Apparently using a vPN can protect against the Krack Attack! Is it true and even logical?

[seankay]

As much as I have read, the only fix is to patch and the providers or companies need to release the patch for all the vulnerable devices but this post suggests that using a VPN can also help if the provider whose device you own has not yet released the patch or ain't releasing it. Does it makes sense?

[Mando]

2 hours ago, seankay said:

As much as I have read, the only fix is to patch and the providers or companies need to release the patch for all the vulnerable devices but this post suggests that using a VPN can also help if the provider whose device you own has not yet released the patch or ain't releasing it. Does it makes sense?

short answer....No mate.

claim by the maker of purevpn that their own product solves the issue.....hmmm whats that smell.....its bovine in nature.....moooooooooooo! 

 

how are you able to connect to a VPN before authenticating with said hotspot??? if i wa son a vpn to an online server, why would i need to connect to a wireless router???? im already online!

 

Unless im reading their "miltary grade vpn" (???) wrong....

 

[Joe User]

Yes, using a VPN can help. You'll basically have an encrypted tunnel over un-encrypted WiFi.

 

This only applies if your phone/computer is making the connection to the VPN server, if you're using your router to establish the VPN, it won't help.

 

 

 

[goretsky Supervisor]

Hello,

It seems a lot of VPN vendors are using the KRACK security vulnerabilities as part of their marketing.

 

Microsoft has already released an update for Windows to fix this, Apple has one in beta versions of its operating systems, various silicon (chipset) vendors and device manufacturers are rolling out updates as well.  Just make a note of what Wi-Fi devices you have, and check with the manufacturer/chipset vendor for updates.

 

Regards,

 

Aryeh Goretsky

 

[seankay]

Thanks guys for the details. I was just wondering if I am right. If I connect a VPN on my device say that is connected to the ethernet and then use it as the wireless source then it makes sense. Other wise there's no way it does? Am I right?

[seankay]

55 minutes ago, goretsky said:

Hello,

It seems a lot of VPN vendors are using the KRACK security vulnerabilities as part of their marketing.

 

Microsoft has already released an update for Windows to fix this, Apple has one in beta versions of its operating systems, various silicon (chipset) vendors and device manufacturers are rolling out updates as well.  Just make a note of what Wi-Fi devices you have, and check with the manufacturer/chipset vendor for updates.

 

Regards,

 

Aryeh Goretsky

 

Thanks for the info. According to this chart there're still many routers like TP LInk Apple Airport etc. for which the patch is not out. So, the only option is to shut them off?

[+BudMan MVC]

You guys do understand that most of this is scare mongering by the news right..

 

They suggest that your cc and passwords could be gotten.  In what scenario would you be sending these in the clear?

 

What a vpn from the client device could do is encrypt not already encrypted traffic that you would be sending in the clear and could be open for the attacker to see.

 

Also patching routers and AP and such is not all that big of a deal since they are only open to the attack if they are being used as wifi clients..  IE if your AP was using a wireless uplink vs a wire.  Or if your wifi router was part of a wds network and acting as a client to another wifi network, etc.

 

Not saying that the attacker could not run a mitm attack on you as well for anything sent over https - but this drastically increases the difficulty of the attack..   Also keep in mind that that attacker has to be within range of your wifi in the first place..  So you see any cars outside house with guys in black hunched over their laptops?  Or the script kiddie next door to you - but there are of yet any reports of this attack in the wild.

 

As almost always this attack is being over hyped.  Not always a bad thing to get people to pay attention to security and update their ###### to current code.. But the sky is not falling people - not as of yet.  And no you don't need to go get yourself a vpn because of this issue.

[Mando]

3 minutes ago, BudMan said:

You guys do understand that most of this is scare mongering by the news right..

 

They suggest that your cc and passwords could be gotten.  In what scenario would you be sending these in the clear?

 

What a vpn from the client device could do is encrypt not already encrypted traffic that you would be sending in the clear and could be open for the attacker to see.

