Security experts have said the bug is a total breakdown of the WPA2 security protocol.
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.
That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
In other words: This flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they're in, they can eavesdrop on your network traffic.The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.
"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.But because Vanhoef hasn't released any proof-of-concept exploit code, there's little risk of immediate or widespread attacks.
News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug.
The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.The cyber-emergency unit has since reserved 10 common vulnerabilities and exposures (CVE) records for the various vulnerabilities.
At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated.
In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.Windows and latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post.
However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above."The core of the attack, hence its name, is that the attacker tricks the connected party into reinstalling an already-in-use key," Alan Woodward, a professor at the University of Surre.
Despite the ire many have with branded, or popularized vulnerabilities -- Heartbleed, Shellshock, and Poodle to name a few -- many renowned security and cryptographic experts are warning not to underestimate the severity of the flaw.
"It's not a trivial attack," said Woodward. He warned that the scale of the attack is "huge."
It's not the first attack that's hit WPA2. WPA2 was developed, ironically, as a way to replace a similar protocol, WEP, which was cracked just a few years after its debut in 1997.
Several researchers, including Vanhoef, have demonstrated valid attacks against the protocol. By far the most notable was in 2011 when a security researcher showed that an attacker could recover the code used in Wi-Fi Protected Setup, a feature that let users authenticate with a one-push button on the router, which could be easily cracked.
Like similar attacks against WPA2, an attacker needs to be within a close physical proximity of a vulnerable device, such as a router or even a cash register or point-of-sale device.
That's not to downplay the seriousness of the attack, however.
The downside is that nowadays, a hacker can launch an attack from hundreds of feet from a vulnerable device, Kenneth White, a security researcher.
A table of vulnerable software. (Image: Mathy Vanhoef)
Matthew Green, a cryptography teacher at Johns Hopkins University, said in a tweet that this is "probably going to turn into a slew of TJ Maxxes," referring to a cyberattack on the department store, where hackers cracked the Wi-Fi password that connected the cash registers to the network.
White explained, however, that sites and services that provide content over strict HTTPS (known as HSTS) will encrypt traffic from the browser to the server.
In other words, it's still safe to access sites that encrypt your data over an insecure network.
Although Vanhoef said it wasn't clear if any attacks had been seen in the wild.
Several router and network equipment makers were briefed prior to Monday's announcement, including Cisco and HPE. We reached out to all three but did not hear back at the time of writing.
Aruba, Ubiquiti, and Eero are said to have patches available, according to sources we spoke to at the time of writing. It's not known if others have -- but we will update as we find out.
But many products and device makers will likely not receive patches -- immediately, or ever. Katie Moussouris, founder of Luta Security, said in a tweet that Internet of Things devices will be some of the "hardest hit."
Until patches are available, Wi-Fi should be considered a no-go zone for anything mission critical, a feat almost impossible in today's age of ubiquitous and blanket wireless network access.
Microsoft's Roslyn 'compiler as a service' inches forward Summary: Microsoft is now compiling internally its daily Visual Studio builds using its 'Roslyn' compiler technology. Could a new preview and/or final release be happening soon?Lets wait and see. Microsoft is internally dogfooding its "Roslyn" compiler as a service technology, and is compiling internal daily builds of Visual Studio using "Roslyn." That update, courtesy of a Microsoft December 16 blog post , is the first Microsoft has shared about its Roslyn technology in more than a year. Microsoft's Roslyn effort is about re-architecting the C# and VB compilers to support "compiler as a service" (CaaS) scenarios. Currently, a compiler is a black box; with Roslyn, Microsoft is working on opening it up so that all of the information processed via a compiler is available in application programming interface (API) form. Microsoft's most recent Roslyn desc...
Biometric smartphones to become mainstream in 2014, Ericsson says Summary: Following the release of the fingerprint sensor-enabled iPhone 5s, more smartphone makers could soon jump on the bandwagon, if Ericsson's predictions prove true. By the end of 2014, a wealth of new smartphones could come with biometric technology, such as fingerprint recognition hardware. In September, Apple released the iPhone 5s, which included a fingerprint reader , in the hope of bolstering security and improving usability. And other mobile makers, keen to jump on the biometric bandwagon, could soon embed the technology in their own devices. According to new research by mobile network maker Ericsson, which polled 100,000 people over 40 countries, about 74 percent of respondents said they believe biometric smartphones "will become mainstream" during 2014. More than half at 52 percent want to use their fingerprints instead of a complex alphanumeric combination of letters...
Summary: Intel outlines its plans to be the brains of the autonomous vehicle, but it'll have to duel with Qualcomm and NXP among others. Intel, best known for the processors behind PCs, servers and data center gear, now wants to be the brains behind autonomous vehicles. The chip giant at CES 2017 launched a new brand, Intel GO, that's designed for autonomous driving and aim to link cloud computing, connectivity and the car. To back up its efforts, Intel is launching t wo development kits to connect GO with Atom and Xeon processor s. Intel said its GO effort will provide the first 5G-ready development platform. The company also launched its 5G modem at CES. CNET's Stephen Shankland has the deep dive and the strategy details. As for partnerships, Intel is teaming up with BMW and Mobileye to have 40 autonomous vehicles on the roads by the second half of the year. Intel announced a partnership with BMW and Mobileye in July. The Intel moves come as the company boug...
Comments
Post a Comment