Wi-Fi weakness KRACK disclosed, affecting nearly every connected device

Shawn Knight

Posts: 12,593   +124
Staff member

Wi-Fi encryption security took a major hit on Monday with the disclosure of a flaw that affects virtually every device that wirelessly connects to the Internet.

KRACK, short for Key Reinstallation AttaCK, is a weakness that was discovered in the WPA2 encryption protocol by security researcher Mathy Vanhoef. As outlined in a profile of the weakness, the main attack is against the four-way handshake of the WPA2 protocol that takes place when a client wants to join a protected Wi-Fi network. In short, it works by tricking the victim device into reinstalling a key that is already in use, thus allowing packets to be replayed, decrypted and/or forged.

According to Vanhoef, nefarious types can use the attack technique to steal sensitive information like credit card numbers and passwords as well as access e-mails, photos and chat messages. What’s more, depending on the network configuration, it may even be possible for an attacker to inject ransomware or other malware into a website or otherwise manipulate data.

Because the weakness is in the Wi-Fi standard itself and not an individual product or implementation, it’s likely that any correct implementation of WPA2 is affected. This encompasses devices associated with Apple, Android, Linux, Windows, OpenBSD, MediaTek, Linksys and others although Vanhoef says the attack is especially devastating against Linux and Android 6.0 or higher.

Before going into full-on panic mode, it’s worth nothing that an attacker needs to be within physical range of a network to carry out an attack. The bad news, of course, is that Wi-Fi is all around us so finding a network to attack could be done in seconds.

Although information on the attack is just now going public, details of it were first submitted for review in mid-May. This has given vendors time to investigate the matter and, in some instances, already have patches available.

  • Apple: Cupertino tells CNET that fixes for iOS, macOS, watchOS and tvOS are in beta and will be rolling out to all in a few weeks.
  • Cisco: The company notes that multiple products are affected by the vulnerability. Some patches are already available and some are still pending.
  • Google: The search giant said on Monday that it is aware of the issue and will be rolling out patches for affected devices in the coming weeks.
  • Intel: Chipmaker Intel has a security advisory with updated Wi-Fi drivers and patches for various chipsets.
  • Microsoft: Redmond has a security fix out that's available through Windows' automatic updates.
  • Wi-Fi Alliance: The Wi-Fi Alliance has a fix up for vendors but not yet for end-users.

ZDNet has a running list of who’s on top of their game in this respect.

Permalink to story.

 

GreenNova343

Posts: 440   +330
My big question is whether Apple is going to make this a patch for all available versions of iOS, or are they only going to put it into iOS 11, thereby forcing everyone to upgrade to a version they don't want just to get the Wi-Fi fix?
 

Squid Surprise

Posts: 3,443   +2,341
My big question is whether Apple is going to make this a patch for all available versions of iOS, or are they only going to put it into iOS 11, thereby forcing everyone to upgrade to a version they don't want just to get the Wi-Fi fix?
And will they support devices that can't upgrade to iOS 11 - like older iphones and ipads...
 
  • Like
Reactions: GreenNova343

Kibaruk

Posts: 3,836   +1,183
So... I may be incorrect... but my understanding is that unless your phone is serving as a router this should not be anything to worry about, just cable it to your computer or whatever you are using and voila.

The main concern here are the routers that are serving 24/7.
 

jobeard

Posts: 13,970   +1,778
So... I may be incorrect... but my understanding is that unless your phone is serving as a router this should not be anything to worry about, just cable it to your computer or whatever you are using and voila.
First, iPhones can't 'just cable' to the PC and get Internet Service - - Internet access is ONLY via a tethered cell connection (big impact to your data plan) or a WiFi connection.

Second, it's the four-step handshake with the Client that is compromised and the Broadcom BCM4334 needs a firmware update.

[edit] oops;
Tethered connections are via Bluetooth or WiFi;
Setting it up
  1. Go to your iPhone's on-screen Settings.
  2. Look for Personal Hotspot; or General, followed by Network, and finally Personal Hotspot.
  3. Tap on Personal Hotspot and then slide the switch to On.
  4. Then connect the iPhone to your laptop or tablet using a USB cable or Bluetooth or WiFi.
[/edit]
 
Last edited:
  • Like
Reactions: xiaohs

mattsie

Posts: 60   +36
This means you wifi signal can be listened to. If webstie uses Secure connection with a website means all the info is safe, if I understood correctly? So only none-secure ones and file sharing is compromised.
 

jobeard

Posts: 13,970   +1,778
This means you wifi signal can be listened to. If webstie uses Secure connection with a website means all the info is safe, if I understood correctly? So only none-secure ones and file sharing is compromised.
Normally this would have been correct - - BUT NOT THIS TIME :sigh:
With the WiFi KRACK bug, the attack occurs before the connection is made with the remote end and this allows decryption of even SSL sessions. It is IMPERATIVE that you update your wifi driver for every device you own.
 
  • Like
Reactions: mattsie