Interesting People mailing list archives

WPA2: Broken with KRACK. What now?


From: "Dave Farber" <farber () gmail com>
Date: Mon, 16 Oct 2017 18:17:58 -0400




Begin forwarded message:

From: the keyboard of geoff goodfellow <geoff () iconia com>
Date: October 16, 2017 at 6:03:14 PM EDT
To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
Subject: WPA2: Broken with KRACK. What now?

WPA2: Broken with KRACK. What now?
By Alex Hudson
Oct 15 2017
<https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/>

On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a 
fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it 
provides any security.

The current name I’m seeing for this is “KRACK”: Key Reinstallation AttaCK. If this is true, it means third parties 
will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there 
is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal.

In truth, WPA2 has been suspect for some time now. A number of attacks against WPA2-PSK have been shown to be 
successful to a limited degree; WPA2-Enterprise has shown itself to be slightly more resilient.

This is a story that is unfolding as I write. Please be aware:
        • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of discovering problems here. I want to be clear about this as I’ve been quoted incorrectly in a couple of places!
        • www.krackattacks.com is now up!
        • Attacks against Android Phones are very easy! Oh dear 🙁 Best to turn off wifi on these devices until fixes are applied.
        • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly, the big problem is embedded devices for whom updates are slow / never coming
        • For the very technical, the CVE list is at the bottom of this post.
        • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated
        • I haven’t made any corrections to the advice below yet, but will call out any changes. If you have some great advice to share, please let me know!
Information here is good as of 2017-10-16 13:00 UTC, but based on public information – I don’t know anything private, 
sorry. There will be better sources of information later today which I will endeavour to link to.

So, this is going to be a horrible Monday morning for IT admins across the world. The practical question is: what now?

Keep Calm

Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in 
proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is 
important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an 
https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites 
over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over 
your network that requires the encryption WPA2 provides.

So, we’re alright?

In a word, No. There are plenty of nasty attacks people will be able to do with this. They may be able to disrupt existing 
communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they 
won’t be able to pretend to be a secure site like your bank on the wifi, but they can definitely pretend to be 
non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with 
cheaper internet-enabled devices that have poor security.

You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other 
devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer 
works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk 
to them.

[snip]

-- 
Geoff.Goodfellow () iconia com
living as The Truth is True
http://geoff.livejournal.com  

This message was sent to the list address and trashed, but can be found online.