Wifi Vulnerability to be VERY aware of

Anyone who uses Wifi on their devices please take note of the following and take steps to ensure your Wifi safety!

Wifi encryption, eg WPA2, has been shown to be vulnerable to attack and the threat is NOW. The attack is aptly named KRACK, coming from what happens: key reinstallation attacks (k from key, r from reinstallation and ack from attacks). When and if patches become available for your devices you should update immediately. If unsure you should contact your vendor/s for when a patch will be released.

What type & version of software is affected? Basically all of them. Linux and Android (version 6 and on) seem particularly at threat. Currently 41% of Android devices are affected by the vulnerability.

Why? It is because it is the Wifi Standard which is the problem and where the weakness lies. The attacker needs to be nearby and this may have some benefit to some users. Also if you use https this is not necessarily secure and should not be relied on to help circumvent the issue.

Please read these two articles that follow for further information and some possible ways to help minimise problems:

https://www.krackattacks.com/

If you wish to read the paper released by the discoverers of the threat it can be downloaded from:

4 Likes

more on this issue from TheGuardian

4 Likes

Many vulnerabilities are only demonstrated in a laboratory setting rather than discovered in the wild. The conditions required to deploy the laboratory hack in the wild are usually onerous although far from impossible. Locality is a big one for wifi.

Good practice - When in a public place if you do not broadcast a Wifi SID (eg from your mobile phone or enabled wifi host on a tablet) it is unlikely a hacker is interested in spending the time to find you before each of you moves on. They are more interested in trying to hack into the easier targets, eg the SIDs they see, not the ones they don’t see that might be there.

Good practice - Do not connect to an unknown Wifi. At a place with (esp free) Wifi be aware of the correct SID name. The real one could be Centre-Wifi and a hacker could be running Center-Wifi-1. The ‘1’ is appended to make it look like a repeater or alternative AP. Connect to a bogus one at your peril.

War story - Back in the day I was on a small team that designed a very secure monitored alarm system. Monitoring was over leased lines. If the line was cut it went off. It was a digital and analogue system with tight digital windows sans analogue, random crypto verification for each digital transmission, and anything in a frequency of break-enter sounds or simply ‘loud enough’ would trip it. It had remote listening and recording capability amongst other features. If you somehow got a user premises box (low volume, only sold through central stations, so highly trackable) and the theory of operation, and access to the leased line and a tape recorder, you could tap in and synch within 50ms, and if you knew exactly the digital things to play and got them right with the correct crypto for 90 seconds, you could fool it and replace the real user box with yours and go for your break in. With all of that going well for you it was about a 3 1/2% probability you pulled it off. Not perfect, but what were the odds?

My point, not well made above, is that enough security is possible, but hardware and software developers lost their way long ago by ignoring prime rule #1 - protect yourself from the users no matter what. Some historical systems had hardware enforced sandboxes supported by the OS a decade before the internet. My observation about why that was abandoned or ignored was that it was a combination of IBM ‘OS technology’ of the times, and the advent of the microprocessor that did not have the power or sophistication or application where security was a worry. Simplistically, everyone was in the same offices so why worry?

Since then ‘security’ has been patch after patch, and as patches are added so are new vulnerabilities.

5 Likes

… you’ll be ok if you have an Apple™ device with WiFi (cough)

2 Likes

Thanks for letting us know @grahroll. Will keep an eye out for those device updates

2 Likes

Yep that’s a big no. They will patch this fast but anything not patched is not safe.

Also the group that found this issue are saying that https is not necessarily safe and using MACs will not really secure it either (because of MAC spoofing).

@BrendanMays you may be interested in this site as it lists companies etc (not a final list but it is growing) and whether they have patched, not patched and if they have responded to the problem:

3 Likes

Yeah sorry - that’s what the (cough) was intended to convey, euphemistically a distant cough, or maybe a far one … but to spell it out further would be a little naughty. I just laugh when people make technology choices in the belief that it in some way provides them with security - essentially what is not as bad today could be worse tomorrow, and vice-versa, but ultimately there is no secure device, just varying levels of insecure devices. Don’t trust anything or anyone with information you are not prepared to lose.

3 Likes

I understood the sarcasm :slight_smile: that’s why I said “Yep that’s a big no” … sorry if my post was misread. My kids all tell me I only tell dad jokes, the jokes that only dads tell because they are so bad.

1 Like

It seems obvious now. Brain still on holidays after two weeks out of mobile/data/internet/telephone/computer range … Normal programming will return shortly :slight_smile:

1 Like

This from The Conversation of 17 October:

We’re not all doomed

Although this is a serious breach, it is not a simple one technically and requires the attacker to have proximity to the Wi-Fi network. The attacker also has to rely on the attacked device going to unprotected, non-HTTPS sites and to not be using a VPN.

As industry commentators have pointed out, this is not quite as serious as media headlines might suggest. But consider it a timely reminder to install software updates on all your devices.

1 Like

It doesn’t get stopped by you using https or a VPN. The hack just requires being in range of your wifi. It sends packets to enable them access to your wifi traffic. In some cases an all-zero wpa/wpa2 authorisation key is used to gain access to your device. Https and VPN may protect your traffic, but the authors of the paper have advised this is not necessarily secure. The advice at the moment when using your smartphone or other portable device is to use the 3/4G network rather than Wifi until your devices are patched.

From the authors site comes this “warning”: “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Also in regards to encrypted traffic was this: “As mentioned in the demonstration, the attacker first obtains a man-in-the-middle (MitM) position between the victim and the real Wi-Fi network (called a channel-based MitM position). However, this MitM position does not enable the attacker to decrypt packets! This position only allows the attacker to reliably delay, block, or replay encrypted packets. So at this point in the attack, they cannot yet decrypt packets. Instead, the ability to reliably delay and block packets is used to execute a key reinstallation attack. After performing a key reinstallation attack, packets can be decrypted.”

2 Likes
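The quote above says the MitM position alone decrypts nothing and that the damage comes from the key *reinstallation*. The reason is that reinstalling a key resets the per-packet nonce, so two frames end up encrypted under the same key and nonce. The toy model below is an added illustration, not code from this thread or from the KRACK authors: the keystream is an HMAC-SHA256 counter construction standing in for CCMP’s AES-CTR, the frame contents and key are made up, and the “supplicant” is a few lines of state rather than a real driver. It contrasts a client that blindly reinstalls the key on a retransmitted handshake message 3 with a patched client that refuses to reinstall a key that is already in use, and includes a monitor-side check for nonce reuse.

```python
"""Toy model of KRACK's root cause: key reinstallation resets the packet nonce.

All names, keys and frames here are constructed for illustration; the keystream
function is a stand-in for CCMP and is not the real cipher.
"""
import hmac
import hashlib

# Constructed sample frames (same length so the XOR below lines up cleanly).
FRAME_A = b"GET /inbox HTTP/1.1 session=alice-1"
FRAME_B = b"POST /pay amount=100 session=alice-1"
PTK = hashlib.sha256(b"constructed pairwise transient key").digest()


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """CTR-style keystream stand-in: same key + same nonce gives the same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal client state for handshake message 3 and frame encryption."""

    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall  # True models the patched client
        self.ptk = None
        self.nonce = 0
        self.installed = False
        self.events = []

    def on_message3(self, ptk: bytes) -> None:
        # The AP legitimately retransmits message 3 if message 4 is lost,
        # so a client can receive it more than once.
        if self.installed and self.ptk == ptk:
            if self.reject_reinstall:
                self.events.append("retransmit ignored, key already in use")
                return
            self.events.append("key reinstalled, nonce reset to 0")
        self.ptk = ptk
        self.nonce = 0  # the reset that makes later frames reuse a nonce
        self.installed = True

    def encrypt(self, plaintext: bytes):
        """Return (nonce, ciphertext) for one data frame."""
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def run_scenario(reject_reinstall: bool):
    """Install key, send a frame, receive a retransmitted message 3, send another."""
    sup = Supplicant(reject_reinstall)
    sup.on_message3(PTK)
    first = sup.encrypt(FRAME_A)
    sup.on_message3(PTK)  # retransmission (or a replay by whoever blocked message 4)
    second = sup.encrypt(FRAME_B)
    return [first, second], sup.events


def detect_nonce_reuse(frames) -> list:
    """Monitor-side check: nonces seen more than once under one key, in order."""
    seen, reused = set(), []
    for nonce, _ in frames:
        if nonce in seen and nonce not in reused:
            reused.append(nonce)
        seen.add(nonce)
    return reused


def keystream_reuse_exposed(frames) -> bool:
    """With a reused nonce, XOR of the two ciphertexts equals XOR of the plaintexts,
    i.e. knowing one frame reveals the other. Returns True if that holds."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(FRAME_A, FRAME_B)


if __name__ == "__main__":
    for patched in (False, True):
        frames, events = run_scenario(patched)
        print("patched" if patched else "vulnerable", events,
              "nonce reuse:", detect_nonce_reuse(frames),
              "plaintext relation exposed:", keystream_reuse_exposed(frames))
```

In the vulnerable run both frames carry nonce 1 and the XOR of the ciphertexts equals the XOR of the plaintexts, which is why the authors say packets “can be decrypted” only after the reinstallation step. In the patched run the second message 3 is ignored, the nonce keeps counting, and the relation disappears. On a real network the equivalent monitor-side signal is a packet number repeating under the same key for the same station.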

… or be an attacker for whom https and/or VPN are less of an issue - they just make it (variably) more difficult, subject to the attacker’s resources.

I’d bet there are some entities who think this disclosure is very serious and who are very p*ssed off - the exploit could well have been in field use for a decade or more :slight_smile:

3 Likes

Anything made by humans is vulnerable … it would be difficult to program something to exclude everyone, even the programmer. This is another example of someone finding something which has not quite hit the mark as anticipated.

1 Like
2 Likes