openmw.org

Important stuff, read: https://www.krackattacks.com/

There was a firmware update already available for my wifi AP to address this. Check your networks!

Oh shit. Both client and AP must be patched for communication to remain secure. That effectively means that any public wifi must be considered as insecure even if it is encrypted with WPA2, since you don't know whether the administrator of that network has patched their router.

Even worse, there are enormous amounts of old Android phones still in active use that are no longer receiving updates. I have one myself, and it doesn't even have an active custom ROM community behind it. I guess it time to decommission it.

This is also very bad because most people with personal wifi routers won't ever update them.

Could this be used to create a botnet that spreads uncontrollably between nearby wifi networks in cities and uses smartphone users to travel between distant ones? Attacking by (for example) injecting itself into downloaded executables.

Theoretically, any traffic that goes through HTTPS or SSH or whatever should be fine, as those protocols make no assumptions about the security of the network used. If people are installing things that they got via plain old HTTP, then they were likely at risk already.

This is a good example of why layers of security are important. If you treated every network like it was public, e.g. use a VPN/TOR + HTTPS Everywhere, you are probably fine.

Personally, I think BlueBorne was (is) much scarier than this. Think of how a bad guy could have taken over every bluetooth phone/laptop in the world silently and then enabled a virus... or for all we know, that's already happened and we don't know it yet.

jirka642 wrote: ↑17 Oct 2017, 11:06 Could this be used to create a botnet that spreads uncontrollably between nearby wifi networks in cities and uses smartphone users to travel between distant ones? Attacking by (for example) injecting itself into downloaded executables.

Well... being able to read someone's traffic definitely doesn't automatically give you root on their device. But depending on what insecure traffic they are transmitting, it could give you the key you need to get root.

K0kt409P wrote: ↑17 Oct 2017, 10:23Even worse, there are enormous amounts of old Android phones still in active use that are no longer receiving updates. I have one myself, and it doesn't even have an active custom ROM community behind it. I guess it time to decommission it.

I dropped the extra money to get a Nexus 5X so I could get the latest android always direct from google, and I don't regret it for a minute. I may switch to something like LineageOS because I am getting sick of google sticking their fingers in everything on my phone, but at least I've got security updates...

scrawl wrote: ↑17 Oct 2017, 14:20This is a good example of why layers of security are important. If you treated every network like it was public, e.g. use a VPN/TOR + HTTPS Everywhere, you are probably fine.

Definitely!