Support NeoGAF

[emag]

Earlier speculation thread here: http://www.neogaf.com/forum/showthread.php?t=1448462
Updated Ars story: https://arstechnica.com/information...ck-attack-destroys-nearly-all-wi-fi-security/

PATCHING YOUR ROUTER IS NOT ENOUGH. YOUR PHONES, LAPTOPS, ETC., NEED TO BE PATCHED.

Patch dates by vendor
EDIT: Microsoft says Windows is patched as of last week. Google says Nexus/Pixel devices to be patched November 6. Apple says current betas (iOS 11.1 dev beta 3, etc.) incorporate the patch.

KRACK: Key Reinstallation AttaCKs

In short, effectively all client WiFi devices (laptops, phones, tablets, consoles, smart home/IoT devices, etc.) using WPA2 security (the "secure" standard) are entirely insecure due to vulnerable handshake handling. All of your WiFi traffic can be snooped and manipulated with ease. Clients need to be updated to resolve this vulnerability. VPNs and HTTPS might help, but if an attacker controls your WiFi connection, targeted man-in-the-middle attacks may also render those worthless.

Downgrading to WEP, WPA1, etc., is not advised, as those protocols are broken. If you want even the veneer of secure connections, used a wired connection until your devices are updated.

Note that this isn't a device-specific bug, but rather a failing of the WPA2 protocol. That said, some devices are easier to exploit than others, with modern Android/Linux devices being particularly at risk.

Details are up at https://www.krackattacks.com/

Key reinstallation attacks: concrete example against the 4-way handshake

As described in the introduction of the research paper, the idea behind a key reinstallation attack can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

Practical impact

In our opinion, the most widespread and practically impactful attack is the key reinstallation attack against the 4-way handshake. We base this judgement on two observations. First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies. Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past. In turn, this causes all encryption protocols of WPA2 to reuse keystream when encrypting packets. In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases (e.g. English text can still be decrypted). In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted.

The ability to decrypt packets can be used to decrypt TCP SYN packets. This allows an adversary to obtain the TCP sequence numbers of a connection, and hijack TCP connections. As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.

If the victim uses either the WPA-TKIP or GCMP encryption protocol, instead of AES-CCMP, the impact is especially catastrophic. Against these encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Moreover, because GCMP uses the same authentication key in both communication directions, and this key can be recovered if nonces are reused, it is especially affected. Note that support for GCMP is currently being rolled out under the name Wireless Gigabit (WiGig), and is expected to be adopted at a high rate over the next few years.

The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. Finally, most of our attacks also allow the replay of unicast, broadcast, and multicast frames. For further details, see Section 6 of our research paper.

Note that our attacks do not recover the password of the Wi-Fi network. They also do not recover (any parts of) the fresh encryption key that is negotiated during the 4-way handshake.

Android and Linux

Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key. This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.

Is my device vulnerable?

Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

...

Will the Wi-Fi standard be updated to address this?

There seems to be an agreement that the Wi-Fi standard should be updated to explicitly prevent our attacks. These updates likely will be backwards-compatible with older implementations of WPA2. Time will tell whether and how the standard will be updated.

 

[giga]

Why two threads? http://www.neogaf.com/forum/showthread.php?t=1448462

 

[faint.]

Why two threads? http://www.neogaf.com/forum/showthread.php?t=1448462

This thread is focused on the actual attack. It was not released until a few minutes ago. The other thread specifies that WPA2 may be cracked. This should be the thread going forward.

 

[Funyarinpa]

This sounds like... An extremely big issue?

I'm worried, though I don't have much to add except perhaps worrying over how to ensure safety of legacy devices

 

[DonMigs85]

Wonder if TP-Link will issue an update for my Archer D7 router.

 

[Shauni]

How do you update a router? Like, what can be done now? I'm pretty dumb with this stuff so I don't 100% get this though it sounds pretty terrible?

 

[DonMigs85]

How do you update a router? Like, what can be done now? I'm pretty dumb with this stuff so I don't 100% get this though it sounds pretty terrible?

Your router might have an update check button in its settings page, or check the manufacturer's support page

 

[Pooya]

who's going to update all the abandoned 2+ years old android devices out there. yeah...

