WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Peculiar_Investor
Administrator
Posts: 13267
Joined: 01 Mar 2005 14:52
Location: Calgary

Post by Peculiar_Investor »

From what I've read this morning (WiFi Key Reinstallation Attack breaks WPA2 encryption - gHacks Tech News), this appears to be a major issue that everyone who has a home Wi-Fi router needs to understand. It also seems to have a major impact on Android users.
Researchers have discovered a flaw in the Wi-Fi standard that attackers may use to eavesdrop on wireless network traffic even if WPA2 is used for protection.

Key Reinstallation Attacks, or Krack Attacks, work against all Wi-Fi networks protected by WPA2, and may in some cases be used to inject and manipulate data as well. The attack works against WPA and WPA2 standards, and against personal and Enterprise networks that implement Wi-Fi.
The flaw exists in the actual standard, so it's not a coding error.
Good news is that it is possible to patch the issue. However, a firmware update needs to be released by the manufacturer of the router, access point or client. The researchers note that any device that uses Wi-Fi is likely vulnerable to the attack.
From another article, Severe WiFi security flaw puts millions of devices at risk
The problem is made worse by Android and Linux, which, thanks to a bug in the WPA2 standard, don't force the client to demand a unique encryption key each time. Rather, they allow a key to be cleared and replaced by an "all-zero encryption key," foiling a key part of the handshake process. In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.

<snip>

If you still doubt the seriousness of it, Alex Hudson, for one, is actually advising Android users to "turn off WiFi on these devices until fixes are applied." He adds that "you can think of this a little bit like your firewall being defeated."

As such, you can protect yourself to a great extent by sticking with sites that have solid, proven HTTPS security. And of course, the attack won't work unless the attacker is nearby and can physically access your network.
Lastly, for the less technical, an article from the BBC, Wi-fi security flaw 'puts devices at risk of hacks' - BBC News.

Hopefully manufacturers will promptly address this issue and provide a fix. From what I've read so far this morning, Android phone users should be very careful about which Wi-Fi connections they use.

If you have a Wi-Fi router, you should be checking the manufacturer's website over the next couple of weeks to see if there is a firmware update available for your router. For those with ancient, unsupported routers, it might be worthwhile to consider upgrading to a newer, supported version.
Imagefiniki, the Canadian financial wiki New editors wanted and welcomed, please help collaborate and improve the wiki.

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Peculiar_Investor »

A link to the source of the discovery, KRACK Attacks: Breaking WPA2, which contains lots of useful information and details of the problem.
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
For those that aren't interested in all the details, you should at least skip ahead to the FAQ. These two are probably of most importance to home users.
Do we now need WPA3?

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
Imagefiniki, the Canadian financial wiki New editors wanted and welcomed, please help collaborate and improve the wiki.

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
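To illustrate the FAQ answer quoted in the post above ("the security updates will assure a key is only installed once"), here is an added example that is not part of the thread or the researchers' code: a simplified Python model of a client that receives handshake message 3 twice, with and without the install-once fix, plus a check for repeated packet numbers. The `Client` class, the HMAC-based keystream standing in for the real cipher, and the sample frames are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for a per-frame keystream: depends only on (key, packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified Wi-Fi client: only key installation and the transmit counter."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0          # transmit packet number (nonce)
        self.sent = []       # (packet number, ciphertext) per frame

    def on_message3(self, session_key: bytes) -> None:
        # Handshake message 3 can legitimately arrive more than once (retransmission).
        if self.patched and self.key == session_key:
            return           # already installed: keep the key and the counter
        self.key = session_key
        self.pn = 0          # installing a key resets the nonce counter

    def send(self, plaintext: bytes) -> None:
        self.pn += 1
        ks = keystream(self.key, self.pn, len(plaintext))
        self.sent.append((self.pn, xor(plaintext, ks)))


def reused_packet_numbers(frames):
    """Defender's check: packet numbers seen more than once under one key."""
    counts = Counter(pn for pn, _ in frames)
    return sorted(pn for pn, n in counts.items() if n > 1)


# Constructed sample data, not captured traffic.
FRAMES = [b"frame one: hello", b"frame two: world", b"frame 3: secret!"]


def run(patched: bool):
    client = Client(patched)
    key = bytes(range(16))           # constructed session key
    client.on_message3(key)
    client.send(FRAMES[0])
    client.send(FRAMES[1])
    client.on_message3(key)          # retransmitted message 3
    client.send(FRAMES[2])
    return client.sent


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", reused_packet_numbers(run(patched)))
```

In the unpatched run the first and third frames share packet number 1 and therefore the same keystream; in the patched run the counter keeps increasing and no packet number repeats.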
Jaunty
Veteran Contributor
Posts: 1539
Joined: 19 Feb 2007 16:41
Location: Niagara

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Jaunty »

While I wait for my router manufacturer to react and provide a solution, do you know if running a wire to my router and connecting that way when performing transactions I want to be secure (in my case bank and on-line brokerage transactions) would bypass the router problem and therefore be secure?

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Peculiar_Investor »

This vulnerability has just been disclosed so I would expect information and updates to be very fluid over the next few days/weeks.

Obviously the problem can be avoided by not using Wi-Fi connections, but I think the FAQ that I linked above (and repeat again) probably provides the best answer(s) at this time. These two are probably of most importance to home users.
Do we now need WPA3?

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
This report seems to indicate that Windows users might be safe, Microsoft has already fixed the Wi-Fi attack vulnerability - The Verge,
Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement to The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft is planning to publish details of the update later today.
I'm running Windows 10 and checked Windows Update and cannot find any indication of the security update, but the above says Microsoft will publish the details later today, so I'll stay tuned.
thundarr
Contributor
Posts: 13
Joined: 12 Oct 2017 16:19

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by thundarr »

Peculiar_Investor wrote: 16 Oct 2017 10:58 This vulnerability has just been disclosed so I would expect information and updates to be very fluid over the next few days/weeks.
Much appreciated for sharing. So that is why I am starting to see WPA2 in the news. I never thought to read much of it these past days since I simply glanced by their seemingly benign titles. That is, until I saw your more direct one :wink:

I remember in school we were assigned to experiment with known wifi vulnerabilities and one was doing a brute force dictionary attack on WPA2. Our professor said if one of the student groups could break in they'd get an automatic A on the mid-terms. I believe one group did. Beyond that I had never heard of any other way to break WPA2. Especially after most routers upgraded to impose a timeout.

For the sake of education, and to understand how widespread this problem really is, I am going to read the paper you cited and see if I can recreate it in my area. This will give me an idea if Microsoft's patch or router patches are being pushed and set accordingly. In my area, 99% have Windows 10. Should be an interesting test. Ok, off to tell my neighbor about this issue.
Shakespeare
Veteran Contributor
Posts: 23396
Joined: 15 Feb 2005 23:25
Location: Calgary, AB

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Shakespeare »

Microsoft has already fixed the Wi-Fi attack vulnerability - The Verge
Microsoft says the Windows updates released on October 10th protect customers, and the company “withheld disclosure until other vendors could develop and release updates.”
Sic transit gloria mundi. Tuesday is usually worse. - Robert A. Heinlein, Starman Jones

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Peculiar_Investor »

Further reading of KRACK Attacks: Breaking WPA2 indicates the problem has been known within the industry for quite a while, giving vendors time to address the issue before it became public.
When did you first notify vendors about the vulnerability?

We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weaknesses and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.
From what I've read, recent software updates from Microsoft and Apple have quietly addressed the issue, which is how the system is supposed to work. Those in the security industry find and report the problems to software vendors and generally give them around 60 days to identify and resolve the issue before going public with the security hole and potential exploit(s).

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Peculiar_Investor »

An update, I have two wireless routers, one by Linksys and the other by ASUS. A couple of days ago I re-checked the respective websites and both had released new firmware that addresses the KRACK WPA2 issue. I've updated both.

For those interested in whether there is a fix for your specific router, check out GitHub - kristate/krackinfo: Vendor Response Matrix for KRACK WPA2 (Key Reinstallation Attack)
Arby
Veteran Contributor
Posts: 3125
Joined: 20 Feb 2005 19:23
Location: Ottawa, ON

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Arby »

Does this vulnerability affect the wireless routers provided by Bell, and if so, has it been patched yet? I have a Sagemcom router from Bell. Bell tech support didn't know anything about this vulnerability.
OnlyMyOpinion
Veteran Contributor
Posts: 4231
Joined: 24 Jan 2014 23:17

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by OnlyMyOpinion »

Arby wrote: 15 Nov 2017 14:30 Does this vulnerability affect the wireless routers provided by Bell, and if so, has it been patched yet? I have a Sagemcom router from Bell. Bell tech support didn't know anything about this vulnerability.
I can't find anything about krack wpa2 on Sagemcom's website. Have you given their support line a call?
http://www.sagemcom.com/contact/hotline/america/canada/

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Arby »

OnlyMyOpinion wrote: 15 Nov 2017 14:54 I can't find anything about krack wpa2 on Sagemcom's website. Have you given their support line a call?
http://www.sagemcom.com/contact/hotline/america/canada/
I called Bell tech support, and that was enough frustration for the day. Sent an email to Sagemcom support, and still waiting for a response.

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Peculiar_Investor »

Arby wrote: 15 Nov 2017 14:30 Does this vulnerability affect the wireless routers provided by Bell, and if so, has it been patched yet? I have a Sagemcom router from Bell. Bell tech support didn't know anything about this vulnerability.
From the list that I provided in:
Peculiar_Investor wrote: 15 Nov 2017 12:07 For those interested in whether there is a fix for your specific router, check out GitHub - kristate/krackinfo: Vendor Response Matrix for KRACK WPA2 (Key Reinstallation Attack)
It states "Unless a known patch has been applied, assume that all WPA2-enabled Wi-Fi devices are vulnerable." and specifically for Sagemcom that "No Known Official Response", so I'd assume that the Bell router is vulnerable if it were me.

Personally, I'd never rely on my ISP's provided Wi-Fi router, I've bought my own and had the Wi-Fi in the ISP's modem turned off. It costs a few dollars more, but gives me much more control and security.
AltaRed
Veteran Contributor
Posts: 33398
Joined: 05 Mar 2005 20:04
Location: Ogopogo Land

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by AltaRed »

I do similarly. Have my own stand alone router and will keep it that way indefinitely.

Added: Meant to also say my specific Linksys router is not affected.
Last edited by AltaRed on 15 Nov 2017 19:52, edited 2 times in total.

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by Shakespeare »

I don't think that's possible with Optik. Nonetheless, according to Vulnerability in WPA2 Protocol - KRACK - TELUS Neighbourhood, my modem is protected.
chufinora
Contributor
Posts: 769
Joined: 12 Oct 2009 15:03
Location: Ottawa

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by chufinora »

Peculiar_Investor wrote: 15 Nov 2017 17:50 Personally, I'd never rely on my ISP's provided Wi-Fi router, I've bought my own and had the Wi-Fi in the ISP's modem turned off. It costs a few dollars more, but gives me much more control and security.
I do too, however I looked at Netgear's (my router) page on this and it states:

Routers and gateways are only affected when in bridge mode (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router.

(From https://kb.netgear.com/000049498/Securi ... -2017-2837)

So an ISP provided router acting as gateway to the DSL/cable modem is not going to be affected.
tightwad
Contributor
Posts: 183
Joined: 07 Feb 2007 15:26
Location: BC

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by tightwad »

There may be a remedy for routers that are no longer supported and left without updated firmware. The following article lists a number of alternative firmware sources: 6 Free Alternative Router Firmware – Unlock Hidden Features.
LadyGeek
Veteran Contributor
Posts: 1975
Joined: 26 Oct 2011 16:51
Location: Philadelphia, PA

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by LadyGeek »

My favourite and only security podcast, Security Now!, has the clearest explanation of this hack I've seen.

In the SN-633 transcript, start reading from here:
STEVE: So, okay. We've discussed over the years WiFi details, WiFi crypto, extensively. But I need to do a little bit of a review because there haven't been any, like, horrific problems. I mean, remember, Leo, back in the beginning of the podcast, I mean, there was stuff happening.
The correction should be done on the client side, meaning your cellphone.

My OnePlus 5 just released an update to its OxygenOS. One of the fixes was for a "WPA2 security issue". I updated immediately.

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by tightwad »

I'm still waiting for patches, which may or may not be forthcoming, for both my router and Android tablet. In the meantime I decided to give wifi a rest and connected the tablet using an ethernet adapter and cable. This comes with the added benefit of faster download speed, albeit with increased battery drain. However, be aware that not all mobile devices have the necessary drivers to accommodate a network adapter and those that do may not support some adapters (as I found out the hard way). In other words, do some research before making a purchase. You'll also need an OTG adapter.

Re: WPA2 protocol used by vast majority of Wi-Fi connections has been broken

Post by tightwad »

LadyGeek wrote: 16 Nov 2017 20:11 My favourite and only security podcast, Security Now!, has the clearest explanation of this hack I've seen.

In the SN-633 transcript...
Thanks for the link. It's good to know that routers are unaffected in most cases.