Are you using Wifi? You're probably screwed (The 3:59, ep. 299)

2017-10-16
It's Monday, October 16th, and you know what that means: nothing of any real significance. It's time for The 3:59 podcast. However, I'm BVG, and today we have Roger Chang and Alfred Eng, and we are here to instill fear in every Monday. Is something big happening besides being episode 299 of The 3:59? That's not huge. Tomorrow's huge. But no, we're talking about KRACK. We're gonna be time the KRACK. My favorite. Yeah, no, no, not that kind. Silicon Valley's got a real problem. That's true. We'll be talking about the latest Wi-Fi vulnerability. Alfred, our security expert, will break it all down for you. We're also about 5G if we have enough time. I don't know, we're gonna spend a lot of time on KRACK. You can stop by the Bed Bath & Beyond just forever. So everyone knows, this is KRACK with a K. With the K. It's not the drugs. All capitalized, so it's different. Yeah. So anyways, as always, if you have any questions, I'm sure you will, leave them in the comment section, and I will pick out the best and we will get to them in three minutes and 59 seconds. From 3, 2...

Welcome to The 3:59. I'm Roger Chang. I'm Alfred Eng. So we're talking about KRACK. No, not the drug. It's short for key reinstallation attack, and chances are your Wi-Fi hotspot is vulnerable. Alfred, you wanna break this down for us?

Yeah, so the research was released earlier this morning. It's a WPA2 flaw. It's a, you know, type of security for Wi-Fi. This comes through a four-way handshake system that this Wi-Fi system uses. In the third step, usually it sends the password over and it does this handshake. There were like four different authenticators, and it comes back to your device. In this one, it can continuously inject like a false password or, you know, just essentially getting rid of the encryption port on the third step, the third part of the handshake. Okay. And then at that point it allows any attacker to basically look at your network traffic, hijack your connections and inject content onto basically your Wi-Fi stream. So they can put like a link that you didn't click on into your browser or anything like that. It should be important to note that they need to be nearby for this to happen. But, you know, in the range of, you know, any Wi-Fi connection, you can be like down the block and still attack somebody using this KRACK vulnerability. A lot of the advice that I have been seeing so far is, even though it can decrypt traffic from your network to your device, it can't decrypt, you know, stuff on secure websites. So if you're going on HTTPS websites, yeah, which is the majority of the internet, your connections could still be secure. But the point is they can still inject content into your stream anyway.

So, I mean, look, just the idea that someone can kind of sneak in there through your Wi-Fi connection is not great. I mean, are we basically screwed? Because a lot of people, a lot of these hotspots all use WPA2. So what is the fix for this, or is there one?

Yeah, WPA2 is very common. You know, like you said, there's a lot of devices that do use it. A lot of security researchers have already said don't stop using WPA2. You know what else I've heard is really popular lately? Ethernet cables.

Maybe. Look, let's face it, a lot of our devices are wireless, mobile. That's not really practical. Barring the Ethernet solution, is there something we can do? Make sure the devices are patched up, or what?

Yeah, so the fix: a lot of companies have already issued patches for this after the announcement. So companies have known about this for about three months or so, but they were working on a fix towards it before it was made public knowledge. Hmm. So, you know, patch your systems as soon as possible. The issue is, though, for a lot of IoT devices, they don't get patches frequently. They don't get that many updates. So if you have like a smart doorbell that, you know, you don't want to get patched or anything, maybe consider getting like a normal doorbell instead. It's a lot of like smartphone objects that are particularly vulnerable to this.

All right, next up, we wanted to talk a little bit about 5G. Steven Shanklin has a nice feature on 5G. It seemed like it's coming sooner than we thought. It was projected initially as 2020. We talked to folks who say that really, the first half of 2019, you might actually start to see 5G phones. And that's kind of a surprise, when most people thought that 5G would show up in your home as sort of a fixed broadband connection or with Internet of Things type devices, but phones might actually get it. So the key for the phone is, if you're in a crowded area, you know, like a baseball game or whatever, usually your connection sucks. With 5G you've got a whole bunch of capacity, so your unlimited data plan will still go super fast even if you're in that crowded room.

