On October 16, 2017, Mathy Vanhoef and Frank Piessens of imec-DistriNet published a paper detailing their discovery of security weaknesses in WPA2. WPA2 (Wi-Fi Protected Access II) is a widely used security protocol developed by the Wi-Fi Alliance to encrypt and secure the traffic on Wi-Fi connections between the Wi-Fi router and endpoints. WPA2 (and its earlier version, WPA) long ago replaced the predecessor WEP (Wired Equivalent Privacy) protocol because of serious security weaknesses in the latter.
Dubbed "KRACK" (key reinstallation attack), the vulnerability, if exploited, can allow an attacker to compromise a user's seemingly secure Wi-Fi connection and thus potentially steal sensitive information such as passwords or credit card details. We say "potentially" because most websites are now accessed over secure HTTPS connections, which encrypt the traffic between the user and the website independently of the Wi-Fi-level encryption between the user and the access point that WPA2 provides and that this attack renders ineffective. Nevertheless, there are still millions of websites that use the unencrypted HTTP protocol or that have an erroneous implementation of HTTPS, which leaves their users at risk.
"Whenever someone joins a Wi-Fi network, a 4-way handshake is executed to produce a fresh encryption key for all subsequent traffic. To guarantee security, a key should be installed and used only once. But by using the key reinstallation attack (KRACK), an attacker can trick a victim into reinstalling an already-in-use key allowing him to steal sensitive information or even, depending on the network configuration, inject malware into a website." [Source]
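To illustrate why a key "should be installed and used only once", here is an added example (not code from the original post or from the researchers): a toy Python model of a client that resets its transmit nonce every time the key delivered in handshake message 3 is installed, beside a variant that refuses to reinstall a key already in use. The hash-based keystream is an assumed stand-in for WPA2's real cipher, and all names, the key and the sample frames are constructed.

```python
import hashlib

P1 = b"constructed frame A"  # constructed sample plaintexts, equal length
P2 = b"constructed frame B"

def keystream(tk, nonce, length):
    """Stand-in for the real cipher: output depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy client that installs the session key when handshake message 3 arrives."""
    def __init__(self, patched):
        self.patched, self.tk, self.nonce = patched, None, 0

    def on_message3(self, tk):
        if self.patched and tk == self.tk:
            return              # key already in use: do not reinstall it
        self.tk = tk
        self.nonce = 0          # installing a key resets the transmit nonce

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.tk, self.nonce, len(plaintext)))

def run_session(patched):
    """Send one frame, receive a retransmitted message 3, send another frame."""
    tk = bytes(range(16))       # constructed sample key
    client = Client(patched)
    client.on_message3(tk)
    first = client.send(P1)
    client.on_message3(tk)      # same key delivered again
    second = client.send(P2)
    return [first, second]

def leaks_plaintext_xor(frames):
    """True when both frames used the same keystream, so c1 ^ c2 == p1 ^ p2."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        print(patched, [n for n, _ in frames], leaks_plaintext_xor(frames))
```

In the unpatched run both frames carry nonce 1 and share a keystream; in the patched run the counter keeps advancing and the two ciphertexts no longer reveal the XOR of the plaintexts.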
Mitigation and Vendors Information:
To mitigate the vulnerability, the OS must be patched (upgraded) to a version that fixes it. Vendors have already started developing and releasing patches for their Wi-Fi products. Below are a few links for the most common vendors:
A comprehensive list for all vendors can be found here.
Assigned CVEs:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Proof of Concept:
Below is a proof of concept of the KRACK attack against an Android smartphone. Additional information can be found at https://www.krackattacks.com/.
--
Elie Bassil
linkedin.com/in/eliebassil