definitely ios 11.04 today

I would like to see a statement from Apple on the status of all their product lines, but I wouldn't be surprised if the fix for this was in one of the previous minor updates for iOS. They've known about this for some time, and multiple vendors have already silently patched the issue.
 
  • Like
Reactions: Chupa Chupa
Will Apple patch an a/c Airport Extreme? Or is it time to purchase a new router? Suggestions for seamless Mac use? :apple:
Having been burned by my Time Capsule after the latest MacOS update (I couldn't recover my files), I went out and bought a new router and NAS machine, both of which were NetGear. The router is their R9000 X10 - which is kind of cool as it provides for ethernet port aggregation between two NICs. And I got NetGear's ReadyNAS 212 storage - which coincidentally also is set up for port aggregation, which means the speed of throughput is double what it normally would be. It's a sweet setup. Bonus: it recognizes Apple products, and has a built in component to specifically allow for Time Machine backups.

It's early days yet (I just set everything up during the past week), but so far I'm pretty happy with both (expensive as they were).
Goes without saying, but keep that firmware updated. Netgear wifi routers suffered from some nasty vulnerabilities last year.

Apparently, a lot of former Airport users like Synology's RT2600ac. No port aggregation but a big "app-store"-like repository for all kinds of packages to customize for a lot of use scenarios. I have no personal experience with it but it's come up a lot in my own Airport replacement search.
 
re: unsecured public wifi networks:

hQXIUgu.jpg
 
Microsoft has already released a patch and Apple hasn't even said anything yet. Kinda disappointed here. Hopefully they say something soon.
 
  • Like
Reactions: J.J. Sefton
Your sarcasm aside that plan only works if you live in a one room studio. For the rest of us who live in homes with multiple rooms, some on multiple floors, and no Cat-5 running in our walls Ethernet isn't really a solution, no matter if it's built-in or requires a dongle.
The first thing I did when I moved was hardcable every room.
 
The first thing I did when I moved was hardcable every room.

Congratulations. You either have tons of spare cash or very few rooms. To retrofit my house with one outlet in every major room would cost me $4K -- that would be for the wiring. Repairing the holes and repainting to decent match would be a couple grand more. I know this because I got a couple estimates when I moved in and was turning the loft into a home theater. For most of us it's just not practical, sorry. If I was building a new house, sure.
Goes without saying, but keep that firmware updated. Netgear wifi routers suffered from some nasty vulnerabilities last year.

It does. Unfortunately a huge % of consumers ignore these kinds of updates either because they think updates are a nuisance and overdone or don't realize they exist. Technology exists to push updates to devices now without any consumer intervention. Manufacturers really should do that where possible -- allowing for an opt-out for more tech inclined users and IT departments that understand the importance of updates.
 
I've been seeing a lot of misinformation about this. This vulnerability only affects CLIENTS. So unless your AP is bridging to another AP, updating the AP will do no good. The clients themselves must be updated.

Then why did Vanhoef (one of the researchers) say, "a patched client can still communicate with an unpatched access point"? Sounds like both need to be patched for it to be fully fixed, though it's not clear to me what an unpatched AP would do besides not participate in helping an unpatched client fall victim to this problem (though I assume this could be used by someone who knows what they're doing to gain access to an otherwise password-protected network).

Time for AirPort Extreme firmware update...

Yeah, I hope Apple updates several generations back of these devices, like when they went back to iOS 6 for the Heartbleed bug due to its severity. Or, at the very least, I hope they haven't given up on these devices entirely, otherwise I'll have to accelerate my search for another vendor.
 
  • Like
Reactions: LauraJean
Not surprised! Get your cables on! Use HTTPS! No Banking on WiFi!

Lmao ...
I recall learning to use Fedora Core 2 & 3 about 16yrs ago (?) with an Atheros DLink WiFi (802.11b/g) card - since back then manufacturers did not release nor create compatible drivers for Linux - and a similar application to Wireshark (cannot recall the name although layout was similar) to decipher data.

I first checked data on a specific wifi network, limited connection. Then I spoofed the MAC address of one of the PCs connected (effectively bumping off that PC). Then used a similar app to Wireshark to look at the data that computers on the network were sending and receiving. Since the app was a trial I could only view partial data.
 
Then why did Vanhoef (one of the researchers) say, "a patched client can still communicate with an unpatched access point"? Sounds like both need to be patched for it to be fully fixed, though it's not clear to me what an unpatched AP would do besides not participate in helping an unpatched client fall victim to this problem (though I assume this could be used by someone who knows what they're doing to gain access to an otherwise password-protected network).

It can be patched on both sides, and only one side needs patched to be safe. So either the client can be patched or the AP, or both.
 
  • Like
Reactions: jhfenton
Ubiquiti had a number of compatibility issues with Apple hardware in their AC Pro line that kind of swore me off them for a bit. I still have two of them in the closet but I kind of gave up on them after months of beta firmware updates trying to resolve the issues. When it did work their throughput to individual clients also tended to be about half of my AirPort Extreme (they tend to be optimized for a bunch of simultaneous clients rather than a small number of high speed connections).

Not saying they make bad equipment, but there are some tradeoffs involved. I love their routers, but have never been impressed by their wireless gear.

Interesting. I have an EdgeX router and an AP Lite and it's been some of the best equipment I've used. The initial AP settings were set conservatively, so I changed them and it's been the fastest equipment I have owned. The AP replaced an Airport Extreme I had. The PoE also made it easy to put the WAP in the best location to serve my house. The only downside I have experienced with the equipment is that you have to be technical - there is no plug and play.
 
Yes. Way too many people are glossing over this. It is the clients, e.g., Macs, iPads, and iPhones that need to be updated. Not the routers.
Actually, the problem can be fixed by fixing either the device or the router.

WPA 2 has a feature that when the negotiation between client and router fails after three of four steps, then they can start negotiating after step 3, and this goes wrong. If either client or router refuses to renegotiate everything is fine.
 
  • Like
Reactions: jhfenton
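
An added example, not part of any post in this thread: a toy model of the client side of the handshake described above, showing why accepting a resent message 3 is a problem and what a patched client does instead. The class, function names and key are constructed for illustration, and the HMAC-based keystream is a stand-in for WPA2's real cipher.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Stand-in for the per-packet keystream: same (key, nonce) gives same bytes.
    return hmac.new(key, nonce.to_bytes(8, "big"), hashlib.sha256).digest()[:length]

class Supplicant:
    """Toy client side of the 4-way handshake (constructed model)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.next_nonce = 0
        self.nonces_used = []

    def on_message3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the session key.
        if self.patched and self.key == ptk:
            return  # key already in use: keep the packet counter as it is
        self.key = ptk
        self.next_nonce = 1  # installing a key resets the packet number

    def send(self, plaintext: bytes) -> bytes:
        nonce = self.next_nonce
        self.next_nonce += 1
        self.nonces_used.append(nonce)
        ks = keystream(self.key, nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

P1 = b"frame one data.."  # constructed sample frames
P2 = b"frame two data.."

def run(patched: bool):
    ptk = b"constructed-session-key"
    sta = Supplicant(patched)
    sta.on_message3(ptk)   # first delivery of message 3
    c1 = sta.send(P1)
    sta.on_message3(ptk)   # message 4 was lost, so message 3 arrives again
    c2 = sta.send(P2)
    return sta.nonces_used, c1, c2

def nonce_reused(patched: bool) -> bool:
    nonces, _, _ = run(patched)
    return len(set(nonces)) < len(nonces)

if __name__ == "__main__":
    print("unpatched reuses nonce:", nonce_reused(False))
    print("patched reuses nonce:  ", nonce_reused(True))
```

With the unpatched client both frames are encrypted under the same key and packet number, so XORing the two ciphertexts cancels the keystream; the patched client keeps counting and the frames stay independent.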
Interesting. I have an EdgeX router and an AP Lite and it's been some of the best equipment I've used. The initial AP settings were set conservatively, so I changed them and it's been the fastest equipment I have owned. The AP replaced an Airport Extreme I had. The PoE also made it easy to put the WAP in the best location to serve my house. The only downside I have experienced with the equipment is that you have to be technical - there is no plug and play.

Like I said, I love their routers. I've got an EdgeRouter-POE serving the house right now and I've deployed them in plenty of other locations. Dealing with this thread kind of made me back away, though. 93 pages of debugging and a LOT of beta firmware to try and diagnose the issues. I consider myself a fairly technical guy (I have a fair amount of experience developing network traffic analysis appliances for large enterprises) but that doesn't mean I want to spend a lot of time tweaking settings trying to find the magic combination to attain acceptable performance when there are solid alternatives that are less work to manage. It sounds too much like taking my job home with me. :) I ended up putting my AirPort back in place as an AP only. Looks like it may be time for me to start looking at new options again if Apple remains silent.

https://community.ubnt.com/t5/UniFi...s-with-UAP-AC-PRO/td-p/1431847/highlight/true
 
Not according to the articles I've read. Any client involved in the handshake is vulnerable and that includes the WiFi router/access point as it is a client.

Wireless APs can have two modes, AP mode and STA mode. They are only affected when in STA mode. STA mode has the AP acting as a client, so this is typically when you have an AP connecting to the network via a wireless backhaul (don't have cabling available) and/or in a mesh type setup. It also affects if you have 802.11r fast roaming enabled and are in AP mode, but this is usually only found in higher end enterprise setups, and sometimes in mesh setups (Eero, Google WiFi, etc, although I don't know if either of those actually implement r).

That being said, it looks like a patched AP only in AP mode can mitigate the attack so that an unpatched client can be safe on that network. But the client IS the more important part to get patched.
 
  • Like
Reactions: belvdr
It can be patched on both sides, and only one side needs patched to be safe. So either the client can be patched or the AP, or both.
This is not quite true. The device making the final step of the connection needs patched. This is normally the client device, but in the case of roaming clients with 802.11r, it is the AP.
 
I got an email from my router's manufacturer about a firmware update last week. That is the first time I have ever received an email from them about a firmware update.

I wonder if it was about this.


Update: I looked on the manufacturer's website, and it appears as though the update was about this. :)
 