Author Topic: Just When You Thought Internet Security Couldn't Get Any Worse  (Read 152 times)

ArnoldW2

  • Trusted Member
  • Guru
  • ******
  • Posts: 463
    • View Profile
Just When You Thought Internet Security Couldn't Get Any Worse
« on: October 17, 2017, 05:12:01 PM »

ALL wifi networks' are vulnerable to hacking, security expert discovers

The security protocol used to protect the vast majority of wifi connections has been broken, potentially exposing wireless internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.

Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2, and published details of the flaw.

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

https://www.krackattacks.com/

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2592
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #1 on: October 17, 2017, 08:14:12 PM »
Thanks, Arnold.

If I read the articles correctly, you're not vulnerable if you're using HTTPS over WPA2, but if you use WPA2 encryption only, you are vulnerable.

Time to update a lot of routers!

I wonder if the router vendors will be able to offer downloadable firmware updates to fix this, or whether the only option will be new routers?

Also, I wonder if WPA2 is fixable via a fix, or whether it will have to be junked and we go on to "WPA3" ?  The Guardian article seems to say that WPA2 is fixable via a fix.

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 21725
  • Gorn Classic, user of Gornix
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #2 on: October 17, 2017, 08:45:40 PM »
I skimmed a tiny bit of the Krack site's explanation. It's a man-in-the-middle attack and it relies on a predictable pattern of exchanging ciphers when setting up the connection.

My gut feeling is that such attacks will be unavoidable unless each end uses something similar to private/public key cryptography so that a middleman can't intercept states of the connection setup.

In other words each end of the connection will have to share some identity info in order to make the connection truly private.

Any such scheme as WPA that relies on dynamic setup of connections with unknown user hardware and firmware at each end will be vulnerable. They'll probably redesign the WPA protocol to avoid THIS attack but a new protocol will have its own weakness waiting to be exploited.

The only airtight fix to this I can think of is to make all users of wifi be known parties with their own crypto keys. There goes all possible anonymity. Even a Starbucks wifi will know who you are.  >:(
« Last Edit: October 17, 2017, 08:55:53 PM by The Gorn »
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2592
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #3 on: October 17, 2017, 08:56:19 PM »
Regarding my previous post, I read over the papers again and now understand --

1. No need for WPA3, WPA2 can be patched to fix this
2. Users need to update both their PC OS and router firmware to be safe (doing only one or the other leaves you vulnerable still)

Of course, in light of Gorn's post, all this fixes only the immediate vulnerability that has been discovered... which could only be the first of many.

unix

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 3370
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #4 on: October 18, 2017, 05:40:34 AM »
so when does the Android OS get a patch? Meaning Samsung in my case.
 
Brawndo. It's got what plants crave.

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 21725
  • Gorn Classic, user of Gornix
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #5 on: October 18, 2017, 06:17:35 AM »
Regarding my previous post, I read over the papers again and now understand --

1. No need for WPA3, WPA2 can be patched to fix this
2. Users need to update both their PC OS and router firmware to be safe (doing only one or the other leaves you vulnerable still)

Of course, in light of Gorn's post, all this fixes only the immediate vulnerability that has been discovered... which could only be the first of many.

I'm just voicing an opinion based on my own intuition of the process that's going on in wireless secured networks to create connections.

I say what I did because, after all, WPA was supposed to be secure and fairly bulletproof - the designers supposedly anticipated any possible hacks. Except they didn't.

I'm guessing that any revision of the protocols will have similar design oversights that may take years to uncover, just like this one. It's not like a mathematical proof of unhackability is possible.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2592
    • View Profile
Re: Just When You Thought Internet Security Couldn't Get Any Worse
« Reply #6 on: October 18, 2017, 10:38:37 AM »
I'm just voicing an opinion based on my own intuition of the process that's going on in wireless secured networks to create connections.

I understand. And I think you nailed it right on the head. I wouldn't be surprised at all if we see similar vulnerabilities exposed in the future.