Monday, October 16, 2017

Oh great. WiFi security is pretty broken

This seems pretty bad:
This is my interpretation of the KRACK attacks paper that describes a way of decrypting encrypted WiFi traffic with an active attack.

tl;dr: Wow. Everyone needs to be afraid. It means in practice, attackers can decrypt a lot of wifi traffic, with varying levels of difficulty depending on your precise network setup. My post last July about the DEF CON network being safe was in error.

Details

This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug).

When a client connects to the network, the access-point will at some point send a random key to use for encryption. Because this packet may be lost in transmission, it can be repeated many times.

What the hacker does is just repeatedly send this packet, potentially hours later. Each time it does so, it resets the "keystream" back to the starting conditions. The obvious patch that device vendors will make is to only accept the first such packet it receives and ignore all the duplicates.

This affects everything that has WiFi, which these days means just about everything.  There is a tool in circulation to exploit this.
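
The keystream reset described above, and the fix of ignoring duplicates, shown as an added example that is not from the original post or the KRACK paper. It is a toy Python model in which an HMAC-based keystream stands in for the real WiFi cipher; the `Client` class, its `ignore_duplicates` flag, and the sample key and messages are all constructed for illustration.

```python
import hashlib
import hmac

def keystream(key, counter, length):
    """Toy stand-in for the real cipher: output depends only on (key, counter)."""
    out, block = b"", 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client model; ignore_duplicates=True is the patched behaviour."""
    def __init__(self, ignore_duplicates):
        self.ignore_duplicates = ignore_duplicates
        self.key = None
        self.counter = 0

    def receive_key_packet(self, key):
        if self.ignore_duplicates and key == self.key:
            return  # the fix: a repeat of the already-installed key changes nothing
        self.key = key
        self.counter = 0  # installing a key restarts the keystream

    def encrypt(self, plaintext):
        self.counter += 1
        ks = keystream(self.key, self.counter, len(plaintext))
        return self.counter, xor(plaintext, ks)

def run_session(ignore_duplicates):
    """Encrypt two frames with the same key packet delivered twice in between."""
    key = bytes(range(32))  # constructed sample key
    client = Client(ignore_duplicates)
    client.receive_key_packet(key)
    first = client.encrypt(b"GET /inbox HTTP/1.1")   # constructed sample frame
    client.receive_key_packet(key)                   # duplicate of the key packet
    second = client.encrypt(b"password=hunter2!!!")  # constructed sample frame
    return first, second

def counters_reused(frames):
    """Defender's check: any repeated counter means keystream was reused."""
    counters = [c for c, _ in frames]
    return len(counters) != len(set(counters))
```

When the counter repeats, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, which is why the reset matters even though the key itself is never revealed.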

The punchline is that I haven't heard of any patches being available for this.  I will let y'all know when they start coming out.

UPDATE 16 October 2017: 09:58: There's a great deal of practical information here:
  • www.krackattacks.com is now up!
  • Attacks against Android Phones are very easy! Oh dear 🙁 Best to turn off wifi on these devices until fixes are applied.
  • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly; the big problem is embedded devices, for which updates are slow / never coming.
  • For the very technical, the CVE list is at the bottom of this post.
  • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated.
Android phones get patched more slowly than iPhones do.  You should probably turn off WiFi on your Android phone until you get a patch.
