Thanks for the heads up on that @AndreTen.
INTRODUCTION
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.
DEMONSTRATION
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:
Read more: KRACK Attacks: Breaking WPA2
Microsoft will be first to release patch: www.neowin.net | microsoft-already-has-a-fix-for-the-wpa2-vulnerability
Actually, we get loads of these scares.
To me, it is irresponsible journalism to publicise it in such a manner, as it becomes a self-fulfilling prophecy.
A couple of years ago, one of the new UK newspapers publicised a "new flash mob craze" concerning the authorities. As a result, flash mobs exploded in number!
There is no evidence, as far as I can tell, that the weakness has been hacked yet, but now the hackers know, and know where to look...
A more responsible article would say "Experts have identified a weakness and whilst we cannot provide details for security purposes, we have let appropriate authorities know. In the meantime we recommend you do X, Y, Z etc."
Of course, journalists never care about the fallout from their articles, so long as they sell papers, or get advertising revenue from extra clicks etc.
This is one of those stories that is going to get blown out of all proportion.
This is the author's own discovery... and he's hiding some crucial details for now, as far as I understand it.
There is no attack in the wild atm, so equipment manufacturers do have some time to develop solutions. And he is not selling new equipment, because new solutions are also affected by this (it's in the way the protocol works at the time of signing into the network).
Guessing is not productive here... But there are good reasons I can imagine (and what is wrong with $$$? The world is running on it).
If he publishes a paper (it is research work), I guess he is an academic and publishing is part of his life (cruel too).
It is good he revealed this vulnerability, no matter how much you or anybody else don't like it. Otherwise, once it's known (and someone would get to it), bad guy would find out and we won't...
Looks like first patches will be OS related.
neowin.net | microsoft-already-has-a-fix-for-the-wpa2-vulnerability?