 

[JettDash]

So I have an S8 and a brand new router. This should get fixed right?

 

[reKon]

Just read this on Engadget. Jesus...

 

[Aiii]

who's going to update all the abandoned 2+ years old android devices out there. yeah...

Well it certainly won't be the manufacturers. I betcha they can give you a great 2 year plan on their latest flagship that is guaranteed to get another 2 or 3 updates over the next year or so!

 

[Charles Brandon]

Can someone please explain what the actual, real-world implications are for a home user (and a business owner I suppose)?

 

[faint.]

Wonder if TP-Link will issue an update for my Archer D7 router.

How do you update a router? Like, what can be done now? I'm pretty dumb with this stuff so I don't 100% get this though it sounds pretty terrible?

You should focus on your clients first. That is what's being targeted here.

Can someone please explain what the actual, real-world implications are for a home user (and a business owner I suppose)?

Your transmitted data can be read and manipulated. See this video for an example.

 

[emag]

This sounds like... An extremely big issue?

I'm worried, though I don't have much to add except perhaps worrying over how to ensure safety of legacy devices

Legacy devices (and their users) are fucked. All of their data belongs to anyone within WiFi distance who bothers to take it. Turn off WiFi, delete your accounts, buy new devices, or pray that no one takes what's sitting out in the open.

Wonder if TP-Link will issue an update for my Archer D7 router.

This vulnerability doesn't affect routers (except when used in client mode to connect to other WiFi routers/switches/APs), it affects clients.

So I have an S8 and a brand new router. This should get fixed right?

Presumably Google will (or has) rolled this up into the current/next monthly security patch. Don't know when Samsung will get around to updating the S8 with it.

Can someone please explain what the actual, real-world implications are for a home user (and a business owner I suppose)?

All of your WiFi communications are public. Anyone can see everything going both ways.

 

[TheExecutive]

Your router might have an update check button in its settings page, or check the manufacturer's support page

It’s stating that clients need to be updated.

 

[Plum]

You should focus on your clients first. That is what's being targeted here.

What is a client and how can one "focus" on them?

 

[Vanillalite]

Wonder if TP-Link will issue an update for my Archer D7 router.

How do you update a router? Like, what can be done now? I'm pretty dumb with this stuff so I don't 100% get this though it sounds pretty terrible?

It's CLIENT SIDE.

What we need is every WiFi device to get patched ie phones, laptops, servers, tablets, iot, pos systems... basically fuckin anything and everything

Client = your device ie your phone (not your router)

 

[Ether_Snake]

Wait, is the issue the router, or a combination of router + handheld device?

Doubt my router will have an update. If it’s the phone that needs to be updated, I’m not worried.

 

[KarneeKarnay]

I heard something like this recently. My company has been phasing out of WP2 devices for a while now.

That said SHA1 and now this in less than a year, I'm wondering if this has been known for a while or are hackers getting better?

 

[Widdle Puppy]

is my porn safe?

 

[shira]

This thread is focused on the actual attack. It was not released until a few minutes ago. The other thread specifies that WPA2 may be cracked. This should be the thread going forward.

The title is confusing.

 

[Apt101]

My Asus AC1900 has a new firmware out - big ol' alert on the interface when I logged on.

 

[DonMigs85]

It's CLIENT SIDE.

What we need is every WiFi device to get patched ie phones, laptops, servers, tablets, iot, pos systems... basically fuckin anything and everything

Client = your device ie your phone (not your router)

That's a tall order

 

[gngf123]

All of those abandoned Android phones stuck on KitKat...

 

[CrunchyFrog]

woof, this really sucks

 

[faint.]

What is a client and how can one "focus" on them?

Any machine on your network. Your phone, PC, smarthome item, etc. If it's using WiFi it is at risk. You'll want to update them as soon as security patches are released, assuming security patches are released. It's recommended to use wired internet if possible until a patch is applied.

 

[Vanillalite]

That's a tall order

Now you know why this is a veritable apocalypse

 

[TheExecutive]

Can someone please explain what the actual, real-world implications are for a home user (and a business owner I suppose)?

Umm your stuff can be stolen but the likelihood is still small that you will be targeted.

For a small business it may be a little more dangerous. Depends on what you do.

