Aragorn
16th October 2017, 15:14
So far only three companies claim to have devised a fix for this vulnerability at this point in time — i.e. Monday 16 October 2017 — but we may expect the various other manufacturers to be working on firmware updates already, and to be making them available for your IoT (https://en.wikipedia.org/wiki/Internet_of_things) device soon.
If and when such an update becomes available for your device — check the manufacturer's website — you will generally have to download it onto your computer, and from there upload it onto the device. The device itself should have a menu item somewhere which allows you to do that.
As for the risk factor, well, the attacker would have to be within range of the WiFi device, of course. That narrows down the attack vector a little, but it is still a dangerous situation nevertheless. :hmm:
http://zdnet4.cbsistatic.com/hub/i/r/2017/10/16/7e705f19-4827-49c1-ab75-c2d249233f6c/resize/770xauto/9ec084a55808bb7a00a2abeb0f196284/free-wifi-new-york-city-subway.jpg
Source: ZDNet (http://www.zdnet.com/article/wpa2-security-flaw-lets-hackers-attack-almost-any-wifi-device/)
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw (https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html), said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.
That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
In other words: hackers can eavesdrop on your network traffic.
The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.
"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.
News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk (https://www.blackhat.com/docs/webcast/08242017-securely-implementing-network2.pdf) on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.
The cyber-emergency unit has since reserved (https://www.kb.cert.org/vuls/id/228519) ten common vulnerabilities and exposures (CVE) records for the various vulnerabilities.
Cisco, Intel, Juniper, Samsung, and Toshiba are among the companies affected (https://www.kb.cert.org/vuls/id/228519).
The flaw is "exceptionally devastating" for Android 6.0 Marshmallow and above, said Vanhoef. A patch is expected in the next few weeks.
"The core of the attack, hence its name, is that the attacker tricks the connected party into reinstalling an already-in-use key," Alan Woodward, a professor at the University of Surrey, told ZDNet.
Despite the ire many have with branded, or popularized vulnerabilities -- Heartbleed (http://www.zdnet.com/article/heartbleed-bug-still-affects-thousands-of-sites/), Shellshock (http://www.zdnet.com/article/shellshock-makes-heartbleed-look-insignificant/), and Poodle (http://www.zdnet.com/article/poodle-not-fixed-some-tls-systems-vulnerable/) to name a few -- many renowned security and cryptographic experts are warning not to underestimate the severity of the flaw.
"It's not a trivial attack," said Woodward. He warned that the scale of the attack is "huge."
https://www.youtube.com/watch?v=Oh4WURZoR98
It's not the first attack that's hit WPA2. WPA2 was developed, ironically, as a way to replace a similar protocol, WEP, which was cracked just a few years after its debut in 1997.
Several researchers, including Vanhoef, have demonstrated valid attacks against the protocol. By far the most notable was in 2011 when a security researcher showed that an attacker could recover the code (http://www.zdnet.com/article/researcher-warns-of-wi-fi-protected-setup-security-holes/) used in Wi-Fi Protected Setup, a feature that let users authenticate with a one-push button on the router, which could be easily cracked.
Like similar attacks against WPA2, an attacker needs to be within a close physical proximity of a vulnerable device, such as a router or even a cash register or point-of-sale device.
That's not to downplay the seriousness of the attack, however.
The downside is that nowadays, a hacker can launch an attack from hundreds of feet from a vulnerable device, Kenneth White, a security researcher, told ZDNet.
Matthew Green, a cryptography teacher at Johns Hopkins University, said in a tweet (https://twitter.com/matthew_d_green/status/919645126938505216) that this is "probably going to turn into a slew of TJ Maxxes," referring to a cyberattack on the department store (http://www.zdnet.com/article/wi-fi-hack-caused-tk-maxx-security-breach/), where hackers cracked the Wi-Fi password that connected the cash registers to the network.
White explained, however, that sites and services that provide content over strict HTTPS (known as HSTS (http://www.zdnet.com/article/google-heres-why-were-putting-all-our-top-level-domains-on-forced-https-list/)) will encrypt traffic from the browser to the server.
In other words, it's still safe to access sites that encrypt your data over an insecure network. Although Vanhoef said it wasn't clear if any attacks had been seen in the wild.
http://zdnet1.cbsistatic.com/hub/i/r/2017/10/16/e8cc969e-0bf3-4aec-9013-5d34b40754bd/resize/370xauto/ae703124736ab64292a881dbf7606458/screen-shot-2017-10-16-at-6-47-25-am.png
A table of vulnerable software
Several router and network equipment makers were briefed prior to Monday's announcement, including Cisco, HPE, and Arris. We reached out to all three but did not hear back at the time of writing.
Aruba (http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt), Ubiquiti (https://www.kb.cert.org/vuls/id/CHEU-AQNN6B), and Eero (https://twitter.com/nsweaves/status/919727190253510657) are said to have patches available, according to sources we spoke to at the time of writing. It's not known if others have -- but we will update as we find out.
But many products and device makers will likely not receive patches -- immediately, or ever. Katie Moussouris, founder of Luta Security, said in a tweet (https://twitter.com/k8em0/status/919701311880232960) that Internet of Things devices will be some of the "hardest hit."
Until patches are available, Wi-Fi should be considered a no-go zone for anything mission critical, a feat almost impossible in today's age of ubiquitous and blanket wireless network access.
Source: ZDNet (http://www.zdnet.com/article/wpa2-security-flaw-lets-hackers-attack-almost-any-wifi-device/)