Published: Mon, October 16, 2017
Science | By Hubert Green

All Wi-Fi devices exposed by "devastating" WPA2 exploit

The attack does not work over the internet: the attacker has to be within Wi-Fi range of the victim's device.

"By forcing nonce reuse in this manner, the data-confidentiality protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged". If you're particularly concerned, using a (reliable) VPN is recommended.

According to Vanhoef, Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and many other vendors are affected by some variant of the KRACK attacks. "For ordinary home users, your priority should be updating clients such as laptops and smartphones", said the researchers. It looks like security researcher Mathy Vanhoef will present the findings at around 10PM AEST Monday, although the work has been under way for some time; Vanhoef first teased the revelations 49 days ago. The attack works against all modern protected Wi-Fi networks. The researchers' website says the fix is a software update on the affected device: a router only needs new firmware from its manufacturer if it supports 802.11r fast roaming or itself acts as a Wi-Fi client, for instance as a repeater.

'Note that as protocol-level issues, most or all correct implementations of the standard will be affected.' The weakness is in the Wi-Fi standard's handshake itself, not in the AES encryption it uses, so any product that follows the standard correctly is affected until it is patched.

The researchers' summary is blunt: "We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks." When a device joins a network, the four-way handshake derives a fresh session key for that connection, and that key is unique to that connection and that device. If initial reports are accurate that exploits against the handshake are easy and reliable, it's likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. The paper singles out Linux and Android 6.0 and later as the worst affected: the wpa_supplicant client they use can be tricked into installing an all-zero encryption key, so an attacker can inject forged traffic as well as read it. The core technique is the same everywhere. By detecting and replaying the third message of the four-way handshake, the attacker forces the client to reinstall a key it is already using, which resets the packet number that serves as the encryption nonce along with the replay counter. Encrypting two packets under the same key and nonce produces the same keystream, and that reuse lets the attacker decrypt much of the traffic passing between the client device and the router.

"This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices", warned Vanhoef, who pointed out that more than 40% of Android devices (including any device on Android 6.0 and above) are vulnerable to this attack. In such cases, the encryption between the router and client device will be completely broken.
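To make the handshake mechanism described above and the Linux/Android all-zero key case concrete, here is an added toy model; it is not code from the researchers' paper or tools. It models a client that follows the standard's rule of installing the key and resetting the nonce on every message 3, beside the patched behaviour (ignore a message 3 for a key already in use) and the wpa_supplicant bug that hands over an all-zero key on reinstall. Everything in it is constructed for illustration: the station class, the demo key, the sample frames, and the SHA-256 counter keystream, which stands in for CCMP's AES-CTR and shares the one property that matters here, namely that the same key and nonce always give the same keystream.

```python
"""Toy model of a KRACK key reinstallation against the WPA2 four-way handshake."""
import hashlib

ZERO_KEY = bytes(16)
# Constructed demo key; a real PTK comes out of the handshake's key derivation.
DEMO_PTK = hashlib.sha256(b"constructed PTK for the demo").digest()[:16]


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Counter-mode keystream. CCMP uses AES-CTR under the PTK's temporal key with
    # a 48-bit packet number as nonce; SHA-256 over (key, nonce, block index) is a
    # stdlib-only stand-in that keeps the property the attack relies on:
    # same (key, nonce) -> same keystream.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Wi-Fi client state: the installed key plus the transmit packet number (PN)
    used as the per-packet nonce. The flags select which behaviour to model."""

    def __init__(self, reject_reinstall: bool = False, zero_key_bug: bool = False):
        self.ptk = None            # key handed to the encryption layer
        self.pending_ptk = None    # key material the supplicant holds during the handshake
        self.tx_pn = 0             # packet number / nonce for the next frame
        self.reject_reinstall = reject_reinstall  # patched: ignore msg3 for a key already in use
        self.zero_key_bug = zero_key_bug          # wpa_supplicant 2.4/2.5 behaviour (Linux, Android 6.0+)

    def on_handshake_msg3(self, ptk: bytes) -> None:
        # The standard says: on message 3, install the PTK and reset the nonce.
        # A retransmitted message 3 therefore reinstalls the key and rewinds the
        # nonce, which is exactly the key reinstallation the attacker forces.
        if self.pending_ptk is None:
            self.pending_ptk = ptk
        if self.reject_reinstall and self.ptk == ptk:
            return                      # patched client: key already installed, do nothing
        self.ptk = self.pending_ptk
        self.tx_pn = 0
        if self.zero_key_bug:
            # the supplicant wipes its copy after the first install, so the
            # reinstall hands an all-zero key to the encryption layer
            self.pending_ptk = ZERO_KEY

    def send(self, plaintext: bytes):
        pn = self.tx_pn
        self.tx_pn += 1
        return pn, xor(plaintext, keystream(self.ptk, pn, len(plaintext)))


def nonce_reuse_attack(client: Station, ptk: bytes, known: bytes, secret: bytes):
    """Attacker in radio range against a client that keeps the correct PTK.
    Returns the recovered secret, or None when the nonce was not reused."""
    client.on_handshake_msg3(ptk)       # legitimate message 3 from the access point
    pn1, c1 = client.send(known)        # a frame whose plaintext the attacker can guess
    client.on_handshake_msg3(ptk)       # attacker replays the captured message 3
    pn2, c2 = client.send(secret)       # vulnerable client: nonce rewound to pn1
    if pn1 != pn2:
        return None                     # keystreams differ, nothing cancels out
    # same key and nonce -> same keystream, so c1 XOR c2 == known XOR secret
    return xor(xor(c1, c2), known)


def zero_key_attack(client: Station, ptk: bytes, secret: bytes):
    """Linux/Android variant: after the replay the key is all zeros, so every
    later frame decrypts without any known plaintext at all."""
    client.on_handshake_msg3(ptk)
    client.send(b"frame sent under the real key")
    client.on_handshake_msg3(ptk)       # replayed message 3
    pn, c = client.send(secret)
    return xor(c, keystream(ZERO_KEY, pn, len(c)))


if __name__ == "__main__":
    known = b"GET /index.html HTTP/1.1"     # constructed sample frames
    secret = b"password=correct horse"
    print(nonce_reuse_attack(Station(), DEMO_PTK, known, secret))
    print(nonce_reuse_attack(Station(reject_reinstall=True), DEMO_PTK, known, secret))
    print(zero_key_attack(Station(zero_key_bug=True), DEMO_PTK, secret))
```

The first call recovers the secret from two frames sent under the same nonce, the patched station returns None because its second frame uses the next packet number, and the all-zero key station gives up its traffic with no known plaintext needed, which is why the researchers describe Linux and Android as the worst affected.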

Until patches arrive, if you're at all anxious you can reduce your exposure by using a VPN (so your traffic is encrypted again inside the Wi-Fi link), or by sticking to HTTPS sites (which employ encryption, as opposed to plain HTTP) where possible. HTTPS is a mitigation rather than a guarantee, though: the demonstration also strips HTTPS from the victim's connection, and the researchers point out that this will "not work on a properly configured HTTPS site", but will work on a "significant fraction" that are poorly set up.

Currently, over two-fifths (41%) of Android devices are vulnerable to this kind of attack. In his demonstration, Vanhoef steals a user's username and password as they log in over Wi-Fi. The attack can be used for, but is not limited to, recovering login credentials (i.e., email addresses and passwords).
