolutely have to. Assume the people that hold your data have disgruntled employees.
Security people will tell you you shouldn’t do online banking on your phone anyway.
It’s the only way I have to deposit a check without mailing it to my bank.
Wifi networks are vulnerable to this when a malicious person is logged in. At home at least, if you don’t run an open guest network, you should be safe — but checking who’s connected isn’t a bad habit.
In my case, anyone wanting to access my home network would have to be on the premises and have the passcode.
Obviously, open wifi networks at stores or restaurants are another matter.
And this is why everything should use SSL (by which I mean TLS 1.2) anyway.
Everything that can possibly be remotely sensitive in any way.
Doesn’t matter nearly as much (at all, for most people) if people can see your WiFi traffic if the traffic itself is securely encrypted.
(And it sure would be nice if there was a basically automated way to do a local VPN over WiFi that “everything” supported, but that’s a pipe dream until people care.)