Alleged 'KRACK Attack' vulnerability threatens to lay bare Wi-Fi WPA-2 security
A set of six collegiate researchers are set to unveil details of a Key Reinstallation Attack (KRACK Attack) against WPA-2 Wi-Fi security, which, if legitimate, can allow attackers to undermine encryption on any Wi-Fi connection using the security method -- including Apple hardware connecting to AirPort Extreme and AirPort Express routers. AppleInsider explains what it is, and how to cut down on the potential for attack until patches are rolled out.
The exploit, published on Monday, takes advantage of the four-way handshake between a router and a connecting device that establishes the encryption key. When the attack is executed properly, the third step of the handshake can be compromised, resulting in the re-use of an encryption key -- or, in some cases on Android and Linux, the installation of a null (all-zero) key.
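The key-reinstallation behaviour described above, as an added example that is not part of the article or of the researchers' code: a toy supplicant model that shows why installing an already-installed key on a repeated message 3 resets the nonce counter (the unpatched case), and how the patched behaviour, ignoring a repeated message 3 that carries the key already in use, keeps every (key, nonce) pair unique. The key bytes, frame format and the `Supplicant` class are constructed stand-ins, not the real WPA-2 key schedule or CCMP.

```python
"""Toy model of a WPA2 supplicant around message 3 of the four-way handshake.

Constructed example: the PTK is a placeholder byte string and a "frame" is just
the (key, packet number) pair that CCMP would use as key and nonce.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    reinstall_allowed: bool               # True models the unpatched behaviour
    installed_ptk: Optional[bytes] = None
    packet_number: int = 0                # CCMP nonce counter, reset on key install
    sent: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_msg3(self, ptk: bytes) -> None:
        """Message 3 delivers the key to install.  The access point retransmits
        message 3 when it does not receive message 4, so the same PTK may arrive
        twice; a patched supplicant refuses to reinstall a key already in use."""
        if self.installed_ptk == ptk and not self.reinstall_allowed:
            return                        # patched: key already in use, ignore
        self.installed_ptk = ptk
        self.packet_number = 0            # (re)installing resets the nonce counter

    def send(self, plaintext: bytes) -> Tuple[bytes, int]:
        """Encrypt one data frame; returns the (key, nonce) pair it used."""
        assert self.installed_ptk is not None, "no key installed yet"
        self.packet_number += 1
        frame = (self.installed_ptk, self.packet_number)
        self.sent.append(frame)
        return frame


def nonce_reused(supplicant: Supplicant) -> bool:
    """The CCMP invariant a defender checks: no (key, nonce) pair is ever used
    for two different frames."""
    return len(supplicant.sent) != len(set(supplicant.sent))


def run_handshake(reinstall_allowed: bool) -> bool:
    """Drive the model: message 3, two data frames, a retransmitted message 3,
    one more data frame.  Returns True if a (key, nonce) pair was reused."""
    s = Supplicant(reinstall_allowed=reinstall_allowed)
    ptk = b"constructed-ptk"              # stand-in for the derived pairwise key
    s.on_msg3(ptk)
    s.send(b"frame 1")
    s.send(b"frame 2")
    s.on_msg3(ptk)                        # retransmission of message 3
    s.send(b"frame 3")
    return nonce_reused(s)
```

The unpatched model reports a reused pair because the third frame is encrypted with packet number 1 again; the patched model never repeats one.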
US-CERT, the division of the Department of Homeland Security responsible for computer safety, has become aware of "several key management vulnerabilities" used in the attack. The agency has declared that the impact of the vulnerability includes lack of proper encryption, content hijacking, HTTP injection, and other problems. In the advisory issued on Monday, US-CERT says that "most or all correct implementations" of WPA-2 are affected -- meaning every consumer device, and most enterprise access points.
The researchers claim that the attack vector completely opens up Android 6.0 and later devices. Other operating systems, including iOS and macOS, are less affected, but "a large number of packets" can still be decrypted from all of them.
At present, there are no patches for consumer-grade devices, and only a few commercial manufacturers have issued updates. A large percentage of network equipment will likely not see updates -- so a properly patched operating system will be essential for users.
The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.
Fixes can be made by vendors at either the client or the router level, and only one of the pair needs to be patched for the vulnerability to be ineffective. A patched computer can connect to an unpatched router and not be vulnerable, and vice versa. Updates to either will prevent an encryption key from being reused.
How to mitigate the issue until a patch is issued
Most networks in single-family homes are probably safe. However, in apartment buildings and thickly-settled areas, there remains the potential of attack -- if the exploit is as easy to implement as the researchers claim it is.
When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
Avoid public Wi-Fi. That will cut down on exposure vectors for most users while patches are being rolled out.
The researchers note that they cannot retrieve data downloaded from a "properly configured HTTPS site" -- but a "significant fraction" aren't well set up. Avoid transmitting sensitive data to non-HTTPS sites.
While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.
To secure your own home network, ensure that home servers and network attached storage devices all have non-default passwords for file sharing and other services, and use Ethernet whenever possible. Additionally, to prevent an attack on a printer possibly resulting in hundreds of pages of garbage being printed, consider turning off printers when not in use.
Comments
The list of affected routers and the current patch status is here:
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
Best advice IMHO is stay off public wi-fi anyway, patched or not. Home routers in general are not in much danger according to reporting, except in the very dense metro areas or well-used coffee shops and such where hundreds of people might "see" your wi-fi network. I would think Google Wi-Fi too and surely the AirPort family.
According to researchers yes they do.
In addition foolishly disabling SSID broadcast is like posting a sign that says "Important Network here!"
Also, at what point is it no longer alleged?
I used to believe this, as well, and always made my networks hidden.
But then I learned about this:
It's simply much better to ensure that you have a strong password.
I wish entire apartment buildings would get wired up so that each unit didn't need to have its own separate wireless router. Instead, the entire building could be one super-powered network.
For those who aren't aware, there is a GUI tool built right into macOS for seeing all the SSIDs, hidden or not. Open Wi-Fi Diagnostics (Option-click on the Wi-Fi menu bar item or go to /System/Library/CoreServices/), then go to the Scan window by choosing Window » Scan from the menu bar or hitting Control-Option-Command-4 on the keyboard.
Regarding security, from that app you can even tell a lot about the router by looking up the first half of the MAC/HW address listed. I just checked and someone is still rocking a Netgear router with 802.11b/g enabled.
To reiterate your point, a better password is always a better solution. Unlike online accounts and enterprise setups where brute force attacks are limited, someone(s) could be trying to access your network 24/7/52 and you'd never get a heads up from the router.
https://www.krackattacks.com/
2) Between, say, all the Android-based smartphones and all the iPhones in the wild which do you think will have a higher percentage of devices fixed in, say, a month?
Apple!
30+ years ago a security auditor gave me some advice that has served me well: "If somebody (especially a pro) wants to get in, they will. So, the trick is to make yours hard enough to get into that they pick on your neighbor." (My apologies to my neighbors!)
So, if the teenager next door doesn't know it exists, he'll likely pick on somebody else.
... Can it be cracked? Of course it can! Everything can! That's not a valid question.
Why does having a more secure password negate the benefit of not broadcasting your ID?
... As we see here, there are more way into a data stream than hacking IDs...
Actually, the best security has multiple levels.
I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers.