What a week - security wise. Many vulnerabilities have been uncovered. You are most likely affected by one or more of these. Read on and start updating all your devices.
Wi-Fi WPA2 vulnerability
Years ago, we all moved our Wi-Fi to WPA security protocol as WEP was deemed unsecure. Now vulnerability is found in WPA1/2 too, making it possible for malicious attackers to inspect and modify the tracking between computer and access point.
The vulnerability is known as KRACK (Key Reinstallation Attacks) and are in the Wi-Fi standard, so all devices are affected – laptops, access points, printers, phones… anything with Wi-Fi. The vulnerability is at client side, but many access points acts are repeaters etc., so do patch all Wi-Fi devices, otherwise the communication might be compromised.
Bleeping Computers are keeping a list of affected devices and firmware and driver updates to mitigate the problem.
Microsoft fixed the issue on October 10th and rolled out the update on Patch Tuesday, so if you are keeping your device up-to-date, then you are all safe. Apple has not yet released a patch.
RSA key generation vulnerability
It does not sound intimidating, but this is a major vulnerability affecting Google Chromebooks, HP, Lenovo and Fujitsu PCs and laptops, SmartCards, routers, IoT devices – all devices that has a hardware secure chip (like TPM) from Infineon Technologies produced since 2012.
RSA keys are used to securely store secrets such as passwords, encrypt data (e.g. BitLocker) and generate certificate keys used in secure communication and sender/receiver attestation. It also affects digital ID’s such as those used by the Estonian government, based on SmartCard technology.
The RSA generated prime numbers are not truly random, making it possible to crack the private key via the public key. Depending on the size of the RSA key, they estimate it takes:
- 512-bit RSA keys - 2 CPU hours (the cost of $0.06)
- 1024-bit RSA keys - 97 CPU days (the cost of $40-$80)
- 2048-bit RSA keys - 140.8 CPU years, (the cost of $20,000 - $40,000)
Based on an Intel E5-2650 v3@3GHz Q2/2014. 97 CPU days are nothing, as the crack can run in parallel and compute resources have become cheap with all the Cloud offerings.
Read more about the ROCA CVE-2017-15361 vulnerability.
Securing my devices
It is time to update all my devices, but it is going to take time.
This is the list of devices I need to update: 5 Laptops, 1 Chromebook, 1 Xbox One, 1 Windows tablet, 2 iPads, 2 iPhones, 1 Android, 1 Windows Phone, 1 Ubiquity Access Point, 1 Sagemcom router (Owned by the ISP), 1 Amazon Echo, 1 Samsung TV, 1 Panasonic TV and countless IoT devices
Who am I kidding. Some of my devices are old (like my TVs), so the manufacturer will properly never release a patch.
Like it is not worrisome enough, then a privilege-escalation vulnerability in Linux kernel was also discovered. This means even more stuff to update.