Articles Featured
KRACK Attack: Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
October 17, 2017
0
, , , ,

We are all exposed to the Krack Wi-Fi security vulnerability—a flaw that puts any person using wireless internet at risk of being hacked.

The Krack security exploit was discovered by Mathy Vanhoef, a cybersecurity expert at Belgian university KU Leuven, who will present his research at the Computer and Communications Security (CCS) conference later this month.

“We discovered serious weaknesses in WPA2, a protocol that secures all modern protected WiFi networks,” Vanhoef wrote in a blogpost describing the vulnerability. “An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.”

“This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES.”

 

Multiple Cisco wireless products are affected by these vulnerabilities

In a statement, today Cisco acknowledged multiple wireless products are affected by these vulnerabilities and said it will release software updates to address these vulnerabilities. There is a workaround that addresses the vulnerability in CVE-2017-13082. There are no workarounds that address the other vulnerabilities described in this advisory.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Apple also claims to have fixed the issue in certain versions of its operating systems, including iOS used on iPhones and watch OS used on the Apple Watch, and macOS used on Apple Macs. The patches, however, are mostly available only for trial versions of the software and therefore are available only for developers.

 “Microsoft released security updates on October 19 and customers who have Windows Update enabled and applied the security updates are protected automatically,” the company said in a statement. “We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

 

Google has yet to issue any fixes for the Krack attack method, saying in a statement on Monday that it is working on ways to resolve it.

A research paper with the title of “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. Additional research also led to the discovery of three additional vulnerabilities (not discussed in the original paper) affecting wireless supplicant supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. The three additional vulnerabilities could also allow the reinstallation of a pairwise key, group key, or integrity group key.

About author

Ibrahim Sajid Malick

Related items

/ You may check this items as well

ubiquity of simply anonymized mobility datasets and are giving room to privacy concerns.

Privacy: Can WiFi data be anonymous?

We are all exposed to the Krack Wi-Fi security vul...

Read more

‘My God, it’s better’: Emma can write again thanks to a prototype watch, raising hope for Parkinson’s disease – Transform

Microsoft researcher Haiyan Zhang created a watch ...

Read more
Homeland Security is using FireEye Cyber Threat map?

Priceless Product Placement of FireEye Cyber Threat Map

It appears Department of Homeland Security has put...

Read more

There are 0 comments

Leave a Reply

Your email address will not be published. Required fields are marked *