Alleged 'KRACK Attack' vulnerability threatens to lay bare Wi-Fi WPA-2 security

Posted:
in General Discussion edited October 2017
A set of six collegiate researchers are set to unveil details on a Key Reinstallation Attack (KRACK Attack) for WPA-2 Wi-Fi security, which if legitimate can allow attackers to undermine encryption on any wi-fi connection utilizing the security method -- including Apple hardware connecting to Airport Extreme and Airport Express routers. AppleInsider explains what it is, and how to cut down on the potential for attack until patches are rolled out.




The exploit, published on Monday, takes advantage of a four-way handshake between a router and a connecting device to establish the encryption key. Properly executed, the third step can be compromised, resulting in the re-use of an encryption key -- or in some cases in Android and Linux, the establishment of a null key.

US-CERT, the division of the Department of Homeland Security responsible for computer safety has become aware of "several key management vulnerabilities" used in the attack. The agency has declared that the vulnerability includes lack of proper encryption, content hijacking, HTTP injection, and other problems. In the advisory issued on Monday, US-CERT says that "most or all correct implementations" of WPA-2 are affected by the vulnerability -- meaning every consumer device, and most enterprise access points.

The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

At present, there are no patches for consumer-grade devices, and only a few commercial manufacturers have issued updates. A large percentage of network equipment will likely not see updates -- so a properly patched operating system will be essential for users.

The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.

Fixes can be made by vendors on either the client or router level, and only one of the pair needs to be patched for the vulnerability to be ineffective. A patched computer can connect to an un-patched router and not be vulnerable, and vice-versa. Updates to either will prevent an encryption key from being reused.

How to mitigate the issue until a patch is issued

Most networks in single-family homes are probably safe. However, in apartment buildings and thickly-settled areas, there remains the potential of attack -- if the exploit is as easy to implement as the researchers claim it is.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.

Avoid public Wi-Fi. That will cut down on exposure vectors for most users while patches are being rolled out.

The researchers note that they cannot retrieve data downloaded from a "properly configured HTTPS site" -- but a "significant fraction" aren't well set up. Avoid transmitting sensitive data to non-HTTPS sites.

While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

To secure your own home network, ensure that home servers and network attached storage devices all have non-default passwords for file sharing and other services, and use Ethernet whenever possible. Additionally, to prevent an attack on a printer possibly resulting in hundreds of pages of garbage being printed, consider turning off printers when not in use.
«1

Comments

  • Reply 1 of 29
    gatorguygatorguy Posts: 24,608member
    Those in large apartment buildings or using public Wi-Fi (bad idea to begin with IMHO) would appear to be most at risk, and bored teens are the ones I'd personally worry about most. Yes turning off Wi-Fi connected printers too when not in use, particularly in a high-density area, sounds like good advice.

    The list of affected routers and the current patch status is here:
    https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
    edited October 2017 chialostkiwiSoliRacerhomieX
  • Reply 2 of 29
    linkmanlinkman Posts: 1,046member

    The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

    When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
    It's likely that a huge number of current Android devices will never get patched.
    netmagecornchipGeorgeBMacRacerhomieXtallest skilwatto_cobramagman1979
  • Reply 3 of 29
    Given the way they work, I imagine VPNs render the attacks useless as well.
    Soli
  • Reply 4 of 29
    Mike WuertheleMike Wuerthele Posts: 6,920administrator
    linkman said:

    The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

    When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
    It's likely that a huge number of current Android devices will never get patched.
    And routers. The two combined are bad news. We'll see if the Airport family gets a patch -- but I'm expecting one for macOS and iOS very, very soon.
    watto_cobramagman1979
  • Reply 5 of 29
    gatorguygatorguy Posts: 24,608member
    linkman said:

    The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

    When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
    It's likely that a huge number of current Android devices will never get patched.
    Oddly enough in this particular case the most affected Android devices are the ones most likely to get patched. Reportedly not much risk, perhaps none at all, in versions older than 6.0. (41% is the estimate of potentially vulnerable Android devices)

    Best advice IMHO is stay off public wi-fi anyway, patched or not. Home routers in general are not in much danger according to reporting, except in the very dense metro areas or well-used coffee shops and such where hundreds of people might "see' your wi-fi network.
    linkman said:

    The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

    When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
    It's likely that a huge number of current Android devices will never get patched.
    And routers. The two combined are bad news. We'll see if the Airport family gets a patch -- but I'm expecting one for macOS and iOS very, very soon.
    I would think Google Wi-Fi too and surely the Airport family.
    Given the way they work, I imagine VPNs render the attacks useless as well.