The other benefit of this would be you would not be affected by this KRACK outbreak. Nice segue. LTE has actually had, you know, really good security in the time that it's been out. Nobody's really been able to hijack like an LTE network like that. So in that sense, you know, that's another thing you can do if you have the luxury of being on LTE all the time: just don't use your Wi-Fi on your mobile devices, or run it off of LTE if you can afford to. But with 5G they would definitely make it much easier. Yep.

All right, for more on these stories and more, check us out on CNET. I'm Roger Chang. I'm Alfred Eng. Thanks for listening.

I have got a lot of work to do in the chat. We have, for a while we have really wanted, and it's awesome. Thanks, everybody, for your great comments. I'm gonna try to filter through these so that we can actually address some of the questions, because everybody's really, is going back to KRACK. I just like saying that. Yeah. Especially when it comes to smart home devices, IoT devices. We talked a little bit about this before the podcast began. Like, does this mean that I should be trusting more, I guess, name-brand smart home makers, or is everyone...

Yeah, I mean, you have to have more of a liability to update if it has their name brand. You know, there's a difference between, oh, like going on Amazon as an update versus, like, there's, you know, the scrutiny behind, you know, no-name whatever. I don't want her. Right, right, right. Some no-name Amazon, like, okay, all of five people are affected by this. But if Nest doesn't update, then it's, okay, this is an entire ecosystem of IoT devices that are, you know, gonna be mismanaged on this.

So it does sort of reinforce the idea that when you're buying smart home stuff, you do have to shop smartly. You have to be a little bit more choosy about what kinds of equipment, who you're buying from.

I mean, the other issue, the bigger issue that I'm looking at is, you know, Wi-Fi enabled, like, ATMs and cash registers and everything like that, because that's a lot of vulnerabilities. You know, when it comes to something like a store, like, I don't know, Whole Foods or Pizza Hut or Target, all of which were breached because of bad, you know, security on their end, on their hardware. That's, like, I think, where the biggest issue is. You know, when these, like, major companies, like, these breaches happen, and you go there and you buy your quinoa or something, and next thing you know, your, like, credit card information is stolen because of a vulnerability like this, because that terminal is also using WPA2. Yeah. Right. Got it. I mean, that's how most of these breaches happen. Got it. So there you go. I think that's the bigger concern with this one. As you're saying, like, it's not just your home, it's not just your own personal products or devices. That's the thing, like, think about how many places use WPA2. I was taking the train into work today and, you know, on the MTA they have, like, the Wi-Fi. I'm not using that. Are you kidding? Yeah.

So yeah, usually when issues like this happen, you know, you should, like, obviously take a look at your own devices first, but then, you know, kind of look around you. Like, look at your local Starbucks, the Wi-Fi that they use, right? And any cafe that you go to, the airport. It's things like, you have to be considering, like, are they updating?

So what about your home Wi-Fi? Like, I've got a Verizon FiOS modem. I believe it uses WPA2. Like, what do I do with the switch there? Yeah, you can switch it.

Yeah, the bulk of the questions in the chat is, yeah, what specific devices are vulnerable? I think it's anything that, any WPA2. Yeah. So if you have, as was just said, if you have a router or something that runs on the WPA2, switch it. Yeah, change it around. It looks like a pretty simple fix. And, you know, stay away from websites that don't have HTTPS, which you should always do anyway. Mine at CNET fortunately is HTTPS as of, like, what, like three months ago. Nice plug.

Yeah, so what you're saying is potentially anything. There's really nothing that's kind of whitelisted on this. It could be a router, it could be Philips Hue. Yeah.

I'm just going through the list of some of the contributions from the chat right now. Mat Dacher says, does KRACK affect all WPA2, including enterprise installations that use 802.1X authentication? I'll have to look into that. I mean, like, this broke at like 5 a.m. this morning, right? There's still a lot of details emerging from this.

And does this actually, could it kind of affect a mobile hotspot on a phone, asks Donna. Yeah, I mean, if it says it's running on WPA2 encryption, yeah, potentially. Yeah.

So the general consensus is, am I screwed? It's like, yeah. It's not clickbait or, not trying to be inflammatory, like, this is legit terribly. The idea behind the whole, like, issue, like, so there's, you know, monitoring your content, and if you're on a website that doesn't have HTTP, you know, you could enter your password in and then they'd be able to just snatch that out of, like, the Wi-Fi, right? But there's also, yeah, the issue of, like, injecting content. So let's say you go to google.com, but you're on, like, a network like this. They can kind of send you a website that looks like it's Google and then ask you to, like, log in, and then get your password. There's, like, a lot of issues that come with this.

