Update: Apple says the security vulnerability has been fixed in the beta versions of the next software updates to iOS, macOS, watchOS, and tvOS. These releases are expected this month (based on Apple Watch being scheduled to gain Apple Music streaming in watchOS 4.1 in October).
WPA2 Vulnerability Called KRACK
The WPA2 protocol that is widely used to secure WiFi traffic is at risk from multiple vulnerabilities, collectively referred to as 'KRACK Attacks,' which were publicly disclosed on Oct.
WPA2 – the encryption standard that secures all modern wifi networks – has been cracked. An attacker could now read all information passing over any wifi network secured by WPA2, which is most routers, both public and private.
Android and Linux are particularly vulnerable, being described as ‘trivial’ to attack, but all other platforms are vulnerable too, including iOS and macOS …
The flaw in WPA2 was discovered by Mathy Vanhoef, a postdoc security researcher in the computer science department of the Belgian university KU Leuven.
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks […] Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks […]
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected […] If your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.
A proof of concept shows an attack against an Android smartphone, as devices running Android 6.0 or higher are especially vulnerable. In addition to allowing data to be decrypted, they can also be easily fooled into resetting the encryption key to all zeroes.
However, Vanhoef emphasizes that all platforms are vulnerable, and that although attacking Macs proved a tougher challenge initially, he has since found a much easier way to do it.
We can take some comfort from the fact that the attack only decrypts data encrypted by the wifi connection itself. If you are accessing a secure website, that data will still be encrypted by the HTTPS protocol. However, there are separate attacks against HTTPS that could be employed.
The attack works by exploiting the communication that takes place when a device joins a wifi network. A 4-step process is used first to confirm that the device is using the correct password for the wifi router, and then to agree an encryption key that will be used for all the data sent between them during the connection.
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
The practical implication of this is, if you know any of the contents of the data that have been sent between the device and the router, you can use that known data to work out the encryption key. As Vanhoef points out, there is almost always going to be known data being passed at some point, so you have to assume that the encryption can always be cracked. Even if you don’t know any of the content, a sufficient volume of English text would be enough to break the encryption.
With Android and Linux, an attacker doesn’t even have to do that much work: the attacker can simply reset the encryption key.
The good news is that Vanhoef says that WPA2 can be patched to block the attack, and the patch will be backward compatible. Once a patch is available for your router, you should update the firmware without delay.
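Why resetting the packet number matters, and why a fix on the client alone closes the hole, shown as an added example that is not code from the article or from Vanhoef's research. It assumes a toy HMAC-SHA256 keystream in place of the AES counter mode WPA2 actually uses; the `Station` class, key and messages are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy per-packet keystream derived from (key, packet number).
    Assumption: HMAC-SHA256 stands in for the AES counter mode real WPA2 uses."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client: tracks the installed key and transmit packet number."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        if self.patched and key == self.key:
            return  # fix: a key already in use is not reinstalled, counter kept
        self.key, self.pn = key, 0  # unpatched: counter resets on every install

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def reused_packet_numbers(frames):
    """Defender-side check: packet numbers seen more than once under one key."""
    seen, reused = set(), []
    for pn, _ in frames:
        if pn in seen:
            reused.append(pn)
        seen.add(pn)
    return reused

def simulate(patched: bool):
    key = b"constructed-session-key"       # constructed sample value
    known = b"GET /index.html HTTP/1.1"    # content an observer can guess
    secret = b"password=hunter2&user=al"   # constructed, same length as known
    sta = Station(patched)
    sta.install_key(key)
    first = sta.send(known)
    sta.install_key(key)                   # replayed handshake message arrives
    second = sta.send(secret)
    # With a repeated keystream, c1 XOR c2 XOR known equals the other plaintext.
    exposed = xor(xor(first[1], second[1]), known) == secret
    return reused_packet_numbers([first, second]), exposed
```

`simulate(False)` reports packet number 1 used twice and the second message exposed; `simulate(True)` reports no reuse and nothing exposed, even though the access point side is unchanged.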
The Wi-Fi Alliance has issued a security advisory thanking Vanhoef for his work, stating that it is aware of the issue and that major platform providers have already started deploying patches. It says there is no evidence that the attack has been used in the wild, though the research paper notes that such attacks would be difficult to detect.
The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.
Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2, and published details of the flaw on Monday morning.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef’s report said. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
Vanhoef emphasised that “the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
“If your device supports wifi, it is most likely affected,” Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
Vanhoef gave the weakness the codename Krack, short for Key Reinstallation AttaCK.
Britain’s National Cyber Security Centre said in a statement it was examining the vulnerability. “Research has been published today into potential global weaknesses to wifi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.
“We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as wifi safety, device management and browser security.”
The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability.
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.
The development is significant because the compromised security protocol is the most secure in general use to encrypt wifi connections. Older security standards have been broken in the past, but on those occasions a successor was available and in widespread use.
Crucially, the attack is unlikely to affect the security of information sent over the network that is protected in addition to the standard WPA2 encryption. This means connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications.
However, insecure connections to websites – those which do not display a padlock icon in the address bar, indicating their support for HTTPS – should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.
Equally, home internet connections will remain difficult to fully secure for quite some time. Many wireless routers are infrequently if ever updated, meaning that they will continue to communicate in an insecure manner. However, Vanhoef says, if the fix is installed on a phone or computer, that device will still be able to communicate with an insecure router. That means even users with an unpatched router should still fix as many devices as they can, to ensure security on other networks.
Alex Hudson, the chief technical officer of subscription service Iron, said that it is important to “keep calm”.
“There is a limited amount of physical security already on offer by wifi: an attack needs to be in proximity,” Hudson wrote. “So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.
“Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an HTTPS site … your browser is negotiating a separate layer of encryption. Accessing secure websites over wifi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.”
There’s likely to be a delay before the vulnerability is used to actually attack networks in the wild, says Symantec researcher Candid Wuest. “It’s quite a complex attack to carry out in practice, but we’ve seen similar before, so we know it’s possible to automate.
“Small businesses and people at home should be concerned, but not too worried,” Wuest added, advising most users to simply apply the updates to their software as and when it becomes available.
The most important lesson from the weakness, he said, was that relying on any one security feature is risky. “You shouldn’t be trusting one single point of failure for all your security. Don’t rely on just your wifi, use a VPN or secure connection for anything important.”
Different devices and operating systems are impacted to differing degrees based on how they implement the WPA2 protocol. Among the worst hit are Android 6.0 (Marshmallow) and Linux, due to a further bug that results in the encryption key being rewritten to all-zeros; iOS and Windows, meanwhile, are among the most secure, since they don’t fully implement the WPA2 protocol. No tested device or piece of software was fully immune to the weakness, however.
The international Cert group, based at Carnegie Mellon University, informed technology companies of the flaw on 28 August, meaning that most have had around a month and a half to implement a fix. The Guardian has asked Apple, Google, Microsoft and Linksys the status of their patches. Google said: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.” Microsoft said: “We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected.” No other vendor has replied at press time.