    According to researchers yes they do.
    edited October 2017
  • Reply 6 of 29
    netmagenetmage Posts: 314member
    Recommending non-broadcast SSIDs has been known to be very bad advice for at least ten years as published by sources like Microsoft Security and the US Federal government. It is trivial to intercept the SSID from a WiFi network in use.

    In addition foolishly disabling SSID broadcast is like posting a sign that says "Important Network here!"

    Also, at what point is it no longer alleged?
    edited October 2017
  • Reply 7 of 29
    coolfactorcoolfactor Posts: 2,327member
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have it's own separate wireless router. Instead, the entire building could be one super-powered network.

    RacerhomieX
  • Reply 8 of 29
    SoliSoli Posts: 10,038member
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.
    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.
    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have it's own separate wireless router. Instead, the entire building could be one super-powered network.
    I hide my network my home network, but only so it doesn't clutter the WiFi list that humans have to read. I consider it netiquette. Whether others are doing it for the same reason (which seems unlikely) or because they think it's secure, I'm glad they do it because it reduces the clutter considerably.

    For those aren't aware, there is a GUI tool built right into macOS for seeing all the SSIDs, hidden or not. Open WiFI Diagnostics (Option-click on the WiFI Menu Bar item or go to /System/Library/CoreServices/), then go to the Scan window by choosing Window » Scan from the Menu Bar or hitting Control-Option-Command-4 on the keyboard.

    Regarding security, from that app you can even tell a lot about the router by looking up the first half of the MAC/HW address listed. I just checked and someone is still rocking a Netgear router with 802.11b/g enabled.

    To reiterate your point, a better password is always a better solution. Unlike online accounts and enterprise setups where brute force attacks are limited, someone(s) could be trying to access your network 24/7/52 and you'd never get a heads up from the router.
    edited October 2017
  • Reply 9 of 29
    To those who think Apple products are immune and only other products suffer.. Just read it and follow demonstration and stop philosophy that apple is always secure.And yes it is legitimate.

    https://www.krackattacks.com/
  • Reply 10 of 29
    SoliSoli Posts: 10,038member
    To those who think Apple products are immune and only other products suffer.. Just read it and follow demonstration and stop philosophy that apple is always secure.And yes it is legitimate.

    https://www.krackattacks.com/
    1) Who said Apple is always secure? The article clearly indicates the WPA2 protocol is the issue, which isn't proprietary to Apple, and addresses ways that those using Apple products can lower their threat level.

    2) Between, say, all the Android-based smartphones and all the iPhones in the wild which do you think will have a higher percentage of devices fixed in, say, a month?
    iqatedowatto_cobracgWerks
  • Reply 11 of 29
    gatorguygatorguy Posts: 24,608member
    Soli said:
    To those who think Apple products are immune and only other products suffer.. Just read it and follow demonstration and stop philosophy that apple is always secure.And yes it is legitimate.

    https://www.krackattacks.com/
    1) Who said Apple is always secure? The article clearly indicates the WPA2 protocol is the issue, which isn't proprietary to Apple, and addresses ways that those using Apple products can lower their threat level.

    2) Between, say, all the Android-based smartphones and all the iPhones in the wild which do you think will have a higher percentage of devices fixed in, say, a month?
    I know, I know! (raises hand)
    Apple!
    cgWerks
  • Reply 12 of 29
    GeorgeBMacGeorgeBMac Posts: 11,421member
    netmage said:
    Recommending non-broadcast SSIDs has been known to be very bad advice for at least ten years as published by sources like Microsoft Security and the US Federal government. It is trivial to intercept the SSID from a WiFi network in use.

    In addition foolishly disabling SSID broadcast is like posting a sign that says "Important Network here!"

    Also, at what point is it no longer alleged?
    Security through obscurity...   It works.   Like any and all security measures, it is not fail proof.  Instead, it's just one more piece of the pie.

    30+ years ago a security auditor gave me some advice that has served me well:   "If somebody (especially a pro) wants to get in, they will.  So, the trick is to make yours hard enough to get into that they pick on your neighbor."  (My apologies to my neighbors!)

    So, if the teenager next door doesn't know it exists, he'll likely pick on somebody else.
    ...  Can it be cracked?  Of course it can!   Everything can!   That's not a valid question.
  • Reply 13 of 29
    GeorgeBMacGeorgeBMac Posts: 11,421member
    Soli said:
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.
    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.
    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have it's own separate wireless router. Instead, the entire building could be one super-powered network.
    I hide my network my home network, but only so it doesn't clutter the WiFi list that humans have to read. I consider it netiquette. Whether others are doing it for the same reason (which seems unlikely) or because they think it's secure, I'm glad they do it because it reduces the clutter considerably.

