SIGforum
Wi-Fi's WPA2 has been cracked

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/320601935/m/2710088134

October 17, 2017, 10:17 AM
henryaz
Wi-Fi's WPA2 has been cracked
According to information released yesterday (Ars Technica article), the security protocol protecting most of the world's Wi-Fi networks, WPA2, has been cracked. And it has been cracked at the protocol level, so it affects virtually all servers (Wi-Fi routers and Access Points) and clients (computers, smartphones, tablets, cameras, any device using Wi-Fi as its network connection). Some devices and OS's are more vulnerable than others, but all can be compromised, until patched. Linux and Android are particularly vulnerable. Some vendors have already patched their systems (incredibly Microsoft was one of the first), but all servers and clients need firmware upgrades to protect against this vulnerability. Luckily, the patch is easy for vendors to implement.
 
It is being called "Krack", for "Key Reinstallation Attack". For the technically inclined, here is a link to the paper written by the Belgian researchers who discovered the vulnerability. It details the mechanics of breaking the protocol.
 
Paper with background info.  
 
October 17, 2017, 10:56 AM
sjtill
Looks like Apple has patches already in beta for MacOS, iOS, etc.

quote:
KRACK WPA2 Wi-Fi exploit already fixed in iOS, macOS, tvOS, watchOS betas
BY RENE RITCHIE Monday, Oct 16, 2017 at 3:11 pm EDT



KRACK is an exploit that attacks the way WPA2 protects Wi-Fi access points. While it's bad, there are a few factors that prevent it from being truly damaging to the state of modern wireless networking.

First, it can be patched. We don't need a new standard like we did when WEP was broken and everyone had to move to WPA2.

From the KRACK Q&A:

implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point (AP), and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time.
Second, in some cases, access points won't need to be updated.

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).
For example, it's my understanding that Apple's AirPorts, including Express, Extreme, and Time Capsule don't seem to be vulnerable to the exploit, even if using one as a bridge.

If you're using a different router, we're maintaining a list of updates that you can consult as needed. If in doubt, contact your vendor directly.

For ordinary home users, your priority should be updating clients such as laptops and smartphones.
Third, Apple has confirmed to me that the KRACK exploit has already been patched in iOS, tvOS, watchOS, and macOS betas.

As soon as the updates leave beta, they'll be pushed out to everyone. We'll have to wait and see how fast other manufacturers are to respond, and how many of our connected devices receive updates.




_________________________
“ What all the wise men promised has not happened, and what all the damned fools said would happen has come to pass.”— Lord Melbourne
October 17, 2017, 11:02 AM
rusbro
Thanks for posting. Looks like I've got some work to do.
October 17, 2017, 11:10 AM
bigdeal
If I read this correctly yesterday when it came out, the hacker must be within range of your WiFi network to hack it. The hack does not work over the internet, so that does mitigate the risk a bit. The primary point of vulnerability is public WiFi networks (think Starbucks and the like), so it might be a good idea for a while to not utilize them.


-----------------------------
Guns are awesome because they shoot solid lead freedom. Every man should have several guns. And several dogs, because a man with a cat is a woman. Kurt Schlichter
October 17, 2017, 11:17 AM
BBMW
Is the patch only necessary at the client level? Are routers/WAPs going to need updates also?
October 17, 2017, 11:30 AM
Tavman
quote:
Originally posted by BBMW:
Is the patch only necessary at the client level? Are routers/WAPs going to need updates also?


It is both. Everything will need updates.
October 17, 2017, 11:32 AM
H&K-Guy
Damn it six days a week and twice on Sunday...

H&K-Guy
October 17, 2017, 11:58 AM
BBMW
Okay, so I have an ancient D-link router. I doubt it can be flashed, and likely it's old enough that they won't support it anyway.

When do we think new routers will be out that address this situation?

Update:

From DLink's support page...

quote:

Regarding security updates for my Wi-Fi Access Points, Wi-Fi Routers, or Wi-Fi Gateways?
The primary security risk is an attack against the "4-way handshake" in WPA2 between Wi-Fi access points and Wi-Fi client devices. This attack does not present a risk to Wi-Fi access points, consumer Wi-Fi routers and gateways, but instead targets client devices. For consumer users, your priority should be updating devices such as laptops and smartphones.



quote:
Originally posted by Tavman:
quote:
Originally posted by BBMW:
Is the patch only necessary at the client level? Are routers/WAPs going to need updates also?


It is both. Everything will need updates.

October 17, 2017, 12:02 PM
Balzé Halzé
How does one update a router?


~Alan

Acta Non Verba
NRA Life Member (Patron)
God, Family, Guns, Country

Men will fight and die to protect women... because women protect everything else. ~Andrew Klavan

"Once there was only dark. If you ask me, light is winning." ~Rust Cohle
October 17, 2017, 12:02 PM
Gustofer
So what does this mean to those of us out in the boonies? My wifi doesn't even reach to the end of my driveway, so someone using it or otherwise causing me problems seems pretty remote.


