Jump to content


Photo
- - - - -

WPA2 Cracked?


  • Please log in to reply
17 replies to this topic

#1 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 16 October 2017 - 06:50 PM

This article details an attack on wpa2. The second tells about VPNS leaving users insecure. It does not list them the ones it allegedly tested. Can anyone from Air comment on the points in the second, and tell whether or not Air is sufficiently protected against such?

https://www.krackattacks.com

This is the link specific to VPNs

https://arstechnica.com/information-technology/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/

Sent from my LG-LS777 using Tapatalk

-Veritas


#2 DarkSpace-Harbinger

DarkSpace-Harbinger

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts
  • LocationThe Bleak Lands

Posted 16 October 2017 - 09:27 PM

First, the article mentioning VPN's is many months old by now.

 

Second, if your worried that AirVPN isn't encrypting your traffic i would implore you to use Wireshark or similar packet sniffing tools to look for yourself.

 

Third, i cannot vouch for OpenVPN exactly, but i would believe any failure to encrypt or other nefarious activities is the sole responsibility of the VPN provider and isn't a flaw in OpenVPN itself.



#3 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 17 October 2017 - 12:24 AM

Well, appreciate the response, you kinda missed the point, but thanks anyway. Decent info

Sent from my LG-LS777 using Tapatalk

-Veritas


#4 shaunschwarzenegger

shaunschwarzenegger

    Newbie

  • New Members
  • Pip
  • 1 posts

Posted 17 October 2017 - 12:26 AM

It is troubling, WPA2 is a very common form of Wi-Fi protection.



#5 Treiberschreiber

Treiberschreiber

    :() { :|: & }; :

  • Members
  • PipPipPip
  • 2430 posts
  • LocationGermany

Posted 17 October 2017 - 02:17 PM

The second link seems to analyze VPN apps locked to some provider. As AirVPN didn't publish an Android app of their own but falls back to general-purpose VPN apps such as the official one and Schwabe's OpenVPN for Android, it's impossible to give you the answer you desire. I've been using OpenVPN for Android for many years now and Mr. Schwabe fixed vulnerabilities in his app very fast. :)

As for the WLAN vulnerabilities, some distributions of Linux have fixed wpa_supplicant, including Debian for example. I'm more worried about Android phones out there, anyway. :D

Sent via Tapatalk. Means, I don't have a computer available now.

Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs is the proper way to heaven.
Same issues are rare! Search for solutions and if not successful open your own threads.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

 


#6 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 17 October 2017 - 03:01 PM

The second link seems to analyze VPN apps locked to some provider. As AirVPN didn't publish an Android app of their own but falls back to general-purpose VPN apps such as the official one and Schwabe's OpenVPN for Android, it's impossible to give you the answer you desire. I've been using OpenVPN for Android for many years now and Mr. Schwabe fixed vulnerabilities in his app very fast. :)

As for the WLAN vulnerabilities, some distributions of Linux have fixed wpa_supplicant, including Debian for example. I'm more worried about Android phones out there, anyway. :D

Sent via Tapatalk. Means, I don't have a computer available now.

Thanks so much! Appreciate your response :) Literally never considered that aspect. Thank for the lengthy explanations very helpful.

Sent from my LG-LS777 using Tapatalk

-Veritas


#7 serenacat

serenacat

    Advanced Member

  • Members
  • PipPipPip
  • 211 posts

Posted 17 October 2017 - 10:35 PM

"worried about Android phones out there"

Some of the mainstream press covers updates coming from Apple/Microsoft/Linux, and warnings about free wifi hotspot routers.

But not the risks from all the smartphones which will never get security updates due to the forced obsolete policies of manufacturers and carriers, and no updates for IOT smarthome devices.

One might expect malware which uses this as a breakin vector, but bundles more insidious keyloggers or ransomware or bots or coinminers for payload.

