SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Go Back   SUBSIM Radio Room Forums > General > General Topics > PC Hardware/Software forum
Forget password? Reset here

Reply
 
Thread Tools Display Modes
Old 10-16-17, 06:35 AM   #1
Onkel Neal
Born to Run Silent
 
Onkel Neal's Avatar
 
Join Date: Jan 1997
Location: Cougar Trap, Texas
Posts: 21,274
Downloads: 534
Uploads: 224


Default 41 percent of Android phones are vulnerable to 'devastating' Wi-Fi attack

Not good

https://www.theverge.com/2017/10/16/...-wpa-2-details

Quote:
A new exploit can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. Researchers have started disclosing security vulnerabilities today, and it looks like Android and Linux-based devices are the worst affected by multiple vulnerabilities. Researchers also claim some of the attack works against all modern Wi-Fi networks using WPA or WPA 2 encryption, and that the weakness is in the Wi-Fi standard itself so it affects macOS, Windows, iOS, Android, and Linux devices.


Wonder how long until updates can handle this?
__________________
SUBSIM - 26 Years on the Web
Onkel Neal is online   Reply With Quote
Old 10-16-17, 01:17 PM   #2
Rockin Robbins
Navy Seal
 
Join Date: Mar 2007
Location: DeLand, FL
Posts: 8,899
Downloads: 135
Uploads: 52


Default

Actually for this to be exploited someone would have to sit in range of your wi-fi for hours, patiently waiting to obtain the password. It can take more than 8 hours.

Then he can log into your system and find out what you posted to Facebook. This is big news for huge targets with lots of money. It's less than nothing for the rest of us.

Why would a criminal cyber-genius spend thousands for the equipment to sit in your driveway for eight hours sniffing your logon credentials for no gain? Why would they pick your driveway of the 50 million driveways in the United States alone?

This is only a concern for places crooks are absolutely positive there is money to be had. In that case there are dozens of less risky things than snatching packets whilst physically waiting to be apprehended with hacking tools in their car.

These security wonks have stopped thinking. Crooks want a safe and easy sting. They aren't going to put their butts on the line in your driveway to get your Amazon password, or even your bank password. Too little upside with too much downside.

If they do it in their underwear from the safety of their bunker in Turkmenistan there's no risk. They don't have to put their bodies in peril for six or eight hours waiting to be arrested in your driveway. And they don't need your wi-fi passwords!

This may not be fake news, but it IS fake danger.
Rockin Robbins is offline   Reply With Quote
Old 10-16-17, 01:34 PM   #3
Rockin Robbins
Navy Seal
 
Join Date: Mar 2007
Location: DeLand, FL
Posts: 8,899
Downloads: 135
Uploads: 52


Default

Ran into a situation exactly like this on a Flat Earth You Tube channel. I was saying the the present day Flat Earth Enthusiasts (gotta be nice!) are the first organized group of people in 3,000 years to try to teach the Earth is flat. No Christian and no Jew for that long has taught Flat Earth.

Of course, some bright guy pops up (they always do) and posts "Yeah, redacted, redacted, you're just a redacted redacted. If you had a brain in your redacted strange part of the human body, you'd know that in Christopher Columbus' day everybody thought Columbus would sail off the edge of the redacted world. You redacted redacted. You're a shill for the redacted redacted."

Well, I said. The journey du jour for that time was to sail around Cape Hope, into the Indian Ocean and across to China. This took celestial navigation. Celestial navigation demands a spherical earth, of a known size, spinning on its axis at a known rate, and an astrolabe or sextant, which also can't work on a flat earth. Believe me when I say they did not believe in a flat earth at all! That's a fairy tale introduced into American textbooks in the 19th century.

What did happen was Chris went to Ferdinand and Isabella to hawk the idea that maybe the earth wasn't 7900 miles in diameter. What if we could go the other way around and get to China before we starved to death. That was what they were REALLY afraid of. But Christopher Columbus was pushing a number more like 2,000 miles. If true he's sail west for three weeks and shazaam! Everybody's rich! Easy peasy!

It wasn't that Ferdinand and Isabella really bought the story so much as how cheap it was to verify, and if, on the off-chance, crazy Chris was right, kaching!!! Everybody's rich!! Little downsize and huge upside, it's the ultimate gamble.

Of course Chris was wrong. The earth really is 7900 miles in diameter just like they already had known since 300 BC. Two kinda large continents blocked Columbus' way to China. Nobody got rich. On his third journey, Chris' crew sent him back to Europe in chains, disgraced. Maybe now some people celebrate Christopher. In his day he was about as popular as typhoid fever.