________________________________________________________
"Great danger lies in the notion that we can reason with evil." Doug Patton.
October 17, 2017, 12:06 PM
zoom6zoom
Well, the router for my FiOS is an Actiontec, but their legal agreement with Verizon doesn't allow them to post firmware updates, Verizon controls that. But I'm not holding my breath to see one. And I can't afford to replace it right now.
But on the other hand, having almost everything hardwired is paying off now... laughing at people who wondered why I bothered.




I have my own style of humor. I call it Snarkasm.
October 17, 2017, 12:14 PM
ensigmatic
Hmmm... Have to check on my AP (Ubiquiti UniFi AC Pro), but our mobile devices are iOS. I'm not too worried about somebody hacking the data stream to/from the TV, DVR or Roku box. The alarm system is wired. All the computers are wired.

Only real problem I see is the Reolink wireless surveillance cameras I just installed.

My laptop, dual-booting MS-Win 7 Pro and Linux Mint Mate. But MS-Win 7 Pro should be patched and I just saw a Linux WPA Supplicant update yesterday, so I imagine that's taken care of. (I haven't been using the laptop, anyway.)

I should be in pretty good shape.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
October 17, 2017, 12:19 PM
ChicagoSigMan
quote:
Originally posted by Balzé Halzé:
How does one update a router?


Typically, you would log into it by pointing your browser to your router's IP address (often 192.168.1.1). Then it will usually have a firmware update area in the control panel.
October 17, 2017, 12:24 PM
rusbro
quote:
Originally posted by ChicagoSigMan:
quote:
Originally posted by Balzé Halzé:
How does one update a router?


Typically, you would log into it by pointing your browser to your router's IP address (often 192.168.1.1). Then it will usually have a firmware update area in the control panel.


If 192.168.1.1 doesn't load your router's webadmin page, you can open a command prompt, and type: ipconfig /all
Look for the IP address of the Default Gateway, and type that in your browser.
October 17, 2017, 12:28 PM
FenderBender
Update whatever you'd like; this is an attack on the protocol, and we're far from out of the woods with this yet.
October 17, 2017, 12:36 PM
nhtagmember
sweet

so what is our NSA doing to find these people and send in a few SEAL teams to eliminate the problems?

If the NSA isn't doing anything, what are we paying them for?



Against ALL enemies, foreign and DOMESTIC


October 17, 2017, 12:50 PM
icom706
quote:
Originally posted by nhtagmember:
sweet

so what is our NSA doing to find these people and send in a few SEAL teams to eliminate the problems?

If the NSA isn't doing anything, what are we paying them for?


The NSA (National Surveillance Agency) likely has known about the issue for years and has been eavesdropping to their heart's content.


-.-. --.- -.-. --.- -.-. --.- -.-. --.-
It only stands to reason that where there's sacrifice, there's someone collecting the sacrificial offerings. Where there's service, there is someone being served. The man who speaks to you of sacrifice is speaking of slaves and masters, and intends to be the master.

Ayn Rand


"He gains votes ever and anew by taking money from everybody and giving it to a few, while explaining that every penny was extracted from the few to be given to the many."

Ogden Nash from his poem - The Politician
October 17, 2017, 12:54 PM
Balzé Halzé
quote:
Originally posted by rusbro:
quote:
Originally posted by ChicagoSigMan:
quote:
Originally posted by Balzé Halzé:
How does one update a router?


Typically, you would log into it by pointing your browser to your router's IP address (often 192.168.1.1). Then it will usually have a firmware update area in the control panel.


If 192.168.1.1 doesn't load your router's webadmin page, you can open a command prompt, and type: ipconfig /all
Look for the IP address of the Default Gateway, and type that in your browser.


Thank you, both. I know how to log into my Router so I'll start there.


~Alan

Acta Non Verba
NRA Life Member (Patron)
God, Family, Guns, Country

Men will fight and die to protect women... because women protect everything else. ~Andrew Klavan

"Once there was only dark. If you ask me, light is winning." ~Rust Cohle
October 17, 2017, 01:12 PM
BBMW
I think you're misreading this. This is some academic who's probing security in order to find weaknesses and push the companies to fix them. There's no proof that someone nefarious has found this. Of course now they do know.

quote:
Originally posted by nhtagmember:
sweet

so what is our NSA doing to find these people and send in a few SEAL teams to eliminate the problems?

If the NSA isn't doing anything, what are we paying them for?

October 17, 2017, 01:54 PM
KMitch200
Ok, so this has happened twice now this week on 2 different computers.

Type in router IP address, hit enter and "This page cannot be displayed" comes up.
Now what?


--------
After the game, the King and the pawn go into the same box.