 

[PeskyToaster]

I heard something like this recently. My company has been phasing out of WP2 devices for a while now.

That said SHA1 and now this in less than a year, I'm wondering if this has been known for a while or are hackers getting better?

These are released by university researchers looking for vulnerabilities. They might have been known by hackers but I don't think there's been any known attacks with it.

 

[Ferr986]

So for PC users I have to wait for a Windows update?

 

[tuxfool]

Do note that this attack isn't as bad as when WEP was broken. Still it is pretty bad.

I remember seeing WEP in widespread usage years after it was broken.

 

[Zojirushi]

So at home my PC connectect via network cable to my router is fine but my phone and laptop connected via Wifi aren't?

 

[ponpo]

tfw both an android and linux user

 

[Jezbollah]

So at home my PC connectect via network cable to my router is fine but my phone and laptop connected via Wifi aren't?

Well yes - your PC wouldnt be using Wifi if it was connected by network cable...

 

[Mindwipe]

It's CLIENT SIDE.

What we need is every WiFi device to get patched ie phones, laptops, servers, tablets, iot, pos systems... basically fuckin anything and everything

Client = your device ie your phone (not your router)

This attack is client side, but there are ways you could exploit this vulnerability against a router too. Everything needs patching.

 

[Vanillalite]

Do note that this attack isn't as bad as when WEP was broken. Still it is pretty bad.

While true the amount of WiFi devices has ballooned exponentially since then though.

Fucking EVERYTHING is wireless now.

 

[faint.]

So at home my PC connectect via network cable to my router is fine but my phone and laptop connected via Wifi aren't?

Assuming WiFi is disabled on your PC, yes.

 

[Pankratous]

So what about Mobile Data, as opposed to WiFi? Can I connect to my mobile ISP without issue?

 

[LiK]

Thread title should be changed. Didn't understand it at all. Thought this was a joke thread.

 

[Zojirushi]

Well yes - your PC wouldnt be using Wifi if it was connected by network cable...

I got that. I guess the question is if my shit gets hacked because of an insecure wifi could that potentially somehow affect my non wifi PC as well?

 

[TheExecutive]

These are released by university researchers looking for vulnerabilities. They might have been known by hackers but I don't think there's been any known attacks with it.

From what I just read it would be tough to do a wide scale attack with this so the likelihood of it being found if someone did know about it would be small. There are 1,000 things to blame for stolen information before even thinking about the handshake.

 

[RazorbackDB]

How are you gonna deal with all these outdated Android devices, OEM manufacturers offer at most 2 year of updates for flagships and fuck all for anything else, oh boy.

 

[SwordStruck]

So what about Mobile Data, as opposed to WiFi? Can I connect to my mobile ISP without issue?

Cellular data is encrypted by CMEA, which is already extremely vulnerable.

 

[DigitalRicket]

Umm your stuff can be stolen but the likelihood is still small that you will be targeted.

For a small business it may be a little more dangerous. Depends on what you do.

So does this mean passwords can be sniffed out with this?

 

[darkwing]

why hasn't Microsoft or Google release any patches yet, even Apple

my old smartphone is useless then

 

[tuxfool]

While true the amount of WiFi devices has ballooned exponentially since then though.

Fucking EVERYTHING is wireless now.

Very true. In my case when using semi public access points I generally use a VPN, I do worry about the more appliance-like devices.

 

[darkwing]

How are you gonna deal with all these outdated Android devices, OEM manufacturers offer at most 2 year of updates for flagships and fuck all for anything else, oh boy.

it will be vulnerable

 

[Berordn]

How are you gonna deal with all these outdated Android devices, OEM manufacturers offer at most 2 year of updates for flagships and fuck all for anything else, oh boy.

They'll use it as a selling point for an upgrade.

 

[Pankratous]

Cellular data is encrypted by CMEA, which is already extremely vulnerable.

Is this true for the UK as well? I don't know if that is a universal standard. I'd imagine EU law makes us be slightly beefier, but don't know for sure, obviously.

 

[Kensation]

Welp, glad I have unlimited mobile data.

EDIT:

Cellular data is encrypted by CMEA, which is already extremely vulnerable.

FUCK! Time to go back to pen and paper, then.