So today all the Flat Earth Enthusiasts are parotting the story about the ships sailing off the edge of the ocean. The real danger was starving to death at sea for six months.
Rockin Robbins is offline   Reply With Quote
Old 10-17-17, 04:34 AM   #4
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,338
Downloads: 9
Uploads: 0


Default

My home WLAN is set to minimum emission range (1 wall already is problematic), and my smartphone has a 100% prepaid card, usually I switch its WLAN off when I do not need it (also mobile internet connection is off all the time). I have a deep mistrust against public WLAN hotspots, I would never use them. Since more and more stores use to track and ID customers by their WLAN devices when they enter the shop, I switch it off when leaving the house, if it is not already. Hard to break into this if the attacker needs really several hours and close range to succeed.

However, the example has been set. I say since longer time that Linux systems (Android is a Linux) should not be considered "untouchable". If I understood it correctly, no security scanner can protect you against this abuse.

General rule: switch WLAN on only when you need it, on your device. Use the timer of your router to switch it off in times you sleep or are not at home, have its energy signature reduced as much as possible. I never understood why many people have their computers on even when they sleep or leave the house. Do they think the Earth stops revolving around the sun if they go offline for some hours? You can download all mails in your box next time you boot it, or not?
__________________
If you feel nuts, consult an expert.
Skybird is online   Reply With Quote
Old 10-17-17, 02:52 PM   #5
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,488
Downloads: 85
Uploads: 0


Default

Those are good points for enhancing individual security. However, I would add the fact a surprising number of apps have the capability to turn on the WiFi port(s) on their own, under certain conditions. If you have the WiFi turned off and happen to have one of these apps, they can override your choice and reopen the connection; for example, say you have an app from some big box store or other and you walk into the store with WiFi off; the store's system will detect your presence and reestablish contact. If you really want to be certain about your security, you should re-check the WiFi status from time to time...





<O>
__________________
__________________________________________________ __
vienna is offline   Reply With Quote
Old 10-17-17, 04:40 PM   #6
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,338
Downloads: 9
Uploads: 0


Default

Quote:
Originally Posted by vienna View Post
say you have an app from some big box store or other and you walk into the store with WiFi off; the store's system will detect your presence and reestablish contact.
That was new to me, and I would be seriously pissed if I get attacked like this, for an attack it definitely is. I rate this as a criminal violation, because if I turn off WLAN, I have declared my will and expressed clearly a certain prohibition regarding the way others may approach me, and when someboy else without my consent forces my device to switch in on again, it is a a non-consensual and unlegitimised intrusion of my privacy, comparable to a stranger all of a sudden standing in my flat. Such an intruder has expect nothing good from me. A store doing like you described is like an attacker kicking in my locked appartment door by force. Or sneaking in through a window in the basement.

Can something like this also be done by identifying the presence of a smartphone due to the mobile phone cell it is currently situated in, even if its WLAN and mobile internet connections are turned off? One needs to remember all the time that a smartphone perate in three different radio circuits, minimum: phone, mobil internet, WLAN.

I once have red somewhere that the NSA even has methods to turn on a smartphone that was completely switched off, although this, as I remember it, needed a quite targetted an deliberate effort. At least for the time being.

And are RFID chips - in plastic cards - really blocked from getting passively read by a close-by detector if you put aluminium metal foil around it?

Tin foil hats - that joke maybe already has lost it legitimacy, eh?
__________________
If you feel nuts, consult an expert.
Skybird is online   Reply With Quote
Old 10-17-17, 04:58 PM   #7
mapuc
Fleet Admiral
 
Join Date: Sep 2003
Location: Denmark
Posts: 17,709
Downloads: 37
Uploads: 0


Default

About 3-4 times per year I open my WIFI on the Smartphone and I always do it at home. I do it to get new updates to what I have, antivirus and other stuff.

I do not watch it all the time when I'm shopping or doing other things when I'm outside.

Furthermore, if my WIFI should be turned on by some apps or program, maybe, maybe I would not detect at once but I would sooner or later I would detect it. ´cause it has never happen to me.

I'll ask some of my online friends if their WIFI have turned on without their knowledge.

Markus
mapuc is online   Reply With Quote
Old 10-17-17, 08:01 PM   #8
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,488
Downloads: 85
Uploads: 0


Default

To be clear, the apps in question do not turn on shut down phones; they only turn on the WiFi function on an already on phone. As for the question of the unauthorized access to your cell's WiFi, if you install an app that is capable of independent turn on, they almost always tell the user of that ability during the install process and/or in some form of EULA available to the user(s); basically, like a lot of other forms of online consumer offers, you often end up giving up some control in order to get the end "benefit"...






<O>
__________________
__________________________________________________ __
vienna is offline   Reply With Quote
Old 10-18-17, 06:41 AM   #9
Rockin Robbins
Navy Seal
 
Join Date: Mar 2007
Location: DeLand, FL
Posts: 8,899
Downloads: 135
Uploads: 52


Default

Again, the problem isn't your phone. The malware attacks the router. And the malware is useless. No crook is going to put his body in your driveway when he can hack you in his underwear from Uganda.

