A New Severe Security Flaw Could Leave Your Wi-Fi Open To Snooping

You’ve set up a closed Wi-Fi network at home and use the same thing at the office, and it’s secured through the WPA2 standard — the ubiquitous security protocol for Wi-Fi, widely established as superior to WEP. Think you’re safe? As of today, you should think again. This morning, security researchers revealed a new kind of attack on the popular Wi-Fi protocol that allows bad actors to potentially eavesdrop on your Wi-Fi traffic and intercept sensitive data passing through the network — whether that’s passwords, emails, chat messages, photos, or credit card information.

The exploit, disclosed by security researcher Mathy Vanhoef at KU Leuven, a Belgian university, is called KRACK — short for Key Reinstallation Attacks. Vanhoef says that the vulnerability affects the WPA2 standard itself and can potentially be exploited on devices running Android, Apple, Windows, Linux, and OpenBSD operating systems, plus Linksys routers, Internet of Things devices, and other wireless devices using MediaTek chips. “The attack works against all modern protected Wi-Fi networks,” Vanhoef warned.

Microsoft said it had already released a software patch for this vulnerability. “Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically,” a Microsoft spokesperson told BuzzFeed News. At the time of publication, Google and Apple had not yet responded to requests for comment.

While Vanhoef presented a proof of concept showing that the attack can work, you don’t necessarily need to panic yet. “There is no immediate risk, and certainly not to the overwhelming majority of people,” Kenneth White, a Washington DC-based security consultant to federal agencies, who was briefed on Vanhoef’s research, told BuzzFeed News. “No exploit code has been released.” Additionally, White noted, someone would have to be (somewhat) physically near the network to launch the attack.

Basically, White recommended, the security-conscious should do what they always do every time a new vulnerability is discovered: update, update, update. Major wireless vendors will likely issue software patches for the vulnerable devices, White said. “Over-the-air updates to phones and devices will help reduce the threat of the most trivial attacks,” he said.

Meanwhile, the Wi-Fi Alliance said that “major platform providers” had already started pushing out patches for the WPA2 vulnerability. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the group said in a statement. “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”

Still, it isn’t clear how long it will take for the affected devices to be patched — or whether some Wi-Fi devices can be patched at all. In particular, White said, owners of older Android phones running version 6.0 of the operating system should make sure they upgrade because their devices are extra vulnerable. Vanhoef called the attack “exceptionally devastating” to such devices in his research paper. About a third of Android phones in circulation are known to be vulnerable, according to the most recent Android developer data. But more at risk are the millions of vulnerable Internet of Things wireless devices that consumers own, many of which don’t have the ability to get software updates over a wireless network.

One vulnerability at issue, according to Vanhoef’s research, is the random number generation in “group keys” — encryption keys shared on WPA and WPA2 wireless networks. The security of such keys relies on how random those numbers are, but Vanhoef’s findings suggest they may not be random enough — to the point that predicting them may be possible. By inundating a wireless network with authentication handshakes, Vanhoef’s research shows it’s possible to figure out a 128-bit WPA2 key, through sheer volume of random number collection. Then that key can be used in a certain way on the network so that it subverts the encryption in place, giving the attacker access to all the data passing through the network.

And on older Android phones, the attack is much simpler, White said: by repeatedly replaying one of the messages in the Wi-Fi handshake, the attacker can force a special code called a “nonce” to be reused. Once that’s done, it is possible to decrypt network packets. On Android, a common piece of Linux code is used, which makes decryption much easier to accomplish, White explained: it can take only seconds.

The findings of the research will be discussed in a talk at the ACM Conference on Computer and Communications Security in Dallas, Texas, on November 1, while related research was presented last August at the Black Hat Security Conference in Las Vegas. By then, hopefully, most vendors will have already issued a software update addressing the attack. But whether most people actually make the effort to update their wireless devices — or whether they’re even able to update them in the first place — remains the perennial security issue.

Source: BuzzFeed, “A New Severe Security Flaw Could Leave Your Wi-Fi Open To Snooping”
