The MagicBox Forums  

Go Back   The MagicBox Forums > General Topics > Community Board

Thread Tools Display Modes
Old 10-16-2017, 12:12 PM   #1
Registered User
Rubeus's Avatar
Join Date: Apr 2002
Posts: 7,865
Don't Panic, But Wi-Fi's Main Security Protocol Has Been Broken

Click for full size

Don't Panic, But Wi-Fi's Main Security Protocol Has Been Broken

A major vulnerability has been discovered in the protocol governing basically all modern wi-fi routers. Here’s what we know so far.

If you’ve set up a home wi-fi network, at some point you’ve encountered one or more screens concerning WEP and its successor WPA2. Both are security protocols created by the Wi-Fi Alliance that keep strangers from eavesdropping on what websites your computer is trying to access.

WEP was deemed insecure in 2003 and replaced, and it looks like WPA2 is also headed for the dustbin of history now that researcher Mathy Vanhoef has revealed a major flaw in the protocol, which he’s calling KRACK—for Key Reinstallation Attacks. This weak link in WPA2 not only allows “man-in-the-middle” eavesdropping attacks, it also opens up wi-fi networks for ransomware and other malicious code injections. According to Vanhoef’s findings, KRACK “can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.”

Essentially, WPA2 has devices go through a four-way handshake, and KRACK forces part three to be resent, over and over again, while your WiFi access point looks for a response from the device. Though an exceptionally clever attack on a protocol, KRACK appears to require attackers be close enough to a router’s signal to connect to it, like any normal sign-in to a wi-fi network.

Android and Linux users are in an especially bad position, as KRACK is highly effective against devices running those operating systems according to Vanhoef, and some have suggested Android users turn wi-fi capabilities off until the issue is patched. Here’s video of the exploit hitting an Android device.

So what’s the good news, exactly? First, patches for this issue are already rolling out. Companies know how serious this protocol breach is and are doing what they can as fast as they can. According to a statement by the WiFi Alliance “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users.”

Second, the handshake your computer and a given website go through with WPA2 is just one countermeasure against ne’er-do-wells. So far it seems secure sites—distinguished by having HTTPS before the URL—are, well, still secure.

And, again, it appears that gaining access to a given wi-fi network still requires physical proximity to the router, so KRACK targets can’t be hit from anywhere in the world, unlike hacks that have no proximity requirements.

For the next couple days, avoid public wi-fi, try to stick with HTTPS sites, and remember to install all patches on your devices as they’re made available.

We’ve reached out to Vanhoef for additional comments and will update if we hear back. In the meantime, his full paper on KRACK is available to read online.
Rubeus is offline   Reply With Quote
Connect With Facebook to "Like" This Thread

Old 10-17-2017, 03:19 PM   #2
spider-prime's Avatar
Join Date: Aug 2003
Location: I hated going to weddings cause all the grandmas would poke me saying "you're next, you're next". They stopped saying that when I did it to them at Funerals.
Posts: 22,466
I think I'm safe... I live in a neighborhood that is mostly seniors that don't even have a computer lol
spider-prime is offline   Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

All times are GMT -4. The time now is 05:37 AM.

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.