 

Also patching routers and AP and such is not all that big of a deal since they are only open to the attack if they are being used as wifi clients..  IE if your AP was using a wireless uplink vs a wire.  Or if your wifi router was part of a wds network and acting as a client to another wifi network, etc.

 

Not saying that the attacker could not run a mitm attack on you as well for anything sent over https - but this drastically increases the difficulty of the attack.. 

well said sire, and to add, they have to be in range, now on a SOHO wireless router, just look in your garden?? or outside your gate, any nerdy looking mofos hanging round with tech??? scaremongering in reality as Budman says.

[+BudMan MVC]

What I would be concerned most with is iot devices that never get patched.  I have looked into mine.. Echo, Nest, smart lightbulbs and power switches by tp-link have all announced they will be rolling out updates soon.  The only one I have yet to see an announcement by is logitech (harmony hub)..

 

As mentioned all ready the major OS players MS, Apple, Debian, etc.. all have patches in the works if not already available..

 

Look out for firmware updates for stuff like your printers (if connected via wifi) and stuff like video camera's that are wifi.. Good luck with some camera made in china that you got for 5$ on ebay, etc.  Which had bad code in them already!!  Video camera's are horrific from a security standpoint for their coding.

 

What this incident should have you looking into security of these iot sort of devices.. Isolate them to their own vlans, etc.. Push for these vendors to support wpa enterprise so that you can use other auth methods vs just psk.  And make it easier to assign them specific vlans via dynamic vlans, etc. As with any discovery of flaws in security - it can be a good thing if people take the opportunity of the flaw to pay more attention to security.. And not just forget after this scare has passed.

[adrynalyne]

2 hours ago, BudMan said:

What I would be concerned most with is iot devices that never get patched.  I have looked into mine.. Echo, Nest, smart lightbulbs and power switches by tp-link have all announced they will be rolling out updates soon.  The only one I have yet to see an announcement by is logitech (harmony hub)..

 

As mentioned all ready the major OS players MS, Apple, Debian, etc.. all have patches in the works if not already available..

 

Look out for firmware updates for stuff like your printers (if connected via wifi) and stuff like video camera's that are wifi.. Good luck with some camera made in china that you got for 5$ on ebay, etc.  Which had bad code in them already!!  Video camera's are horrific from a security standpoint for their coding.

 

What this incident should have you looking into security of these iot sort of devices.. Isolate them to their own vlans, etc.. Push for these vendors to support wpa enterprise so that you can use other auth methods vs just psk.  And make it easier to assign them specific vlans via dynamic vlans, etc. As with any discovery of flaws in security - it can be a good thing if people take the opportunity of the flaw to pay more attention to security.. And not just forget after this scare has passed.

My Sony TV got a patch yesterday. Was a little surprised. No idea if it was for this but wouldn’t be surprised if it was. My Samsung TV otoh...silence. 

[+BudMan MVC]

Was it in the release notes for the patch?  If so that is quite impressive on their turn around.. That would be for sure thumbs up for them if so...

 

I find it unlikely your update was for krack... According to here.

 

https://github.com/kristate/krackinfo

 

Samsung was notified by cert on 28 aug.. And they have not official response.. I can not believe they would release fixes for stuff like their TVs and have not made an official announcement.

[adrynalyne]

26 minutes ago, BudMan said:

Was it in the release notes for the patch?  If so that is quite impressive on their turn around.. That would be for sure thumbs up for them if so...

 

I find it unlikely your update was for krack... According to here.

 

https://github.com/kristate/krackinfo

 

Samsung was notified by cert on 28 aug.. And they have not official response.. I can not believe they would release fixes for stuff like their TVs and have not made an official announcement.

It’s Sony, they don’t know what release notes are so I dunno. 

 

https://esupport.sony.com/US/p/swu-download.pl?mdl=XBR55X850D&upd_id=11313&os_group_id=18

 

They are super vague. Probably doesn’t contain fix. I’m wired anyway

[+BudMan MVC]

Sony - DOH... How did I miss read that as Samsung

 

But I don't show any official response from Sony either..  But since that firmware came out on Oct 3rd.. It would really be unlikely it contained fix for krack..