And "greyweb" code for highschool "pranksters" to turn on various TV and audio devices at full volume at random times, or all the heating from aircons, ovens and stoves, in own and neighbouring apartment blocks, as a dangerous "prank" or deliberate attack.



#8 Baygon777

Baygon777

    Newbie

  • New Members
  • Pip
  • 2 posts

Posted 18 October 2017 - 12:32 AM

So it will still possess a significant risk even if we use OVPN on Android huh? Even if we connect to Airvpn in it. Guess I'm gonna go with my mobile connection then! On another note, I believe sticking with wired connection or only browsing https pages is recommended on PC, though I'm sure that AirVPN is more than enough since it also encrypt your traffic data before sending it out. 



#9 serenacat

serenacat

    Advanced Member

  • Members
  • PipPipPip
  • 211 posts

Posted 18 October 2017 - 07:46 AM

"significant risk even if we use OVPN on Android"

Now I have read up more about the problem at:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/?comments=1&start=0

rather than just the news media over breakfast.That is a good writeup of the vulnerability.

Better to have OVPN/Air on end devices such as smartphones/tablets/PCs rather than the router/accesspoint for an extra trusted encryption layer on the wifi links. Perhaps Air should allow more concurrent connections per account ? Still problems with plaintext captured within the local home/office wifi network not routed through the VPN.



#10 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 19 October 2017 - 03:41 AM

"significant risk even if we use OVPN on Android"
Now I have read up more about the problem at:
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/?comments=1&start=0
rather than just the news media over breakfast.That is a good writeup of the vulnerability.
Better to have OVPN/Air on end devices such as smartphones/tablets/PCs rather than the router/accesspoint for an extra trusted encryption layer on the wifi links. Perhaps Air should allow more concurrent connections per account ? Still problems with plaintext captured within the local home/office wifi network not routed through the VPN.

I've been a long time supporter of Air. I'd also love of they allowed more connections. Anyone else? Perhaps we could petition for more? At the very least, I'd be willing to pay a little more for more connections.

Sent from my LG-LS777 using Tapatalk

-Veritas


#11 in1t3r

in1t3r

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 19 October 2017 - 02:50 PM

Well the krackattack is more troubling openvpn is software use by many companies and many users its source code is available on the github so it have many eyes peer review. Implementation on the android might be susceptible to a problems but that is usually not the biggest problem with android and cell phones as there are many other attacks that could compromise integrity of your phone or your network usage on the android. The other big flaw is usage of Java language which is susceptible to many flaws so the main problem is not the protocol itself but its proper implementation.

 

Basically your cellphone is secure only when all of your radio devices are off and even then there are simple ways to sniff your traffic on the device once the malicious code get onto the device once it turn on again.

I don't trust Android as I don't like Java I know to program in Java and I know about quite a bit of ways to misuse app sandboxing on android. Also there is a problem with network based attacks like SS7 attacks and problems with a firmware which is usually closed sourced by the chip manufacturer so if you are trying to be private on android or iPhone that is impossible. You can just mitigate some of the possible attack surfaces. That is why a pure Linux phone like the Librem will be quite a bit of improvement for users who want privacy and still want to use cellphones I mean so called "smartphones". With the other old school phones you are in an even bigger problem as they are usually not updated for newer standards so you are using them only for a voice communication that is prone to interception. So the only smart way of using the voice communication on Android is usage of Signal or Telegram if you trust telegram people and there encryption system. End2End encryption is the only way to make sure your message sent from A to B that are seen by the eavesdropper cannot be actually decrypted so the eavesdropper can only know that you are using encryption for communication. Which then in turn can make you a target for a infection of the device. 

So anyway my point was do not use android or iOS based things for any important communication as they are prone to be really easy target for any type of hackers.



