Details are scarce at the moment as more details will be published soon. But I would recommend everybody to stop using WiFi completely by disabling it at home, and not connecting to anything in public either. It seems to be a protocol level exploit, so it's not yet sure whether this can easily be patched. Stay safe, all!
"This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection."
I was just coming here to report this to the forum. To see that it has already been solved speaks volumes about the power of an active open-source community.
That is very good news! Will patching the router firmware be sufficient to mitigate this attack, or will the clients also need to be updated? And thank you very much to the developers for all their hard work! Amazing to see a fix already pushed
Hi! Total noob question: how do I install these patches? I currently run LEDE Reboot 17.01.0-rc2 r3131-42f3c1f / LuCI e306ee6c93c1ef600012f47e40dd75020d4ab555 branch (git-17.033.24085-e306ee6)
(In any case, strange that you are still using the release candidate 17.01.0-rc2 instead of the actual releases 17.01.0, 17.01.1 17.01.2 or 17.01.3 ...)
For Fedora I assume these fixes will be incorporated through regular updates or "dnf update"?
What about our 2 android phones?
And what about my Windows laptop?
Can this exploit still be triggered if the AP is patched, but the clients are not? And is there any way to check whether my devices are vulnerable or not?
You're missing important security patches in that case. If things break from one release to another, please report it to LEDE bugtracker so a fix can be pushed https://bugs.lede-project.org/
Running outdated versions is never a good solution
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients.
For ordinary home users, your priority should be updating clients such as laptops and smartphones.
@AmbientSummer Interesting. But then why does the AP require these updates? Does this also effectively solve the issue? Or will the clients also need an update?
"you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes)" and something something "fast roaming".
Seems pretty clear that all clients need to upgrade. Some AP boxes just happen to also be configured as clients of an upstream AP.
The official FAQ seems to recommend concentrating on the clients and not worrying too much about the AP. Which is good for the millions of unpatchable APs out there! I think you're right to want a bit more clarification though.
I suppose Windows will be updated via "Windows Update" patches.
In my opinion the problem will be for TV/Phones.
Many brands don't update their firmware because they prefer to sell you a new TV/Phone/etc... with a patched version of wifi, instead of updating the old devices.