    For those aren't aware, there is a GUI tool built right into macOS for seeing all the SSIDs, hidden or not. Open WiFI Diagnostics (Option-click on the WiFI Menu Bar item or go to /System/Library/CoreServices/), then go to the Scan window by choosing Window » Scan from the Menu Bar or hitting Control-Option-Command-4 on the keyboard.

    Regarding security, from that app you can even tell a lot about the router by looking up the first half of the MAC/HW address listed. I just checked and someone is still rocking a Netgear router with 802.11b/g enabled.

    To reiterate your point, a better password is always a better solution. Unlike online accounts and enterprise setups where brute force attacks are limited, someone(s) could be trying to access your network 24/7/52 and you'd never get a heads up from the router.
    So why does it have to be either/or?
    Why does having a more secure password negate the benefit of not broadcasting you ID?
    ...  As we see here, there are more way into a data stream than hacking IDs...

    Actually, the best security has multiple levels.
    edited October 2017
  • Reply 14 of 29
    SoliSoli Posts: 10,038member
    netmage said:
    Recommending non-broadcast SSIDs has been known to be very bad advice for at least ten years as published by sources like Microsoft Security and the US Federal government. It is trivial to intercept the SSID from a WiFi network in use.

    In addition foolishly disabling SSID broadcast is like posting a sign that says "Important Network here!"

    Also, at what point is it no longer alleged?
    Security through obscurity...   It works.   Like any and all security measures, it is not fail proof.  Instead, it's just one more piece of the pie.

    30+ years ago a security auditor gave me some advice that has served me well:   "If somebody (especially a pro) wants to get in, they will.  So, the trick is to make yours hard enough to get into that they pick on your neighbor."  (My apologies to my neighbors!)

    So, if the teenager next door doesn't know it exists, he'll likely pick on somebody else.
    ...  Can it be cracked?  Of course it can!   Everything can!   That's not a valid question.
    The only people that would never know it's in a list are those that have neither the knowledge or inclination to bypass your security. It's all or nothing—you're either in range of an SSID or you're not.
  • Reply 15 of 29
    tzm41tzm41 Posts: 95member
    Not sure why Apple hasn't fixed it. Didn't the author release to CERT, and then CERT broadcasted to major vendors in August?
  • Reply 16 of 29
    gatorguygatorguy Posts: 24,608member
    tzm41 said:
    Not sure why Apple hasn't fixed it. Didn't the author release to CERT, and then CERT broadcasted to major vendors in August?
    Yes they did but typically fixes aren't publically rolled out until the the exploit embargo is lifted. That happened today. The reasoning is that by publishing fixes out it alerts neer-do-wells to the flaw,  who then rush figure out how the ploy works and take advantage of platforms/devices not yet patched by other companies. In this particular instance one developer DID jump the gun (BSD) which endangers everyone. Why did he do that? Because he thought it was silly to hold off publishing his "fix" until today. Now I'm sure he understands the reason why exploits are embargoed. 

    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    edited October 2017 Soli
  • Reply 17 of 29
    Mike WuertheleMike Wuerthele Posts: 6,920administrator
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have it's own separate wireless router. Instead, the entire building could be one super-powered network.

    When you're being chased by a bear, you don't have to be the fastest. You just shouldn't be the slowest.
    GeorgeBMacwatto_cobra
  • Reply 18 of 29
    SoliSoli Posts: 10,038member
    gatorguy said:
    I'll be moderately surprised if both Google and Apple don't have fixes available within the next 24 hours or so, along with many other affected manufacturers. 
    Do you think they'll be in a tertiary point update or be part of a future rollout, as developers do have new betas today. While the breach in security is large the risk to individuals seems pretty small. Hell, I assume most users aren't even using a VPN when connecting to open WiFi networks which could be more problematic for packet sniffing than someone writing SW and going to a location to get access to a network within the next couple weeks.
    edited October 2017
  • Reply 19 of 29
    appexappex Posts: 687member
    Nothing like a wired connection. Whenever possible, of course.
  • Reply 20 of 29
    SoliSoli Posts: 10,038member
    While networks not broadcasting SSID, or network name, can still be sniffed out by the determined, still consider not having a publicly broadcast network name. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

    I used to believe this, as well, and always made my networks hidden.

    But then I learned about this:
    When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

    It's simply much better to ensure that you have a strong password.

    I wish entire apartment buildings would get wired up so that each unit didn't need to have it's own separate wireless router. Instead, the entire building could be one super-powered network.

    When you're being chased by a bear, you don't have to be the fastest. You just shouldn't be the slowest.
    That scenario assumes one bear. In this scearnio there could be more hungry bears than there are people.
    cgWerks
Sign In or Register to comment.