Newly discovered Wi-Fi security protocol vulnerability leaves most consumers' traffic open to eavesdropping


The Wi-Fi Protected Access II protocol - the de facto standard for consumer Wi-Fi security - is vulnerable to an attack that allows malicious hackers to eavesdrop on Wi-Fi traffic.

The exploit is called KRACK, short for Key Reinstallation Attacks, and it works by manipulating the four-way handshake used to establish the key that encrypts traffic. The attack targets the third step of the handshake: because that message can be resent multiple times, resending it in a certain way makes the device reinstall the key and reuse a cryptographic nonce, so that the whole security operation is compromised.
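As an added illustration, not taken from the article, the following Python model shows why a retransmitted third handshake message matters when a station resets its packet number on reinstalling the key, and how refusing to reinstall an already-installed key avoids the nonce reuse. The keystream function is an HMAC-based stand-in for CCMP's AES counter mode, and the key and messages are constructed values.

```python
import hmac
import hashlib
from typing import Optional, Tuple

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream (HMAC-SHA256 in counter mode).
    The same key and packet number always produce the same keystream."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Minimal model of a station handling handshake message 3."""
    def __init__(self, patched: bool) -> None:
        self.patched = patched          # True: ignore reinstall of the same key
        self.key: Optional[bytes] = None
        self.packet_number = 0          # CCMP nonce counter, must never repeat per key

    def handle_message3(self, ptk: bytes) -> None:
        if self.patched and self.key == ptk:
            return                      # key already in use: keep the counter
        self.key = ptk                  # (re)install the key ...
        self.packet_number = 0          # ... and reset the nonce (the KRACK flaw)

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.key is not None
        pn = self.packet_number
        self.packet_number += 1
        return pn, xor_bytes(plaintext, keystream(self.key, pn, len(plaintext)))

def simulate(patched: bool) -> Tuple[bool, bool]:
    """Return (nonce_repeated, plaintext_xor_leaks) after a replayed message 3."""
    ptk = b"constructed-pairwise-transient-key"   # constructed session key
    pt1, pt2 = b"GET /index.html HTTP/1.1", b"Cookie: session=abc123; "
    station = Client(patched)
    station.handle_message3(ptk)        # first delivery of message 3
    pn1, ct1 = station.encrypt(pt1)
    station.handle_message3(ptk)        # retransmitted message 3
    pn2, ct2 = station.encrypt(pt2)
    # Identical keystreams make ct1 XOR ct2 equal pt1 XOR pt2: confidentiality
    # is lost even though the key itself is never recovered.
    leaks = xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)
    return pn1 == pn2, leaks

if __name__ == "__main__":
    print("vulnerable:", simulate(patched=False))  # (True, True)
    print("patched:   ", simulate(patched=True))   # (False, False)
```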


The research behind KRACK was kept secret in the weeks leading up to its scheduled public announcement at 8am ET on Monday.

Some companies like Aruba and Ubiquiti that sell wireless access points (WAPs) to the government and other large parties have already released updates that patch this vulnerability, but the overwhelming majority of WAPs will be patched much later, and many will not be patched at all.

This leaves plain HTTP website traffic exposed, but you can still have a secure browsing experience if you stick to HTTPS-only websites.

source: Ars Technica


2 Comments

1. Humphrey.One

Posts: 33; Member since: Nov 14, 2013

One more reason to get a VPN.

2. mikehunta727 unregistered

"In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted." Dang, it seems like Android is currently affected by it the worst. Nonetheless, this is crazy.
