This just hit the news today and is kind of a big deal that has quite a few people screaming bloody murder right now, and I figured you’d all like to hear about and discuss it here.
Paper (Source): https://papers.mathyvanhoef.com/ccs2017.pdf
ArsTechnica Article: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
TheVerge Article: https://www.theverge.com/2017/10/16/16481252/wi-fi-hack-attack-android-wpa-2-details
CNet Article: https://www.cnet.com/g00/news/krack-wi-fi-security-flaw-puts-all-wireless-devices-at-risk-of-hijack/
The Guardian Article: https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns
Topic Trending on Twitter: https://twitter.com/search?q=WPA2+Flaw
SNB Forums: https://www.snbforums.com/threads/security-wpa2-wi-fi-security-vulnerability-disclosed.41658/
4chan: https://boards.4chan.org/g/thread/62930716
That’s enough cited here. You can find hundreds of articles and forum threads just by googling the issue. Of course I’ve also found plenty of threads about it in hacking communities, scrambling to take advantage of this.
Reddit Discussions:
- /r/Technology: https://www.reddit.com/r/technology/comments/76o8zx/severe_flaw_in_wpa2_protocol_leaves_wifi_traffic/
- /r/Programming: https://www.reddit.com/r/programming/comments/76ohly/severe_flaw_in_wpa2_protocol_leaves_wifi_traffic/
- /r/Programming (another discussion): https://www.reddit.com/r/programming/comments/76pb94/krack_attacks_breaking_wpa2/
- /r/Privacy: https://www.reddit.com/r/privacy/comments/76oa2v/severe_flaw_in_wpa2_protocol_leaves_wifi_traffic/
- /r/Security: https://www.reddit.com/r/security/comments/76nb61/krack_attacks_on_wpa2_xpost_rnetsec/
- /r/Networking: https://www.reddit.com/r/networking/comments/76o6r7/psa_krack_attacks_wpa2/
- /r/NetSec: https://www.reddit.com/r/netsec/comments/76onkk/the_krack_attack_info_will_be_available_here/
- /r/NetSec (another discussion): https://www.reddit.com/r/netsec/comments/76ocy4/whats_wrong_with_wpa2_security_and_how_to_fix_it/
- /r/Tech: https://www.reddit.com/r/tech/comments/76qfd6/severe_wifi_security_flaw_puts_millions_of/
Hopefully router companies and open firmware groups are pushing out updates to handle this. It seems several have already handled it with the latest updates (usually info on big security issues like this is kept from the public until most companies have already fixed the issue, to keep as many hackers out of the loop as possible).
As an end user, probably the most you can do is be sure to keep your operating system, router, access-point, and wireless card firmware & drivers up to date, keep your VPNs on, and set your HTTPS Everywhere to block all unencrypted requests if you can.
But try not to freak out. Top comment in /r/Programming has a point:
So, in short:
- No, it’s not the death of WPA2.
- It can be fixed in a backward-compatible way.
- The main attack is a client vulnerability so you won’t need a new router to be safe.
Everyone, put down your pitchforks, calm down, and apt upgrade at your earliest convenience.
- Distribution security updates:
  - Archlinux: https://git.archlinux.org/svntogit/packages.git/log/trunk?h=packages/wpa_supplicant
  - Debian: https://lists.debian.org/debian-security-announce/2017/msg00261.html
Still, it’s really bad. Only power-users and people that really care about security and privacy are going to get those critical updates. Many networks are going to be wide open for attack now. I’d say most home networks, small businesses, and your local McDonalds and coffee shops will be.
Feel free to discuss and stay safe.