AmberCutie's Forum
An adult community for cam models and members to discuss all the things!

Vulnerability in All Wi-Fi Devices

This is a public service announcement (PSA) from the Wordfence team regarding a security issue that has a wide impact.

Today is being called “Black Monday” in many information security circles. We have had a major Wi-Fi vulnerability announced that affects absolutely every device that supports Wi-Fi. The vulnerability allows attackers to decrypt WPA2 connections. A second vulnerability also emerged today, and we will cover that at the end of this post.


If you live in a city, don't use your wifi until you can get your router patched. I assume most people who cam are using ethernet, but in the meantime, to protect yourself, use an ethernet cord. Pretty much everything that uses wifi needs to be patched/updated:
  • Desktop workstations
  • Laptops/notebooks
  • Mobile phones
  • Tablets and e-readers that use Wi-Fi
  • Home and office routers
  • Home devices like NEST, Amazon Echo and Google Home
  • Printers, both home and office, that use Wi-Fi
  • Any other device that uses Wi-Fi

If you don't know how to update your router modem, call your ISP's tech support and they can walk you through it.



---
NOTHING IS SAFE
 
https://www.theverge.com/2017/10/16/16481818/wi-fi-attack-response-security-patches

Not sure if I should freak out or not. I use a router, but I also use Windows 10. The router is mainly used for my Android phone as a wifi device (so I don't use data), but my computer is plugged in to the router via ethernet and my computer has Windows 10. This is where I am confused.

My Android phone doesn't use Windows 10 as it is Android, but it is connected to a router that is connected to my computer that DOES use Windows 10.

The layers of this computer stuff are confusing.
 
https://www.theverge.com/2017/10/16/16481818/wi-fi-attack-response-security-patches

Not sure if I should freak out or not. I use a router, but I also use Windows 10. The router is mainly used for my Android phone as a wifi device (so I don't use data), but my computer is plugged in to the router via ethernet and my computer has Windows 10. This is where I am confused.

My Android phone doesn't use Windows 10 as it is Android, but it is connected to a router that is connected to my computer that DOES use Windows 10.

The layers of this computer stuff are confusing.

If you are using ethernet, your computer is safe. It's anything that uses wifi that needs a patch. Disconnect the wifi from your phone and just use your data in the meantime. I have wifi security cameras I had to take off my network.

So if your phone is connected to the wifi, it's vulnerable.
 
It's a complex vulnerability to execute and requires physical proximity to the network. A victim would need to be specifically targeted. An attacker also can't decrypt TLS (HTTPS) traffic. Financial, most social media, most web email and even MyFreeCams would be protected since they use HTTPS sessions.

I wouldn't worry about it. Just make sure you don't ignore updates for your router and internet connected devices. If you're paranoid, use ethernet or a VPN.
 
If you live in a city, don't use your wifi until you can get your router patched

That's an over-reaction... As pointed out by Jesse0328, it's hard to exploit and the majority of the important sites use HTTPS; if you want to do anything in the meantime without disabling wifi, just install the "HTTPS Everywhere" extension on your browser and it will ensure you will not be able to open any insecure sites.
 
That's an over-reaction... As pointed out by Jesse0328, it's hard to exploit and the majority of the important sites use HTTPS; if you want to do anything in the meantime without disabling wifi, just install the "HTTPS Everywhere" extension on your browser and it will ensure you will not be able to open any insecure sites.

But it isn't just computers that are affected.
 
If you are using ethernet, your computer is safe. It's anything that uses wifi that needs a patch. Disconnect the wifi from your phone and just use your data in the meantime. I have wifi security cameras I had to take off my network.

So if your phone is connected to the wifi, it's vulnerable.

Technically, it's anything which has WiFi active. Your system can be plugged in, and if the wireless interface is still active, it could be vulnerable. While this is a relatively complex vulnerability, it's still worth taking very seriously.

Personally, I hard-wire everything I can. I've always viewed WiFi, Bluetooth, etc. as being highly insecure and only run when necessary. I shut everything down when not in use such as printer, etc. However, like you I have WiFi security cameras that I'm going to figure out how soon before they do the updates and decide when to bring them back online.

I'm waiting for my new router and firewall to arrive, then I can split everything out. Servers, laptops, etc on the internal. Cams, consoles, tablets and phone on the external.


The interesting part of this is how the different manufacturers are going to handle this. If you have a device that's older, will they provide an update, or will they just make you either accept risk or buy new?
 
requires physical proximity to the network.

This makes me not too worried about myself. I'm on a farm. I'd like to see someone actually bother coming out here to fuck with us.
 
We also had to disconnect our wifi security cameras in and around our house. I really hope those bastards don't make us buy new ones. My husband was in network security and he knows what he could easily do at 15 with this exploit. So don't tell me I'm overreacting... It's called staying safe.
 
It's a complex vulnerability to execute and requires physical proximity to the network.

Also you didn't mention the other big part - it requires an insane amount of luck (or time) for it to be worth it for the attacker, which is why I believe home users will not be attacked.

Let me expand a bit - this attack requires proximity as mentioned by Jesse and timing (or luck).

Proximity by itself is a problem - there's no way that an attacker won't be noticed in a residential area after lingering around for hours/days before police is called.

Hours/days? Yes - that's where the timing/luck part comes in: the attacker has to be lucky enough to be watching your network when you access something that is both *interesting* and *unencrypted* at the application level, which is not common at all. For an example, I looked at the traffic history of my home (only one user) and also my mother's home (3 adult users, two of which are non-technical and have a tendency to install random crap on their devices and click random links) for the last month and couldn't find a single connection that looked interesting (unencrypted and to a commercial website of any nature) from an attacker's POV (unless your attacker likes cat/dog pictures).

"But what about your wifi security cameras?" Yeah, they could watch those, but what information would that give them that they can't get elsewhere or more easily (with just their eyes, for example)?

Because of those factors, I have no doubt that anyone targeting home users will stick to the old methods - trojans, social engineering, remotely exploitable flaws - as they can be used 'safely' from the other side of the planet at a considerably lower cost.

Now, for any business that doesn't have a network designed on a 'zero trust' model, then you have to worry, especially if your business is near a coffee shop, mall or any place where people can linger for hours.
 
Proximity by itself is a problem - there's no way that an attacker won't be noticed in a residential area after lingering around for hours/days before police is called.

Hours/days? Yes - that's where the timing/luck part comes in: the attacker has to be lucky enough to be watching your network when you access something that is both *interesting* and *unencrypted* at the application level, which is not common at all. For an example, I looked at the traffic history of my home (only one user) and also my mother's home (3 adult users, two of which are non-technical and have a tendency to install random crap on their devices and click random links) for the last month and couldn't find a single connection that looked interesting (unencrypted and to a commercial website of any nature) from an attacker's POV (unless your attacker likes cat/dog pictures).

The one variable you seem to neglect when it comes to home users is if they live within range. It's not so much the random guy walking around with a network sniffer. Therefore, they could be sniffing traffic and you'd never be the wiser. Parse through logs, searching for specific phrases, and you might have something. Go to an ultra-dense locale such as studio apartments, dorms, etc and the chance of it multiplies. Yes, this may already be occurring, even prior to this particular vulnerability so it's not new. Again, just another vector that's already open and why I shut it down whenever I can.

"But what about your wifi security cameras?" Yeah, they could watch those, but what information would that give them that they can't get elsewhere or more easily (with just their eyes, for example)?
You're not thinking this through all the way. Yes, they can hack cameras and see into your home. But, the idea of privacy is now violated that shades don't protect against. I'm sure my neighbours would much rather have a view at the gals across the hall than seeing me walking out of the shower without a thread on me.

Add to it that most crimes occur against those they know. Therefore, cameras could be used to spy when someone is home, get video/pics of intimate moments or just someone walking out of a shower. Perhaps someone does something in the privacy of their own home that they could get into trouble with in public.

Much greater implications than you're thinking....
 
Anything with an Internet has vulnerability by definition. I don’t keep work material on my devices or home computer, and I live in the land where the term security freak is re-invented any given day of the week. Not freaked out yet.
 
Go to an ultra-dense locale such as studio apartments, dorms, etc and the chance of it multiplies.

It doesn't multiply that much - it also increases the complexity unless they know exactly which network to target. If they don't, they then have to use more hardware to capture all potential networks until they identify yours and can focus the attack, which makes it even less likely. As I've said, there's cheaper attacks.

You're not thinking this through all the way. Yes, they can hack cameras and see into your home. But, the idea of privacy is now violated that shades don't protect against.

My privacy is not violated in this case - all my cameras are set up for monitoring only possible entry points (doors/windows), so they never record anything private.
 
Anything with an Internet has vulnerability by definition. I don’t keep work material on my devices or home computer, and I live in the land where the term security freak is re-invented any given day of the week. Not freaked out yet.

Exactly. Anything is vulnerable, and I keep work and home strongly separated. Security is ever evolving, and this is really nothing more than yet another breach in a long line of what has, and what will be vulnerable.
 
It doesn't multiply that much - it also increases the complexity unless they know exactly which network to target. If they don't, they then have to use more hardware to capture all potential networks until they identify yours and can focus the attack, which makes it even less likely. As I've said, there's cheaper attacks.

It does multiply, and given the environment, it can be a very easy and somewhat rewarding finding. Again, it takes nothing to setup a server, listen to traffic and even less to use a command to parse logs searching for specific strings.

Sometimes the best target is the one which is least suspecting, i.e. compromise home networks for a larger scale and brute force attack on a corporation.



My privacy is not violated in this case - all my cameras are set up for monitoring only possible entry points (doors/windows), so they never record anything private.
Just because your privacy may not be doesn't mean that others' aren't.
 
Yes, they can hack cameras and see into your home. But, the idea of privacy is now violated that shades don't protect against. I'm sure my neighbours would much rather have a view at the gals across the hall than seeing me walking out of the shower without a thread on me.

Add to it that most crimes occur against those they know. Therefore, cameras could be used to spy when someone is home, get video/pics of intimate moments or just someone walking out of a shower. Perhaps someone does something in the privacy of their own home that they could get into trouble with in public.
People have security cameras inside their home?

(Sorry it's a tad off-topic but I can't envision many people having cameras positioned inside/at their private rooms unless they're models on a voyeur site.)
 
People have security cameras inside their home?

(Sorry it's a tad off-topic but I can't envision many people having cameras positioned inside/at their private rooms unless they're models on a voyeur site.)
A few of my colleagues do for monitoring pets while they’re out. (I want one haha)
 
People have security cameras inside their home?

(Sorry it's a tad off-topic but I can't envision many people having cameras positioned inside/at their private rooms unless they're models on a voyeur site.)

Well my husband is usually working when I'm working. I have them in my hallway outside my camroom and our bedroom. Front door, both side doors. It's just another sense of security. He got them after I got outed in case anyone in my family goes psycho.
 
I have a feeling that I will regret this, but here goes:

This vuln is concerning and somewhat alarming, but it's not 3 alarm fire/DEFCON1. 1st off, this has only been exploited in a lab/test environment. As they say in the biz, this vuln exploit has not been seen in "the wild". 2nd, yes, the attacker has to have relatively close proximity to the vulnerable network/device. So right off, people like Amber, Saffron, and myself can wait on the sidelines in relative safety until companies roll out the patches.

There's a lot of misinformation floating around out there. This and other similar vulns are for the most part not about hacking your camera to watch you brush your teeth or make a driveway log on your property. Or to hack into your Echo to resort your playlist. It's about entry to your network. If this vuln is exploited correctly, the attacker can downgrade your connections to non-HTTPS connections. So yeah, that's not good. You can google it, but there's all kinds of things that could be done, like dropping malware/ransomware on your device; making your device part of a botnet, etc.

Also, the people who say "I'm wired, I'm good", may not be good. Depends on what kind of router you have, do you have a switch or not, etc. Lots of variables. Some wireless routers broadcast all packets, whether they are destined to a wired node, or not. This should make patching your router priority 1.

To restate: yeah, not good. BUT, while possible, for most of us, it's not probable. Too expensive, too time intensive, too many boots on the ground to do much damage. For home users. If I was a Corporate Security XXX, where "XXX" is any position above password changer, I'd be shitting bricks. Only because I know the corporate business side has a huge reluctance in patching, due to many years of poor IT performance in that area. The old battle between "Keep the trains running" vs. "We need to lock the barn door".

To sum up: most of us should be OK. It's not in the wild yet, so we have time to patch, and patch, and yell at our vendors to make the patch. The people who will be worst off: the ones with older hardware/devices that vendors won't patch. You guys will have to buy new shit, or do without. Makes me glad that I just upgraded my iPad 2 for a Pro, lol
 
People have security cameras inside their home?

(Sorry it's a tad off-topic but I can't envision many people having cameras positioned inside/at their private rooms unless they're models on a voyeur site.)
Yes, I have them as I live in a dense community of people, and having external cameras is not beneficial for me. Motion alerts would be going off frequently, theft, etc. So, I have them setup in key locations to cover windows and doors and turn them on when I leave the premises. This way, I can record them actually being in the residence, what they might have done/stolen/etc. Yes, it's kind of after the fact. But, it's also much more damning since they are inside, vs just in the property. Also, due to their location, I will most likely get a much better recorded shot of their face and distinguishing features.

Also, I have them for smoke/fire alerting as they tie into the complete package. If smoke detectors go off, I can turn on cameras and see where the fire is and also have recording of where it may have started.
 
There's a lot of misinformation floating around out there. This and other similar vulns are for the most part not about hacking your camera to watch you brush your teeth or make a driveway log on your property. Or to hack into your Echo to resort your playlist. It's about entry to your network. If this vuln is exploited correctly, the attacker can downgrade your connections to non-HTTPS connections. So yeah, that's not good. You can google it, but there's all kinds of things that could be done, like dropping malware/ransomware on your device; making your device part of a botnet, etc.

This is exactly the point I was attempting to make is that it is for modification and to make it into another tool for hackers. Once on a network, it can be difficult to completely eradicate as you have no idea how far it is. Corporations with decent IT teams can work their way through a lot of this, and hopefully are working their way towards far better security if they aren't there yet.

But your average homeowner or private user is not as savvy and is at far greater risk of not doing anything, which allows it to propagate.

The viewing of cams, etc is but a small portion of the potential damage. I was simply stating that as it was already done multiple times in the past, and was directly related to the device.
 
People have security cameras inside their home?

(Sorry it's a tad off-topic but I can't envision many people having cameras positioned inside/at their private rooms unless they're models on a voyeur site.)

Some of those security cameras are 4k and have built-in streaming. So you could in theory stream to CB at 4k. XD
 
Update
Note: if any of you are using riseup you most probably received the following



Adobe Flash Advisory
====================================================

The problem
----------------------------------------------------

Adobe Flash is a plugin for most web browsers that allows the browser to display interactive content such as games and videos. In a new vulnerability announced on Monday, Adobe Flash can be tricked by a website you visit or a document you open to allow a remote attacker to take control of your computer.

Who does this affect?
----------------------------------------------------

The problem exists in all web browsers that have Adobe Flash, on all operating systems. It also affects Microsoft Office.

By combining this vulnerability with others, an attacker can take total control over your computer, read all your data, capture all your login accounts, spy on you through the webcam, and so on.

What can I do to protect myself?
----------------------------------------------------

Disable Adobe Flash immediately. It is a constant source of security holes, and is being discontinued by Adobe.

Until recently, sites like YouTube relied heavily on Adobe Flash. Today, however, you don't need Adobe Flash in order to use most sites with dynamic content or video. Because of this, you should disable or uninstall Flash entirely. If you have some burning reason you need Adobe Flash, you can also upgrade Flash to the new version without the vulnerability.

Disable Flash

* Chrome: Preferences: Settings > Show advanced settings > Content settings > Flash > uncheck "Allow sites to run Flash".

* Firefox: Tools: Add-ons > Plugins > Flash > Never Activate.

Uninstall Flash

For instructions on how to uninstall Flash for every browser, see https://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/

Upgrade Flash

See Adobe's security advisory for instructions on how to get a patched release of Flash https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

More information
----------------------------------------------------

An attack using this vulnerability in Adobe Flash was observed on October 10 by Kaspersky Lab. The vulnerability was being used to infect the victim's computer with the FinFisher malware. The group behind the attack is believed to be BlackOasis, aka NEODYMIUM, which historically focuses on targeted attacks against civil society actors in Turkey. BlackOasis is classified as an "advanced persistent threat" and is believed by many researchers to be a customer of the Gamma Group, a German and UK corporation with a long history of surveillance and monitoring of activists.

For further reading, see:

http://www.securityweek.com/middle-east-group-uses-flash-zero-day-deliver-spyware

https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://en.wikipedia.org/wiki/Gamma_Group


Wi-Fi Advisory
===================================================

There is a new class of attacks against Wi-Fi networks. Most Wifi networks these days use a technology called WPA2 to protect the network from eavesdropping. Researchers found a way to break this.

These attacks allow an adversary within Wi-Fi range to read your network traffic and potentially to also send your device nefarious traffic, depending on what device you are using.

Who does this affect?
---------------------------------------------------

Nearly all Wi-Fi devices and operating systems are vulnerable, to varying degrees. This includes nearly all laptops, mobile phones, and Wi-Fi connected devices. In particular, most Android and Linux devices are highly vulnerable.

What is the danger?
---------------------------------------------------

There are many attacks that are made possible with this vulnerability. For example:

* An attacker could read your login username and password if not transmitted using HTTPS (encrypted browser connection). Riseup requires HTTPS on all servers -- but many services do not.

* An attacker could downgrade your secure HTTPS web browser connection to an insecure HTTP connection, depending on the configuration of the server (Riseup servers are protected against this).

* If you click on a link to download a file, an attacker could attach a virus to that file while it was in transit to your device (in some cases).

What can I do to protect myself?
------------------------------------------------

If you have an Android device, you should disable Wi-Fi and use your telco's data plan whenever possible. When possible, keep Wi-Fi disabled until an update becomes available for your device.

You should update your devices as soon as possible. Unfortunately, there are no fixes yet for most operating systems or Wi-Fi access points.

The use of HTTPS is always a good idea, particularly now. We recommend that everyone install the browser extension "HTTPS Everywhere" which will automatically switch your browser to use HTTPS when a website supports it. The new Wi-Fi attack makes it much easier for an attacker to try to downgrade your web browsing to use an insecure connection, and the HTTPS Everywhere extension will prevent this for most popular websites. See https://www.eff.org/https-everywhere to install this extension.

The use of a personal VPN is always a good idea, particularly now. A personal VPN encrypts your traffic to the entire internet, while a corporate VPN just encrypts your traffic to the corporate network. To read more about Riseup's VPN service, see https://riseup.net/vpn

Current update status
------------------------------------------------

Android: There is no fix yet for Android. Devices with Android 6.0 or later are highly vulnerable.

iOS: No update is available yet.

macOS: No update is available yet.

Windows: Update is available.

Ubuntu and Debian Linux: Security patches are available. Run `sudo apt update; sudo apt upgrade`.

Red Hat Linux and Fedora: No fix yet released. See https://access.redhat.com/security/cve/cve-2017-13077 for latest status. You can keep trying to run `sudo yum update` until you see wpa_supplicant get updated.

Access points and home routers: check the website of the manufacturer.

More information
-----------------------------------------------

For an updated list of the state of security patches to client operating systems and AP firmware, see:



https://www.bleepingcomputer.com/ne...-driver-updates-for-krack-wpa2-vulnerability/

http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

For more information on the flaw in WPA2, see:

https://arstechnica.com/information...l-leaves-wi-fi-traffic-open-to-eavesdropping/
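
Added example, not part of the Riseup advisory or of any post in this thread: a way to confirm the wpa_supplicant update the advisory says to wait for has actually landed, by looking for the CVE from the advisory's Red Hat link in the installed package's changelog. It assumes the packager names fixed CVEs in the changelog and that the package is called `wpa_supplicant` on RPM systems and `wpasupplicant` on Debian/Ubuntu; the sample changelogs are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# wpa_supplicant package changelog records a fix for the linked CVE.

CVE_ID="CVE-2017-13077"   # taken from the Red Hat URL in the advisory

# Read a package changelog on stdin. Prints "listed" if it names the CVE,
# "not-listed" otherwise. Assumption: the packager lists fixed CVEs there.
# A much newer release with a trimmed changelog can read "not-listed" even
# though the fix is included, so treat that result as "check the version".
status_from_changelog() {
    if grep -qiF -- "$CVE_ID"; then
        echo listed
    else
        echo not-listed
    fi
}

# Print the changelog of the installed package, or fail if none is found.
installed_changelog() {
    deb_log=/usr/share/doc/wpasupplicant/changelog.Debian.gz
    if command -v rpm >/dev/null 2>&1 && rpm -q wpa_supplicant >/dev/null 2>&1; then
        rpm -q --changelog wpa_supplicant      # Red Hat, Fedora
    elif [ -r "$deb_log" ]; then
        gzip -dc "$deb_log"                    # Debian, Ubuntu
    else
        return 1
    fi
}

# "listed", "not-listed", or "unknown" when no changelog can be read
# (package not installed, or documentation files stripped from the system).
wifi_client_status() {
    if log=$(installed_changelog); then
        printf '%s\n' "$log" | status_from_changelog
    else
        echo unknown
    fi
}

# Constructed sample changelogs (not real package history), so both
# outcomes can be seen without the package being installed.
SAMPLE_FIXED='* Mon Oct 16 2017 Example Packager <pkg@example.invalid> - 0.0-2
- avoid key reinstallation (CVE-2017-13077)
* Mon Jan 02 2017 Example Packager <pkg@example.invalid> - 0.0-1
- initial build'
SAMPLE_OLD='* Mon Jan 02 2017 Example Packager <pkg@example.invalid> - 0.0-1
- initial build'

echo "sample (fixed): $(printf '%s\n' "$SAMPLE_FIXED" | status_from_changelog)"
echo "sample (old):   $(printf '%s\n' "$SAMPLE_OLD" | status_from_changelog)"
echo "this machine:   $(wifi_client_status)"
```

This only covers the client side of the Linux machine it runs on; routers, phones and cameras still need their vendor's firmware or OS update.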
 
Adobe Flash Advisory

I tried disabling the adobe flash and couldn't get any video on MFC. Not sure if this advisory is gonna work on MFC. Are there other options? I suppose the updating, but it would be nice for it to be said "Just keep updated" as opposed to the disable flash and websites are moving away from flash.

I was updated, but damn if these kinds of alerts don't drive me bonkers, because I want to negate any chance of being compromised, but I don't really see any other option.
 
@Dan202 while helpful, your info is a little out of date on some items

Red Hat/Fedora have had fixes for almost a week. Many of the articles I glanced at were about a week old. So, I would think there have been many updates since then. For example, Red Hat and Fedora released updates on the 17th.


I tried disabling the adobe flash and couldn't get any video on MFC. Not sure if this advisory is gonna work on MFC. Are there other options? I suppose the updating, but it would be nice for it to be said "Just keep updated" as opposed to the disable flash and websites are moving away from flash.

I was updated, but damn if these kinds of alerts don't drive me bonkers, because I want to negate any chance of being compromised, but I don't really see any other option.

Downside is that Adobe is so heavily embedded in websites that it won't be gone any time soon. It'd be like Java just going away. Most sites would break and have to be almost entirely recoded in a mad rush...

Best way to mitigate risks is to only go to known sites, install things such as AdBlock Plus, have a good A/V, and be vigilant on computer use. Most importantly, stay up to date on all patches and software updates.
 
@ForceTen you might be right, some of the vulnerabilities might have been fixed (I didn't test). It's a copy/paste from the alert email; I don't navigate the dark side of the web daily, so I didn't check the emails every day. Anyway, the rate of propagation of the vulnerabilities is wider, and not even a month (late) can be assumed as "old news".

I wonder what's next?
o_O targeting popular (m device) apps ...?!
I'm covered, I have an old mobile around :) no wifi, no selfie, no camera --- pretty ancient but reliable
 
It's a lot of info to digest and did appreciate the passing of info. I read the bit about Fedora/RHEL not being patched and knew it was incorrect as they released patches early last week.

Ultimately, it's up to the device owners to determine whether their devices have patches and how to do them, as well as how to handle it if there is no patching available for that device.

The mobile apps have long been a target on phones and tablets. Many had trojans in them and would install rootkits, etc to get data. These are mostly from various apps, etc which are relatively unknown or from unknown sources. I only install mobile apps from trusted sources and vendors.

There will always be flaws uncovered in no matter what is programmed. A couple weeks ago, I got an alert on a food processing software...

Who'd a thunk it?
 
I find it interesting what people get alarmed about. A WiFi hack - requires proximity as discussed. All sorts of measures to reduce risk. Most of the things that get alarming headlines on tech blogs are obscure and improbable exploits now. Why? The real risks were documented long ago, and while they still exist, that'd be a boring retread article.

What camera do most people have in their homes (aside from the webcam built into their laptop) - nanny (dog) cam. One of them there "internet of thangs" devices which never get patched. Typically have their own webserver so you can check them remotely and so do lots of other people. There are sites full of voyeurs who watch them using the default login and cracked ones. There even was a search engine for them, hopefully defunct. Know of from a security podcast and doing some research about cameras for monitoring workplaces - only into consensual cam models

The user will always be a weak point. "I'm home, I shut off the cam app so even though that camera is pointed at me now it's not doing anything". /facepalm

But then I have a no name Chinese Android TV box just for watching videos off my local server so I'm worse than most. And a Motorola Android phone that hasn't had a single update yet. No excuse for them being on the LAN. Heck I'm not even responsible enough to use charging only cables with my vapes - I'm inviting trouble. I know it and I still do it because it seems an acceptable risk vs the nuisance. Until I get bit, which is just a matter of when.
 
There even was a search engine for them, hopefully defunct.

Nope, it's still alive and kicking and finding worse and worse things online with shitty security - from home security cameras to hydraulic dam control systems.
 