41 percent of Android phones are vulnerable to 'devastating' Wi-Fi attack

[Onkel Neal]

Not good

https://www.theverge.com/2017/10/16/...-wpa-2-details

Quote:

A new exploit can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. Researchers have started disclosing security vulnerabilities today, and it looks like Android and Linux-based devices are the worst affected by multiple vulnerabilities. Researchers also claim some of the attack works against all modern Wi-Fi networks using WPA or WPA 2 encryption, and that the weakness is in the Wi-Fi standard itself so it affects macOS, Windows, iOS, Android, and Linux devices.

Wonder how long until updates can handle this?

[Rockin Robbins]

Actually for this to be exploited someone would have to sit in range of your wi-fi for hours, patiently waiting to obtain the password. It can take more than 8 hours.

Then he can log into your system and find out what you posted to Facebook. This is big news for huge targets with lots of money. It's less than nothing for the rest of us.

Why would a criminal cyber-genius spend thousands for the equipment to sit in your driveway for eight hours sniffing your logon credentials for no gain? Why would they pick your driveway of the 50 million driveways in the United States alone?

This is only a concern for places crooks are absolutely positive there is money to be had. In that case there are dozens of less risky things than snatching packets whilst physically waiting to be apprehended with hacking tools in their car.

These security wonks have stopped thinking. Crooks want a safe and easy sting. They aren't going to put their butts on the line in your driveway to get your Amazon password, or even your bank password. Too little upside with too much downside.

If they do it in their underwear from the safety of their bunker in Turkmenistan there's no risk. They don't have to put their bodies in peril for six or eight hours waiting to be arrested in your driveway. And they don't need your wi-fi passwords!

This may not be fake news, but it IS fake danger.

[Rockin Robbins]

Ran into a situation exactly like this on a Flat Earth You Tube channel. I was saying the the present day Flat Earth Enthusiasts (gotta be nice!) are the first organized group of people in 3,000 years to try to teach the Earth is flat. No Christian and no Jew for that long has taught Flat Earth.

Of course, some bright guy pops up (they always do) and posts "Yeah, redacted, redacted, you're just a redacted redacted. If you had a brain in your redacted strange part of the human body, you'd know that in Christopher Columbus' day everybody thought Columbus would sail off the edge of the redacted world. You redacted redacted. You're a shill for the redacted redacted."

Well, I said. The journey du jour for that time was to sail around Cape Hope, into the Indian Ocean and across to China. This took celestial navigation. Celestial navigation demands a spherical earth, of a known size, spinning on its axis at a known rate, and an astrolabe or sextant, which also can't work on a flat earth. Believe me when I say they did not believe in a flat earth at all! That's a fairy tale introduced into American textbooks in the 19th century.

What did happen was Chris went to Ferdinand and Isabella to hawk the idea that maybe the earth wasn't 7900 miles in diameter. What if we could go the other way around and get to China before we starved to death. That was what they were REALLY afraid of. But Christopher Columbus was pushing a number more like 2,000 miles. If true he's sail west for three weeks and shazaam! Everybody's rich! Easy peasy!

It wasn't that Ferdinand and Isabella really bought the story so much as how cheap it was to verify, and if, on the off-chance, crazy Chris was right, kaching!!! Everybody's rich!! Little downsize and huge upside, it's the ultimate gamble.

Of course Chris was wrong. The earth really is 7900 miles in diameter just like they already had known since 300 BC. Two kinda large continents blocked Columbus' way to China. Nobody got rich. On his third journey, Chris' crew sent him back to Europe in chains, disgraced. Maybe now some people celebrate Christopher. In his day he was about as popular as typhoid fever.

So today all the Flat Earth Enthusiasts are parotting the story about the ships sailing off the edge of the ocean. The real danger was starving to death at sea for six months.

[Skybird]

My home WLAN is set to minimum emission range (1 wall already is problematic), and my smartphone has a 100% prepaid card, usually I switch its WLAN off when I do not need it (also mobile internet connection is off all the time). I have a deep mistrust against public WLAN hotspots, I would never use them. Since more and more stores use to track and ID customers by their WLAN devices when they enter the shop, I switch it off when leaving the house, if it is not already. Hard to break into this if the attacker needs really several hours and close range to succeed.

However, the example has been set. I say since longer time that Linux systems (Android is a Linux) should not be considered "untouchable". If I understood it correctly, no security scanner can protect you against this abuse.

General rule: switch WLAN on only when you need it, on your device. Use the timer of your router to switch it off in times you sleep or are not at home, have its energy signature reduced as much as possible. I never understood why many people have their computers on even when they sleep or leave the house. Do they think the Earth stops revolving around the sun if they go offline for some hours? You can download all mails in your box next time you boot it, or not?

[vienna]

Those are good points for enhancing individual security. However, I would add the fact a surprising number of apps have the capability to turn on the WiFi port(s) on their own, under certain conditions. If you have the WiFi turned off and happen to have one of these apps, they can override your choice and reopen the connection; for example, say you have an app from some big box store or other and you walk into the store with WiFi off; the store's system will detect your presence and reestablish contact. If you really want to be certain about your security, you should re-check the WiFi status from time to time...





<O>

[Skybird]

Quote:

Originally Posted by vienna

say you have an app from some big box store or other and you walk into the store with WiFi off; the store's system will detect your presence and reestablish contact.

That was new to me, and I would be seriously pissed if I get attacked like this, for an attack it definitely is. I rate this as a criminal violation, because if I turn off WLAN, I have declared my will and expressed clearly a certain prohibition regarding the way others may approach me, and when someboy else without my consent forces my device to switch in on again, it is a a non-consensual and unlegitimised intrusion of my privacy, comparable to a stranger all of a sudden standing in my flat. Such an intruder has expect nothing good from me. A store doing like you described is like an attacker kicking in my locked appartment door by force. Or sneaking in through a window in the basement.

Can something like this also be done by identifying the presence of a smartphone due to the mobile phone cell it is currently situated in, even if its WLAN and mobile internet connections are turned off? One needs to remember all the time that a smartphone perate in three different radio circuits, minimum: phone, mobil internet, WLAN.

I once have red somewhere that the NSA even has methods to turn on a smartphone that was completely switched off, although this, as I remember it, needed a quite targetted an deliberate effort. At least for the time being.

And are RFID chips - in plastic cards - really blocked from getting passively read by a close-by detector if you put aluminium metal foil around it?

Tin foil hats - that joke maybe already has lost it legitimacy, eh?