Update Every Device -- This KRACK Hack Kills Your Wi-Fi Privacy
Ron Czapala
Posts: 2,418
https://www.forbes.com/sites/thomasbrewster/2017/10/16/krack-attack-breaks-wifi-encryption/#3d5e37b82ba9
excerpt
It's time to get patching again. Another widespread vulnerability affecting practically everyone and everything that uses Wi-Fi was revealed on Monday, allowing hackers to decrypt and look at everything people are doing online.
Researcher Mathy Vanhoef, from Belgian university KU Leuven, released information on his hack, dubbing it KRACK, for Key Reinstallation Attack. Vanhoef's description of the bug on his KRACK website is startling: "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
What's behind the vulnerability? It affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2), relied on by most Wi-Fi users to keep their web use hidden and secret from others. More specifically, the KRACK attack sees a hacker trick a victim into reinstalling an already-in-use key. Every key should be unique and not re-usable, but a flaw in WPA2 means a hacker can tweak and replay the "handshakes" carried out between Wi-Fi routers and devices connecting to them; during those handshakes, encryption keys made up of algorithmically-generated, one-time-use random numbers are created. It turns out that in WPA2, it's possible for an attacker to manipulate the handshakes so that the keys can be reused and messages silently intercepted.
Comments
https://www.pcworld.com/article/3233308/security/krack-wi-fi-security-flaw-faq-tips.html
EDIT:
Now for some somewhat settling news: Iron Group CTO Alex Hudson says an attacker needs to be on the same Wi-Fi network as you in order to carry out any nefarious plans with KRACK. "You're not suddenly vulnerable to everyone on the internet," he says.
On the other hand, we could say that it was never secure, as this "feature" was there all along. Who knows who was exploiting it before already?
Of course, if you are connecting to public Wi-Fi hotspots that are not under your control, all bets are off. At least one should be sure to be using HTTPS or a VPN etc. in those situations.
By the way, how come this forum is still not using HTTPS?
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key. When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:
In any case, I run a VPN anyway and I'm not bothered by anyone trying or succeeding to crack my connection to whatever network I'm on. They won't see inside my device anyway. They would be just like anyone else who is 'legitimately' on the network - they could see my traffic, but the only thing they'll see is my encrypted VPN traffic.
One or more Intel Products affected by the Wi-Fi Protected Access II (WPA2) protocol vulnerability
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101&languageid=en-fr
https://www.bleepingcomputer.com/news/security/microsoft-quietly-patched-the-krack-wpa2-vulnerability-last-week/
Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft quietly snuck the fix into last week's Patch Tuesday.
While Windows users were dutifully installing October 10th's Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn't provide any useful info until you visited the associated knowledge base article.
See http://espressif.com/en/media_overview/news/espressif-releases-patches-wifi-vulnerabilities-cert-vu228519?position=0&list=W1-rtfr4C9e1Vhf5JEhY_1EPZ-Dag7NT6M7sJEphvS0
Seems like the same problem as Android. There must be a ton of such devices out in the field that are never going to get updated.
https://www.microchip.com/design-centers/wireless-connectivity/embedded-wi-fi/wpa2-protocol-vulnerability
Like the "Mirai BotNet" attack, this especially goes after a vulnerability in Linux. Think about all of those RasPis connected on folks' networks that are using the default 'pi' root password, as well as all the devices in a typical household that are running Embedded Linux: TVs, set-top boxes, cable boxes, and so on.
https://papers.mathyvanhoef.com/ccs2017.pdf
"Our attack is especially devastating against version 2.4 and 2.5 of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key. This vulnerability appears to be caused by a remark in the 802.11 standard that suggests to clear parts of the session key from memory once it has been installed [1, §12.7.6.6]. Because Android uses a modified wpa_supplicant, Android 6.0 and Android Wear 2.0 also contain this vulnerability. As a result, currently 31.2% of Android devices are vulnerable to this exceptionally devastating variant of our attack [33]."
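The mechanism described in the Forbes excerpt (a replayed handshake message makes the client reinstall the key in use and reset its nonce) and the all-zero-key variant quoted from the paper, modelled side by side with the fixed behaviour. This is an added teaching example, not code from the articles, the paper or wpa_supplicant; the `Client` class, the SHA-256 stand-in for the CCMP keystream and the frame contents are constructed assumptions.

```python
import hashlib

def keystream(key: bytes, pn: int, length: int) -> bytes:
    # Stand-in for CCMP's AES-CTR keystream, which depends on the temporal key
    # and the packet number used as nonce: same key + same nonce => same keystream.
    return hashlib.sha256(key + pn.to_bytes(6, "big")).digest()[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool, zeroes_key_after_install: bool = False):
        self.patched = patched
        self.zeroes = zeroes_key_after_install  # models wpa_supplicant 2.4/2.5 (assumed)
        self.tk = None        # installed temporal key
        self.pn = 0           # CCMP packet number, used as the nonce
        self.installed = False

    def on_msg3(self, tk: bytes) -> str:
        if self.patched and self.installed:
            return "duplicate message 3 ignored"  # fix: never reinstall an in-use key
        if self.installed and self.zeroes:
            # Flawed variant: the real key was cleared from memory after the first
            # install, so a second install writes what is left there: all zeros.
            self.tk = bytes(16)
        else:
            self.tk = tk
        self.pn = 0           # reinstallation resets the nonce; this is the core flaw
        self.installed = True
        return "key installed"

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def demo(patched: bool, zeroes_key_after_install: bool = False) -> dict:
    tk = hashlib.sha256(b"constructed PTK material").digest()[:16]
    c = Client(patched, zeroes_key_after_install)
    pt1, pt2 = b"frame one: hello", b"frame two: world"  # constructed, equal length
    c.on_msg3(tk)
    pn1, ct1 = c.encrypt(pt1)
    c.on_msg3(tk)                 # message 3 arrives a second time
    pn2, ct2 = c.encrypt(pt2)
    return {
        "nonce_reused": pn1 == pn2,
        "installed_key": c.tk,
        # With key and nonce reused the keystreams cancel: ct1 ^ ct2 == pt1 ^ pt2
        "keystream_reused": xor(ct1, ct2) == xor(pt1, pt2),
    }
```

Run `demo(False)`, `demo(True)` and `demo(False, True)` to compare the vulnerable client, the patched client and the all-zero-key variant.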
You might want to do the search again:
zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
"Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix."
If you want to do something fun on your own network, try running the following on a Linux box (especially a Raspberry Pi or a BeagleBone Black). You'll get a lot of info regarding your router as well as any neighbor that is within range and broadcasting their SSID. Note: war hackers can reach a Wi-Fi connection up to 3 miles and more out.
The thing about the "all zero" key is interesting. Seems the spec calls for zeroing keys after use. A sensible precaution to clean secret stuff out of memory after use. Which of course leads to making the issue even worse in the case that you actually do that.
iwlist is fun. Nothing special though. It only does what all computers do to find out what is out there on the waves to connect to. Of course a typical GUI interface does not show you all that detail.