#12 Treiberschreiber

Treiberschreiber

    :() { :|: & }; :

  • Members
  • PipPipPip
  • 2430 posts
  • LocationGermany

Posted 19 October 2017 - 07:14 PM

Well the krackattack is more troubling openvpn is software use by many companies and many users its source code is available on the github so it have many eyes peer review. Implementation on the android might be susceptible to a problems but that is usually not the biggest problem with android and cell phones as there are many other attacks that could compromise integrity of your phone or your network usage on the android. The other big flaw is usage of Java language which is susceptible to many flaws so the main problem is not the protocol itself but its proper implementation.

Basically your cellphone is secure only when all of your radio devices are off and even then there are simple ways to sniff your traffic on the device once the malicious code get onto the device once it turn on again.

I don't trust Android as I don't like Java I know to program in Java and I know about quite a bit of ways to misuse app sandboxing on android. Also there is a problem with network based attacks like SS7 attacks and problems with a firmware which is usually closed sourced by the chip manufacturer so if you are trying to be private on android or iPhone that is impossible. You can just mitigate some of the possible attack surfaces. That is why a pure Linux phone like the Librem will be quite a bit of improvement for users who want privacy and still want to use cellphones I mean so called "smartphones". With the other old school phones you are in an even bigger problem as they are usually not updated for newer standards so you are using them only for a voice communication that is prone to interception. So the only smart way of using the voice communication on Android is usage of Signal or Telegram if you trust telegram people and there encryption system. End2End encryption is the only way to make sure your message sent from A to B that are seen by the eavesdropper cannot be actually decrypted so the eavesdropper can only know that you are using encryption for communication. Which then in turn can make you a target for a infection of the device.

So anyway my point was do not use android or iOS based things for any important communication as they are prone to be really easy target for any type of hackers.

With this mentality, please cease usage of all mobile devices, including computers. :)

Sent via Tapatalk. Means, I don't have a computer available now.

Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs is the proper way to heaven.
Same issues are rare! Search for solutions and if not successful open your own threads.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

 


#13 serenacat

serenacat

    Advanced Member

  • Members
  • PipPipPip
  • 211 posts

Posted 19 October 2017 - 08:04 PM

I think top priority for offices such as legal firms should be to run ethernet cable to printers usually accessed by wifi as entire documents and printed emails would be easily copied when wpa2 "crackers" are for sale on the "darkweb", and used by "private investigators"/"guns for hire" operators. Wifi frequencies allow directional focus with much longer range with quite small antennas hidden behind darkened vehicle windows etc. Interception of file share / file server traffic would require more complex reassembly and not sure of encryption options. Plenty of work for the cable guys (funny movie).

A drug gang near here, that got busted by a "turncoat", avoided police and court evidence by only meeting after stripping down to swimming trunks and swimming a few hundred meters out in the harbour. Not so easy in cold climates or if sharks lurking, but pretty good privacy. Heads down whispers over a good meal and wine in a restaurant is much nicer, preferred by corrupt politicians.



#14 LZ1

LZ1

    It's nice to be nice to nice people

  • Members
  • PipPipPip
  • 1479 posts

Posted 19 October 2017 - 08:06 PM

"significant risk even if we use OVPN on Android"
Now I have read up more about the problem at:
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/?comments=1&start=0
rather than just the news media over breakfast.That is a good writeup of the vulnerability.
Better to have OVPN/Air on end devices such as smartphones/tablets/PCs rather than the router/accesspoint for an extra trusted encryption layer on the wifi links. Perhaps Air should allow more concurrent connections per account ? Still problems with plaintext captured within the local home/office wifi network not routed through the VPN.

I've been a long time supporter of Air. I'd also love of they allowed more connections. Anyone else? Perhaps we could petition for more? At the very least, I'd be willing to pay a little more for more connections.

Sent from my LG-LS777 using Tapatalk

Hello!

 

Not going to happen and it has been asked for repeatedly.  You can find out why in the First Questions section of the New User guide in my signature.


