WiFi WPA2 "KRACK" hack


Post by KaiserJeep » Tue 17 Oct 2017, 14:35:37

This is a service announcement for my fellow members. What we call a "Day 1" flaw has been exploited in the WPA2 WiFi protocol. The term "Day 1" implies that the flaw is part of the basic design of the product - every WiFi Router is vulnerable, and every device that connects via WiFi is vulnerable. The vulnerability allows a 3rd party to monitor a WiFi session, read everything in both directions, and inject transactions, install malware, or simply copy things such as credit card numbers or bank account numbers.

A list of affected routers is here: https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

If there is an available fix, that is also listed. Typically, the fix will involve updated firmware for the WiFi chipset plus updated driver software for the router or the mobile device. Unless both of these have been modified since mid-September 2017, you are vulnerable. If your router or device support line tells you you "don't have to worry", you definitely do - nobody is immune to this until the fixes are installed, and most WiFi chipsets and device drivers do not yet (Oct. 17, 2017) have available fixes. If your device is not on the above list, it is still impacted, and if it's older than 3 years, most likely will never be fixed.

Yeah, that's what I said, and I meant it. I own two "Nook" E-Readers that are several years old and the only way I will use them anymore is to read books and magazines. I will no longer trust E-Mail, Instant Messaging, or online purchasing on those old devices, and I never expect to see them updated. If your mobile devices are still being updated with new software, you may have lucked out - you only have to worry until a fix is released.

In case you are wondering, I have an older AT&T WiFi router and AT&T is among the vendors not commenting on KRACK vulnerability. They face either updating or replacing millions of WiFi routers, with the resultant consequences to their bottom line.

I know you have lots of questions, but this is not the place for them. This thread can be locked by a Moderator. You can find help on the web. Until your device and your router are updated, avoid credit card transactions and online banking on your mobile devices.
KaiserJeep 2.0, Neural Subnode 0010 0000 0001 0110 - 1001 0011 0011, Tertiary Adjunct to Unimatrix 0000 0000 0001

Resistance is Futile, YOU will be Assimilated.

Warning: Messages timestamped before April 1, 2016, 06:00 PST were posted by the unmodified human KaiserJeep 1.0
KaiserJeep
Light Sweet Crude
Posts: 6094
Joined: Tue 06 Aug 2013, 17:16:32
Location: Wisconsin's Dreamland

Re: WiFi WPA2 "KRACK" hack

Post by SeaGypsy » Wed 18 Oct 2017, 01:44:04

Explains a few vague online banking security responses I'm aware of. Thanks KJ.
SeaGypsy
Master Prognosticator
Posts: 9285
Joined: Wed 04 Feb 2009, 04:00:00

Post by KaiserJeep » Sat 21 Oct 2017, 04:46:42

Here in Silicon Valley, there are vans and SUVs cruising our streets, joining WiFi sessions using the KRACK exploit, and ordering merchandise on people's online accounts, and shipping it to new addresses. It seems that some people cannot stop buying things via WiFi even after they have been told it's unsafe....

Post by MD » Sat 21 Oct 2017, 05:29:49

I don't use wifi for any secure purpose. Haven't for some time.
Stop filling dumpsters, as much as you possibly can, and everything will get better.

Just think it through.
It's not hard to do.
MD
COB
Posts: 4953
Joined: Mon 02 May 2005, 03:00:00
Location: On the ball

Post by rockdoc123 » Sat 21 Oct 2017, 12:59:41

KaiserJeep wrote: Here in Silicon Valley, there are vans and SUVs cruising our streets, joining WiFi sessions using the KRACK exploit, and ordering merchandise on people's online accounts, and shipping it to new addresses. It seems that some people cannot stop buying things via WiFi even after they have been told it's unsafe....

Is this anecdotal or has there been something reported in the press? I guess if it were to be a widespread problem you would expect it to happen in Silicon Valley first given it is probably the densest network of wifi communications around.
rockdoc123
Expert
Posts: 7685
Joined: Mon 16 May 2005, 03:00:00

Post by KaiserJeep » Sat 21 Oct 2017, 14:33:56

I can tell you that we are organized into online neighborhoods, and are sharing tips about mysterious vehicles that park on our streets. Once the police respond to such reports, one never knows whether it was KRACK hacking, drug sales, hunting pedophiles and rapists, or teenagers having sex in such vehicles.

Things are very different now than a decade ago. Steal an Amazon box off of somebody's front step, find a video of your theft posted online. But I will tell you, in my area half the damn posts are about missing pets. People just will not believe that they cannot safely leave a cat or dog outside at night in an area where coyotes and bobcats prowl. I have had both critters in my backyard this year, and my rear yard fencing is 7 foot tall redwood boards in good repair - not much of a barrier for wildlife.

