Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
#1
https://arstechnica.com/information-tech...sdropping/

Quote:An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices. The site warned attackers can exploit it to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.


To answer a few questions you may have:
  1. Yes, this is a big deal, probably the biggest blow to internet security since the breaking of the last major wireless protocol's security (though none were as widely adopted as WPA2 is right now) or the last major 0day worm.
  2. Yes, this affects you if you use WiFi. Anywhere. For anything. With any connected device, be it a computer, phone, or any other internet-connected device (think Amazon Echo and other IoT devices).
  3. Yes, this can be fixed... if hardware vendors release patches. Some, such as Ubiquiti, have already released patches/mitigations.
  4. No, your ISP probably won't patch your box... unless you have their latest hardware. They often don't produce their own hardware (or even firmware) and let's be honest, how much do they really care about a regular John's privacy.
  5. No, it's not likely you will be affected by this. There's not much benefit in targeting regular John internet user for people with malicious intent.
  6. The severity of this is mainly due to the way and scale that WPA2 is adopted by everyone from me and you to major corporations, banks and government.
  7. Is there anything I can do to protect myself? Yes. HTTPS and VPN traffic is still encrypted and safe, as long as certificates are legit and valid. Example: Browsing UKCR is still secure even over a broken implementation of this protocol or an open network.
Now. I've already seen a lot of conflicting statements due to how early it is since this has been revealed, so my quick FAQ above is subject to change.
If anybody has any corrections or amendments for accuracy's sake, please post or PM me and I'll amend it.
#2
Paper disclosing the attack method

https://papers.mathyvanhoef.com/ccs2017.pdf
#3
More hits to the internet as a whole today:

'Worse Than KRACK' -- Google And Microsoft Hit By Massive 5-Year-Old Encryption Hole. Thanks to the bug, it's possible to calculate someone's private key by just having the public key.


It only affects certain Infineon hardware that these massive companies use, still... it's a big deal.  It only needs local access to their networks to be potentially catastrophic.

Quote: First, by abusing code signing certificates, used to validate software is coming from a legitimate, trusted source. "Given a code signing certificate's public key (which an organization has to publish), an attacker could derive the private key allowing them to sign software impersonating the victim,"

That's a pretty big deal.

Quote: Estonia's national ID card system was also affected, with 750,000 affected by the weakness, opening up the threat of identity theft, according to local media.

And so is that.
There is a fix for existing Infineon hardware, but only for new keys; existing keys are still affected.

DISCLAIMER
Any views or opinions posted by members are solely those of the author and do not necessarily represent those of the UKCR staff team.