Open This Spoiler If: A Website Is Blocked, You Want To Help AirVPN, Find The Beta/Experimental Client Or You're A New User Wanting Help/Information

Spoiler

Did you make a guide or how-to for something? Then contact me if you want me to index it in my new user guide, so that the community can find it more easily.

Tired of Windows? Why Linux Is Better.


#15 therion

therion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 19 October 2017 - 08:06 PM

I think top priority for offices such as legal firms should be to run ethernet cable to printers usually accessed by wifi as entire documents and printed emails would be easily copied when wpa2 "crackers" are for sale on the "darkweb", and used by "private investigators"/"guns for hire" operators. Wifi frequencies allow directional focus with much longer range with quite small antennas hidden behind darkened vehicle windows etc. Interception of file share / file server traffic would require more complex reassembly and not sure of encryption options. Plenty of work for the cable guys (funny movie).
A drug gang near here, that got busted by a "turncoat", avoided police and court evidence by only meeting after stripping down to swimming trunks and swimming a few hundred meters out in the harbour. Not so easy in cold climates or if sharks lurking, but pretty good privacy. Heads down whispers over a good meal and wine in a restaurant is much nicer, preferred by corrupt politicians.

... What??...

-Invictus-

-Veritas


#16 in1t3r

in1t3r

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 20 October 2017 - 08:19 AM

Well the krackattack is more troubling openvpn is software use by many companies and many users its source code is available on the github so it have many eyes peer review. Implementation on the android might be susceptible to a problems but that is usually not the biggest problem with android and cell phones as there are many other attacks that could compromise integrity of your phone or your network usage on the android. The other big flaw is usage of Java language which is susceptible to many flaws so the main problem is not the protocol itself but its proper implementation.

Basically your cellphone is secure only when all of your radio devices are off and even then there are simple ways to sniff your traffic on the device once the malicious code get onto the device once it turn on again.

I don't trust Android as I don't like Java I know to program in Java and I know about quite a bit of ways to misuse app sandboxing on android. Also there is a problem with network based attacks like SS7 attacks and problems with a firmware which is usually closed sourced by the chip manufacturer so if you are trying to be private on android or iPhone that is impossible. You can just mitigate some of the possible attack surfaces. That is why a pure Linux phone like the Librem will be quite a bit of improvement for users who want privacy and still want to use cellphones I mean so called "smartphones". With the other old school phones you are in an even bigger problem as they are usually not updated for newer standards so you are using them only for a voice communication that is prone to interception. So the only smart way of using the voice communication on Android is usage of Signal or Telegram if you trust telegram people and there encryption system. End2End encryption is the only way to make sure your message sent from A to B that are seen by the eavesdropper cannot be actually decrypted so the eavesdropper can only know that you are using encryption for communication. Which then in turn can make you a target for a infection of the device.

So anyway my point was do not use android or iOS based things for any important communication as they are prone to be really easy target for any type of hackers.

With this mentality, please cease usage of all mobile devices, including computers. :)

Sent via Tapatalk. Means, I don't have a computer available now.

 

Well my dear unfriendly user of VPN I have been using and setting up encrypted tunnels before you have born. And from your attitude I can see that you don't know anything about cryptography and its use in privacy protection. Btw to not forget to add there is another interesting breach last week and that was break of RSA keys that are based on infinion library don't worry Linux is not affected by this as linux use openssl implementation and GNU implementation.

So to simplify you can cease usage of your devices I was just telling you truth I use encrypted tunneled connections every day for every of my devices but that doesn't mean that I like you do not follow researches and publications on different type of attacks on wide variety of software and hardware. I'm a Linux system admin so that is my professional job to research and track what attack surfaces become open and how to mitigate them or in case of hacking how to leverage them. Simply you being ignorant to the new type of attacks will not make you safer on the web nor protect your information. Watch at least youtube defcon and especially blackhat channel also follow some other conferences around the world.

