Interesting People mailing list archives
WPA2: Broken with KRACK. What now?
From: "Dave Farber" <farber () gmail com>
Date: Mon, 16 Oct 2017 18:17:58 -0400
Begin forwarded message:
From: the keyboard of geoff goodfellow <geoff () iconia com> Date: October 16, 2017 at 6:03:14 PM EDT To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com> Subject: WPA2: Broken with KRACK. What now? WPA2: Broken with KRACK. What now? By Alex Hudson Oct 15 2017 <https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/> On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security. The current name I’m seeing for this is “KRACK”: Key Reinstallation AttaCK. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to. This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal. In truth, WPA2 has been suspect for some time now. A number of attacks against WPA2-PSK have been shown to be successful to a limited degree, WPA2-Enterprise has shown itself to be slightly more resilient. This is a story that is unfolding as I write. Please be aware: • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of discovering problems here. I want to be clear about this as I’ve be quoted incorrectly in a couple of places! • www.krackattacks.com is now up! • Attacks against Android Phones are very easy! Oh dear 🙁 Best to turn off wifi on these devices until fixes are applied. • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly, the big problem is embedded devices for whom updates are slow / never coming • For the very technical, the CVE list is at the bottom of this post. • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated • I haven’t made any corrections to the advice below yet, but will call out any changes. If you have some great advice to share, please let me know! Information here is good as of 2017-10-16 13:00 UTC, but based on public information – I don’t know anything private, sorry. There will be better sources of information later today which I will endeavour to link to. So, this is going to be a horrible Monday morning for IT admins across the world. The practical question is: what now? Keep Calm Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level. Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides. So, we’re alright? In a word, No. There are plenty of nasty attacks people will be able to do this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they won’t be able to pretend to be a secure site like your bank on the wifi, but they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security. You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to them. [snip] -- Geoff.Goodfellow () iconia com living as The Truth is True http://geoff.livejournal.com This message was sent to the list address and trashed, but can be found online.
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580 Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125 Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20171016181807:E153697E-B2BF-11E7-B835-8E468328FBB3 Powered by Listbox: http://www.listbox.com
Current thread:
- WPA2: Broken with KRACK. What now? Dave Farber (Oct 16)