Post by Outcast_Searcher » Sat 21 Oct 2017, 17:44:32

I'm confused. Supposedly OS vendors are working on or have implemented fixes to this. For example, I'm a Windows 7 user, and from what I've read, Windows 7, 8, and 10 have been fixed, as long as you are doing automatic updates.

So, I was assuming as a Windows user, I shouldn't need to CARE if my WIFI router has fixes or not, for this.

Also, as I understand it, sensitive/secure networking for things like financial transactions is done via secure link, i.e. HTTPS (at least by any credible, competent organization), and all such traffic is encrypted to some "reasonable" standard.

...

So if I'm a supported Windows OS user and doing banking, brokerage, or shopping transactions online -- why should I care if one or ten million SUVs are trying to exploit this bug?

......

Again -- I'm not saying you're wrong. I am a network user with no technical networking expertise. I'm just trying to understand what the risk really is.
Given the track record of the perma-doomer blogs, I wouldn't bet a fast crash doomer's money on their predictions.
Outcast_Searcher
COB
Posts: 10142
Joined: Sat 27 Jun 2009, 21:26:42
Location: Central KY

Post by rockdoc123 » Sat 21 Oct 2017, 18:09:42

My understanding (from what I have read) is that both Apple (macOS and iOS) and Windows have beta fixes that address this. They plan on pushing them to users as soon as they are out of beta.

Post by Outcast_Searcher » Sat 21 Oct 2017, 18:24:24

rockdoc123 wrote: My understanding (from what I have read) is that both Apple (macOS and iOS) and Windows have beta fixes that address this. They plan on pushing them to users as soon as they are out of beta.

Windows supposedly has the fixes out. KJ's link's list confirmed that it went out Oct. 10th. This is consistent with other sources I've read citing what Microsoft is saying. Thus, normal users already have the fix. (Whether it is a beta fix, and whether another more permanent fix is planned, I have no idea).

I only follow Windows stuff closely -- because that is all I use, at present (being one of 7 people left in the US with no smart phone as of today).

Post by KaiserJeep » Sat 21 Oct 2017, 23:07:29

The other part of that would be that if you use wired Ethernet to connect your PC and HDTVs and whatever else, you never were vulnerable to a WiFi hack. I have hardwired Ethernet to my PCs and HDTVs, they are not vulnerable. My only vulnerability is via the WiFi router and the devices in my home that attach via WiFi - two old Barnes & Noble "Nook" E-readers, and the wife's Samsung smartphone, all running Android. I'm betting the phone will get updated by Samsung/Verizon. The Nooks never will. But until BOTH the router and the devices that use it are updated to reject a KRACK attack, you must avoid exposing your bank accounts and credit cards over WiFi.

My own WiFi router is built into the AT&T ISDN modem, an approximately 8-year-old device that quit getting software updates years back. AT&T and the router hardware vendor have no status as of yet for KRACK. They are busy figuring out if revised router firmware/software, an entirely new router box, or extending the fiber down the block into my home plus a new fiber router is the most beneficial to their bottom line. Don't hold your breath for them to get back to you.

Treat this problem with the respect it deserves. Suppose for example that you diligently update your smartphone or tablet, plus your own WiFi router. That's just not enough, it only makes the WiFi in your home secure - it does not mean that you can connect to the WiFi at the local Starbucks and do secure online banking. For the rest of your life, you have to worry about existing WiFi routers that never got updated.

Post by MD » Sun 22 Oct 2017, 08:30:40

KaiserJeep wrote: it does not mean that you can connect to the WiFi at the local Starbucks and do secure online banking. For the rest of your life, you have to worry about existing WiFi routers that never got updated.


That has always been the case. It is -never- advisable to use public wifi, including hotel "secure" wifi, for sensitive data.

Post by rockdoc123 » Sun 22 Oct 2017, 13:51:50

If you were to connect using a VPN would that make a difference?

Post by KaiserJeep » Sun 22 Oct 2017, 14:29:23

rockdoc123 wrote: If you were to connect using a VPN would that make a difference?

Depends upon the level of security in the crypto software of the VPN. Any encryption software that can be executed on a cellphone is easily cracked using a modern Apple or PC desktop. Those can be parked outside your home and can join your WiFi session.

MD is quite correct, one should never use a current generation mobile device for banking or purchasing, ever again. There will doubtless be new mobile devices and WiFi protocols that are secure - at least until the hackers generate the equivalent of KRACK for those networks. Their motive is to steal your bank account contents or your credit.

Hardwired PCs and current security software are what I use. Doubtless there are other solutions. How much are your bank accounts and credit worth to you? How attractive a target do they make?