 

My intention is not to scare you but to make you aware on different problems that we face and in the "cellphone" area and in the other areas of securing either different websites or in this case making sure that information I send is always encrypted and sometime anonymized. Don't forget that there are many ways to fingerprint user online so be a good fellow and read something like a good tutorial on how to stay anonymous online and if you are interesting in hacking read the Anonymous book that we made for all wannabe hackers that do not know how to keep their identities separated and why a burner identity is better then attaching everything you do to a single clear web or darkweb identity. :)

 

Btw usage of fork bomb for a username do not make you elite but do you know how to exploit machine escalate privileges and then get to the point to ran local denial of service that cannot be stopped. I mean securing against fork bomb is so easy ulimit are simple utility. Also the growing amount of ignorant Linux users like you get a into quite unsafe situation in linux market with most of the distributions running shitty systemd and making linux systems prone to much more unexpected bugs.
 

We went off topic I will stop commenting about other security and privacy problems on this thread so if someone of you want to continue conversation about that just send private message. Of course trolls will be ignored. :)



#17 Treiberschreiber

Treiberschreiber

    :() { :|: & }; :

  • Members
  • PipPipPip
  • 2430 posts
  • LocationGermany

Posted 22 October 2017 - 10:19 PM

And from your attitude I can see that you don't know anything about cryptography and its use in privacy protection.

 

No, I don't use GPG to get my mail. I don't use self-hosted cloud solutions with AES encryption, and I am most certainly not using my TLS certificate for websites. Also, no certificates for SSH authentification, who needs that kind of shit, right? I also don't work at a company who hold hard drive encryption of clients as the #1 rule.

I don't use OpenVPN at all because it's proven insecure; it's like a tumor. I don't avoid Microsoft, Google, Facebook, Amazon and whatnot because I'm a camp follower. I prefer WEP encryption for WLAN but if I really need the performance I switch encryption off completely.

You see, you're easier to identify if you encrypt your life. When Eve catches an encrypted signal among tens of thousands of unencrypted signals she'll know it's mine, so.. no. Fuck encryption.

 

Btw usage of fork bomb for a username do not make you elite but do you know how to exploit machine escalate privileges and then get to the point to ran local denial of service that cannot be stopped. I mean securing against fork bomb is so easy ulimit are simple utility. Also the growing amount of ignorant Linux users like you get a into quite unsafe situation in linux market with most of the distributions running shitty systemd and making linux systems prone to much more unexpected bugs.

 

The fork bomb is not there for show-off. But thank you for saying that people do notice it :D

 

I can understand the arguments against systemd. I was also looking for a distribution without it. Instead of ranting you could do us all a favor and throw names around. If people choose to switch, you'd contribute to the world's welfare, don't you think? Words are mighty, but limited...


Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs is the proper way to heaven.
Same issues are rare! Search for solutions and if not successful open your own threads.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

 


#18 De Facto Pantalones

De Facto Pantalones

    Advanced Member

  • Members
  • PipPipPip
  • 39 posts

Posted 15 November 2017 - 03:10 AM

My intention is not to scare you but to make you aware on different problems that we face and in the "cellphone" area and in the other areas of securing either different websites or in this case making sure that information I send is always encrypted and sometime anonymized. Don't forget that there are many ways to fingerprint user online so be a good fellow and read something like a good tutorial on how to stay anonymous online and if you are interesting in hacking read the Anonymous book that we made for all wannabe hackers that do not know how to keep their identities separated and why a burner identity is better then attaching everything you do to a single clear web or darkweb identity. :)

Interesting thread.  Never fall in love with a username (always use a one-off, whether Saint, ne'er-do-well, or anywhere in-between).  https://www.wired.com/2015/05/silk-road-2/    Half this thread's content is way over my head, so I apologize if off-topic.  Thanks  :)  






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Servers online. Online Sessions: 13811 - BW: 45745 Mbit/sYour IP: 54.227.104.40Guest Access.