Forum Moderators: bakedjake

High Severity WPA2 WiFi Vulnerabilities, Dubbed KRACK, Key Reinstallation Attacks

     
10:36 am on Oct 16, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24716
votes: 612


WPA2 wireless access points might be a bigger risk to use following proof of concept research that could mean that many access points remain vulnerable for a very long time after a fix is released.

Researchers indicated that a KRACK attack exploits a four-way handshake that is used to establish an encryption key. At the third point of the process the key can be sent multiple times. Under certain circumstances a cryptographic hack can re-use the key in a way that will undermine the encryption.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time.

High Severity WPA2 WiFi Vulnerabilities, Dubbed KRACK, Key Reinstallation Attacks [arstechnica.com]


More information at [krackattacks.com...]

[kb.cert.org...]
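
An added example, not part of the original post or of any vendor's code: a simplified Python model of why accepting a retransmitted third handshake message matters, and of the kind of check a patched client applies. The `Supplicant` class, the HMAC-based keystream (a stand-in for the real WPA2 cipher) and the sample key and frames are all constructed for illustration.

```python
import hashlib
import hmac


def keystream(key, pn, length):
    """Toy per-frame keystream derived from (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Models only key installation and the transmit packet number."""
    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.pn = 0

    def on_message3(self, key):
        # Patched model: a repeat of the already installed key is ignored.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 0  # unpatched: every (re)install resets the counter

    def send(self, plaintext):
        self.pn += 1
        ks = keystream(self.key, self.pn, len(plaintext))
        return self.pn, bytes(a ^ b for a, b in zip(plaintext, ks))


def run(patched):
    """Install key, send a frame, receive message 3 again, send another."""
    key = bytes(range(16))  # constructed sample key
    client = Supplicant(patched)
    client.on_message3(key)
    first = client.send(b"frame one: hello")
    client.on_message3(key)  # retransmitted message 3
    second = client.send(b"frame two: world")
    return first, second


def nonce_reused(frames):
    """True when two frames under one key carry the same packet number."""
    pns = [pn for pn, _ in frames]
    return len(pns) != len(set(pns))
```

With `run(False)` both frames go out under packet number 1, so they share a keystream and the XOR of the two ciphertexts equals the XOR of the two plaintexts; with `run(True)` the counter keeps advancing and `nonce_reused` returns `False`.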
4:19 pm on Oct 16, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24716
votes: 612


Update: It appears that Microsoft has already fixed this on its systems, and the automatic update will "push it" to devices.
Google says it has a fix, but patches won't be issued until November 6 for its own devices. Anyone else with Android is probably way behind the curve.
Linux is also affected, but no updates are currently known as of now, and Apple has not yet confirmed if it is vulnerable.

Here's an update from the Wi-Fi Alliance, which wants to assure people that there's no evidence of this in the wild.
[wi-fi.org...]
5:00 pm on Oct 16, 2017 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1080
votes: 249


Fascinating easy read:

Instead, I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?

Falling through the KRACKs [blog.cryptographyengineering.com] by Matthew Green, 16-October-2017.


RE: Linux mitigation and patches...
* DSA-3999-1 wpa -- security update [debian.org]
* WPA packet number reuse with replayed messages and key reinstallation [w1.fi] (Note: txt file)
6:05 pm on Oct 16, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10113
votes: 550


So on my Android phone I won't use public WiFi until after Nov 6 I guess. That's not much of an issue. My mobile network 4g Lite is nearly as fast and I have unlimited bandwidth.
8:19 pm on Oct 16, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24716
votes: 612


That's only Google's Pixel phones from November 6 when they push the updates. Many handset makers are way behind on updates, and far too slow, imho.
8:34 pm on Oct 16, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10113
votes: 550


Home & office I use my biz WiFi account from Cox ISP. When I get over there, I'll check to see if there's a WPA2 update on my router. I've installed updates before.
10:24 pm on Oct 16, 2017 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 436
votes: 25


DD-WRT pushed out an update last week containing a fix. I believe Microsoft's started pushing out around the same time. One of our routers here doesn't have an update, probably never will, but this attack can be mitigated by either the client or the router. Best to make sure your client devices have the fix so you're good no matter what you connect to.
5:45 am on Oct 17, 2017 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4422
votes: 9


@keyplyr, I never used my droid on any public NW.
However, if needed for my devices, I use the marvelous little thing known as "BiteBird", with which I can connect all over the world.
5:50 am on Oct 17, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10113
votes: 550


henry0 - thanks for the recommendation. I use a different VPN that does the same thing.
8:11 am on Oct 17, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15023
votes: 136


I'm glad this one isn't something that can be taken advantage of remotely. An attacker would have to be in WiFi range of your device to do anything.

Then, if you've got all your traffic encrypted Krack isn't going to be able to do much. Run everything thru a VPN, HTTPS, SSH and you'll be safer.

The biggest PITA of this whole thing is Android devices. It's going to take forever to get these things up-to-date, if patches are ever issued for some hardware. I'm not as concerned about my own devices as I am about other people's.
8:26 am on Oct 17, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10113
votes: 550


No updates ready for my Cox router.
No updates ready for my Samsung TV.
And nothing for my Android devices either.

Well that's reassuring. Glad to see they're on top of things.
2:20 pm on Oct 18, 2017 (gmt 0)

Preferred Member from IN 

Top Contributors Of The Month

joined:Apr 30, 2017
posts:482
votes: 67


My Windows Phone and PC updated with the fix on October 10.

The world needs to ditch Android.
5:49 pm on Oct 18, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10113
votes: 550


Ha... the world IS ditching the Windows phones.

[webmasterworld.com...]
 
