KRACK WPA2 Vulnerability Exposed

[thiggins]

[orginally posted by gLWxSJeSsEA]

KRACK, a flaw in Wi-Fi security protocol WPA2, leaves traffic open to eavesdropping, connection hijacking, and malicious injection; US CERT advisory issued.

Report by Ars' Dan Goodin.

Official Website: https://www.krackattacks.com/

Attack is a nonce reuse attack on 4-way handshake
Attack does NOT allow the attacker to recover the Wi-Fi password
Attack DOES allow the attacker to intercept/decrypt/inject packets (i.e. perform a full MITM attack on a connected client)
Attack primarily leverages client-side vulnerabilities so patching the access point won't magically fix this (client side patches are needed for each device using Wi-Fi)

Pre-Release Speculation:

Kenn White describes it as a "core protocol-level flaw in WPA2 wi-fi"... which sounds bad.

CVE's were assigned in August, so hopefully there are mitigations in place (if possible).

Look for CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088 when details become available.

Two articles that list patches already available:
https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

Follow @vanhoefm for the official drop.

 

[thiggins]

My sincere apologies to everyone! I accidentally deleted the thread while trying to clean up duplicate posts.

I am restoring as much information as I can from my browser cache.

 

[thiggins]

[posted by Konstigt]
This is the official homepage with lots of good information about KRACK Attacks (also linked in the above linked forum thread):

https://www.krackattacks.com/

 

[thiggins]

[posted by joegreat]
By the way: ALL clients are effected (regardless of the platform) - even beloved fanboy platform iOS - as the problem comes from the WAP2 protocol DEFINITION and not in the specific IMPLEMENTATION on the clients!

 

[thiggins]

[posted by Matt Humphrey]
Yes, but if you read the information at KRACK Attacks, you would realize that Android and Linux are more vulnerable to the attack. FTA:

 

[thiggins]

[posted by thelonelycoder]
I know this is a serious vulnerability but in reality, how likely am I a target of it in my home in a quiet friendly neighborhood?
Are there legions of hackers out there waiting to exploit it right now? I doubt it.

 

[thiggins]

[posted by joegreat]
...analogous to your avatar picture: # security | grep thread > /dev/null and you are save!

The problem with such "easy" and very wide spread security threads is that it becomes very tempting for any "script kiddie" to give it a try AND the professional back hat hackers will use it as well, as the payback (amount of money) is big!

So, you personally might not be effected but many will be!

 

[thiggins]

[gLWxSJeSsEA]
It's not as bad as WEP/WPS vulnerabilities in that it doesn't allow Wi-Fi password recovery--so it's not a hop on your neighbour's wifi for fun thing.

 

[thiggins]

[alexandro]

gLWxSJeSsEA said: ↑
It's not as bad as WEP/WPS vulnerabilities in that it doesn't allow Wi-Fi password recovery--so it's not a hop on your neighbour's wifi for fun thing.

Fun things are - listening traffic and grabbing passwords, is some cases change your traffic and insert dangerous data - CP or something else. Very bad.

 

[thiggins]

[thelonelycoder]

joegreat said: ↑
The problem with such "easy" and very wide spread security threads is that it becomes very tempting for any "script kiddie" to give it a try AND the professional back hat hackers will use it as well, as the payback (amount of money) is big!

So, you personally might not be effected but many will be!

If you live in a densely populated part of a city I agree, but here I have cows grazing outside and neighbors mowing their lawns with grey hair (as I do). I'm not worried where I am.

 

[alexandro]

http://svn.dd-wrt.com/changeset/33525

DD-WRT patched, may be similar patch for Merlin?

 

[thiggins]

[RMerlin]
I haven't had the time to read all the published details yet (still on my breakfast orange juice atm), but from what I gather so far, the issue only allows one to eavesdrop and to decrypt your traffic, it does not allow to connect to your network or steal your WPA2 passphrease. So if all your sensitive Internet traffic is encrypted, then this limits the impact of that exploit. Just make sure your mail clients are all configured to use TLS/SSL (a lot probably are still using plaintext POP3/SMTP), and it might be prudent to rely on a VPN tunnel when wireless connected outside of home.

People using old SMB might be at risk however, as SMBv1 (and various SMBv2 implementations) are NOT encrypted.

 

[thiggins]

[bits]
[quote[Matt Humphrey said: ↑
Yes, but if you read the information at KRACK Attacks, you would realize that Android and Linux are more vulnerable to the attack. FTA:[/quote]

Linux patches were written weeks ago to fix this problem. They just had to wait for embargo to be lifted at 8am est when this was announced.
Wpa_supplicant in Android will be patched on supported devices soon enough.
https://w1.fi/security/2017-1/

 

[thiggins]

[Morac]
ASUS was notified by CERT about this issue back on August 28th. They never responded.

http://www.kb.cert.org/vuls/id/CHEU-AQNMXY

 

[thiggins]

[sfx2000]
It's a client side vuln - linux and android are high at risk, OpenBSD released a patch for their wpa supplicant, and I expect other OS's to release as well.

AP's are not impacted - however, repeats (as they are clients) are vulnerable.

 

[thiggins]

[o-l-a-v]

sfx2000 said: ↑
It's a client side vuln - linux and android are high at risk, OpenBSD released a patch for their wpa supplicant, and I expect other OS's to release as well.

AP's are not impacted - however, repeats (as they are clients) are vulnerable.

Media bridge devices should be vulnerable too then, correct?

 

[thelonelycoder]

No problem @thiggins, we'll survive.

 

[thiggins]

[Morac]

sfx2000 said: ↑
It's a client side vuln - linux and android are high at risk, OpenBSD released a patch for their wpa supplicant, and I expect other OS's to release as well.

AP's are not impacted - however, repeats (as they are clients) are vulnerable.

That doesn't seem to match up to what's mentioned in the FAQ on the disclosure site.

Do we now need WPA3?

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.
Click to expand...

Why would they say a patched client can communicate with an unpatched access point (and vice-versa) if APs didn't require patching? It sounds like APs can re-use keys as well.

 

[thiggins]

[Viktor Jaep]
And this is why you need to also use a beefy VPN client while connected to an AP... :/

 

[thiggins]

[Fitz Mutch]
When he fires up Wireshark in the demonstration video, can you see if his router is made by ASUSTek Computer Inc (bc:ae:c5:xx:xx:xx)? I understand that it's an exploit of the client, not the router.

https://www.krackattacks.com/