Topic: 'All wifi networks' are vulnerable to hacking, security expert discovers

Frands

Hi  :),

The Guardian, Monday 16 October 2017

The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.
Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2, and published details of the flaw on Monday morning.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef’s report said. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
Vanhoef emphasised that “the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Full story: https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

More: https://papers.mathyvanhoef.com/ccs2017.pdf (PDF document)
Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
-----
Trend Micro Internet Security


Home Forums: http://www.spywarefri.dk/forum
http://securitygarden.blogspot.dk/
https://www.classicrockforums.com/

Corrine

C|Net's article includes a list of vendors with a status of updates for KRACK: "KRACK attack: Here's how companies are responding". Except for Microsoft and Netgear, the responses were that they are aware of the vulnerability, are working on a patch or could not be reached for comment.

Microsoft, via Twitter, https://twitter.com/msftsecresponse/status/919991901960388608:
Quote
MSRC was happy to coordinate with ICASI to address industry protocol issue in #KRACKAttacks. http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities/

Netgear: "Security Advisory for WPA-2 Vulnerabilities, PSV-2017-2826, PSV-2017-2836, PSV-2017-2837"

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

plodr

Interesting article by Brian Krebs that puts things in perspective.
Quote
As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

Quote
More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Source: https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/

Corrine

Via Twitter, the Microsoft update does appear to be included in the Fall Creator's Update, released today:  https://twitter.com/mniehaus/status/920334569970180096

A better list than at C|Net on Bleeping Computer and being updated as new information is available:  List of Firmware & Driver Updates for KRACK WPA2 Vulnerability


techie

Quote
Via Twitter, the Microsoft update does appear to be included in the Fall Creator's Update, released today:  https://twitter.com/mniehaus/status/920334569970180096

A better list than at C|Net on Bleeping Computer and being updated as new information is available:  List of Firmware & Driver Updates for KRACK WPA2 Vulnerability

I see a major player not listed anywhere: Arris/Motorola. There are many of their modem/router combos on the market. Having a wifi router built in means they're most likely vulnerable as well. This will be interesting, since the modem/router combo's firmware has to be updated by the ISP, once it is released.

plodr

Quote
Arris is “evaluating” its options, ZDNet reported, but hasn’t actually released any patches.
Source: https://www.tomsguide.com/us/protect-your-router-krack,news-25999.html