Okay, Rob asks, how do I know if my router uses WPA2 and how do I switch? You can go into your router settings for that. I mean, I believe it's different for every router, for many. Well, your router should have an IP address listed somewhere in the manual, printed on the bottom. You should find it easier, like, if you have, like, I have my FiOS modem, the information is printed on a sticker on the modem. So then when you set your Wi-Fi password, you can also set the type of encryption that you want it to have. Change it from WPA2, most likely would help fix that.

And what is the alternative? Like, what's the one... There's, like, tlk PS, and there's always, like, other stuff. Like, it's not coming to me right now, but, right, there's a lot of options.

Okay, Michael Brown is asking, how can you tell if your Wi-Fi has been breached? I mean, it's hard to tell. There's no, like, warning sign out there or anything like that. That's the issue of, like, Wi-Fi breaches, is that they're very, you know, hidden, because your Wi-Fi doesn't know the difference. Like, it just thinks that someone else has connected to it.

So, I mean, the best operating procedure then is just assume you've already been hacked and just change everything. I mean, to me, I don't think, you know, the average person is gonna be targeted by this, but either way, you just want to keep yourself safe. You know, don't think that, like, people aren't gonna be after you, right? I guess, you know, most of the time attackers look for something that's, like, the easiest thing to hit, and if you have a vulnerability like this, yeah.

And I think, to your point, the subway, like, if you see free public Wi-Fi, you should probably stay off of it. Yeah, yeah, yeah. Basically stay away from any, like, kind of, like, watering hole attacks. So a lot of times attackers look for places where a lot of people will be in and connect to the Wi-Fi. Yeah. How, I don't know, is it alligators or lions, how they attack people at water. Animals at water. Alligators. Yeah, sure. Yeah, yeah. Weird analogy. It's called the watering hole attack. Let's keep coming up with analogies. I was gonna call it the Goldilocks syndrome. Like you say, no one is safe. They think, oh, they're not gonna could be after me. I just, if the door is open... Yeah, that's basically it.

And, you know, I think it's really important to pay attention in these kind of breaches, or not breaches, but just, like, announcements of these vulnerabilities and patches, making sure that your products are the latest. Because when you're a large business and you don't patch, that's what happened to Equifax, and that's why half the country's Social Security number... It was one guy's fault. The corner just subdued. Yeah, poor schlub. Yeah, so in Equifax's case, it was the Apache server, like, flaw that was announced in March, and they didn't patch it. And I think that's used it. I think that's what makes this scary, is that there are gonna be plenty of Equifaxes in this situation that we plan to come back to ignore this. This is way easier to break into than the issue of Equifax. So that's what, you know, obviously every person out there should, you know, patch their own systems, but we also have to hope that everyone else, yes, yeah. Yeah, it's like, even if you do everything right, you could still be breached because some, like, supermarket that you go to didn't update themselves. True.

Full disclosure, I mean, I've used WPA2 at home for as long as I can remember, and I didn't know about this until I came into work this morning. I was like, crap. All right, no one really knew that until this broke, right? But I mean, if I had actually checked the headlines before I walked out the door this morning, it would have been a different story. But, I mean, I don't even know, if at the time I had, what I'm going to switch to. But it's a, suddenly we all have to be Wi-Fi security experts.

Well, this is all information, we're gonna have a ton of coverage: FAQs, explainers, how-tos on how to make your networks a little bit more secure, how to defend yourself. So definitely check it all out on CNET. Alfred, you may be getting some calls from me tonight. Oh boy. Frantic calls. I'm just gonna be on stream, like, the whole day, because, like, Skype the whole thing, and just, like, my panic attacks as I'm home calling Alfred in tears: my timer is on WPA2 also. No.

All right, I think that's as far as we can get right now. Like we said, it's still kind of early. A lot of the stuff is still breaking. We're gonna have plenty more to talk about the next few days. The problem is the updated. Yeah. But thanks for tuning in, and Roger, you want to send us out?

Yeah, as always, if you liked anything you saw or heard here, check us out on CNET. Our podcast is also available on iTunes, TuneIn, Stitcher, SoundCloud, Feedburner and Google Play Music. We'll see you all tomorrow. See you tomorrow. Thanks, everyone. Stay safe.