Travel is expensive. You have to buy clothes. You have to come up with a vehicle. You must sit in someone's driveway or in front of their house for hours. No crook is going to do this. You don't have enough good stuff for him to be interested in.

Now if you are a small business, things might be different. You have no IT department, you are very busy running your business and probably wouldn't notice a wardriver in front for several hours, and probably DO have something worth taking.
Rockin Robbins is offline   Reply With Quote
Old 10-19-17, 03:41 AM   #10
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,488
Downloads: 85
Uploads: 0


Default

Quote:
Originally Posted by Skybird View Post

...

Can something like this also be done by identifying the presence of a smartphone due to the mobile phone cell it is currently situated in, even if its WLAN and mobile internet connections are turned off? One needs to remember all the time that a smartphone perate in three different radio circuits, minimum: phone, mobil internet, WLAN.

I once have red somewhere that the NSA even has methods to turn on a smartphone that was completely switched off, although this, as I remember it, needed a quite targetted an deliberate effort. At least for the time being.

And are RFID chips - in plastic cards - really blocked from getting passively read by a close-by detector if you put aluminium metal foil around it?

...


Even with the internet and WLAN functions turned off, yes, a cell phone can be located if it has GPS built in; even without GPS, pinging and triangulating off nearby towers can get someone a pretty close approximation of your position and/or location...

The NSA has long been reputed to have the ability to turn on turned off devices, but the NSA has been very coy about actually admitting the capability; given it is the NSA, the good bet would be "Yes". However, in order to legally do such an action, the NSA would need a warrant from a FISA court, which would mean a very limited access, both in scope and time and the NSA, or any other agency, would have to give the court very, very specific reasons and/or evidence to back up a warrant request...

I've read varied views on the efficacy of aluminum foil to block RFID; some (usually those wanting to sell their nigh-priced alternatives) claim foil does little to block RFID. The most consistent view I've seen is foil will block most RFID readers at long range, but at closer range, say, a couple of inches, the reader may detect an RFID device; what is interesting, in most of the tests I've seen, a majority of the more thorough tests have shown, while the RFID devices are detectable, the foil actually prevents the RFID device from transmitting back to the reader, essentially a one-way situation, sort of like a diode...





<O>
__________________
__________________________________________________ __
vienna is offline   Reply With Quote
Old 10-19-17, 05:24 AM   #11
em2nought
Ocean Warrior
 
Join Date: Mar 2004
Posts: 3,182
Downloads: 0
Uploads: 0
Default

I wonder if I've downloaded an app that turns my wifi on? I've noticed it on a few times lately when I didn't intentionally turn it on. hmm? I wonder if it's that bank app, it's probably counting my money, and telling the police to seize it as in asset forfeiture. lol

At work I have everything on cat 5 with no need for wireless so I have it turned off, until now that is. I'm thinking of introducing a few security cameras to the mix and I believe they'll require wireless. Maybe I can just turn it on each night, and then off the next morning.
__________________
Looks like we need a Lemon Law for Presidents now! DNC sold us a dud, and they knew it.
em2nought is offline   Reply With Quote
Old 10-19-17, 05:58 AM   #12
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,338
Downloads: 9
Uploads: 0


Default

I have GPS off by default, to. Though to ease battery drain, not so much for secuirty concerns. But if I do establish an online connection, the web would know with utmost preicison then where I am, if GPS is on, the web could read out the precise position data. So I only have it on when I need it: both GPS, and internet connections.

I recommend for navigation OsmAnd over Google. Not only doe sit have the far b etter and more updated maps, but it doe snot need online connectivity, can be used via downloaded offline maps and GPS alone. Google Maps does not want to work without online status, even when it is not needed. They want the user to be easily trackable.

GPS alone however is fully passive, I believed I understood!? If it emits no signals, how can it be used to track you?

Its all no impenetratable walls, its about setting up hurdles nd trapwires.

The FISA courts operates outside any countercontrol mechanisms, and below the radar of anyone or anything thta is not the closest circle of the president. Which means they can do what they want, practically. Wich means they are only as responsible as the president thinks he is. Which raises a fundamental principle problem, for it unites legislation, jurisdiction and partly even executive in one and the same hand. These three are not for no reason separated in Western state theory. Considering that the FISA and FISC bodies were created to overview the work of the intelligence services, makes it all even more dangerous. These courts very easily can become part of what they were created to control. To me, their creation always appeared to be more an alibi only and even an indirect strengthening of he intelligence services autonomy (which to huge degrees they de facto have). Lesson of the story: you cannot fight bureaucracy by adding new bureaucracy that should fight bureauracy.
__________________
If you feel nuts, consult an expert.
Skybird is online   Reply With Quote
Reply

Tags
android, attack

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 07:39 AM.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 1995- 2024 Subsim®
"Subsim" is a registered trademark, all rights reserved.