Standard User micksharpe
(legend) Mon 16-Oct-17 14:07:17

WPA2 security handshake broken


 
BBC News: Wi-fi security flaw 'puts devices at risk of hacks'

The researchers added the attack method was "exceptionally devastating" for Android 6.0 or above and Linux.

Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse

'Sir, please,' she said ... 'Will you not share your wisdom with us?'
'I have no wisdom,' he told her.
'Your experiences, then?'
'They have been trivial, uninteresting, and full of error.'
Iain M. Banks -- Feersum Endjinn

Edited by micksharpe (Mon 16-Oct-17 14:07:37)

Standard User bobble_bob
(knowledge is power) Mon 16-Oct-17 17:17:17

Re: WPA2 security handshake broken


[re: micksharpe]
 
"The attacker has to be physically nearby and if there is encryption on the web browser, it is harder to exploit."


Encrypted web browser the same as encrypted connections to a website?
Standard User micksharpe
(legend) Mon 16-Oct-17 17:38:51

Re: WPA2 security handshake broken


[re: bobble_bob]
 
Yes. They are referring to HTTPS.




Standard User bobble_bob
(knowledge is power) Mon 16-Oct-17 17:45:36

Re: WPA2 security handshake broken


[re: micksharpe]
 
Well that helps a bit then.

We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release).


Why would the author release a proof of concept? This bug has presumably been around for years, and so far no evidence it has been exploited. So other than the author at the time no one knew about it, yet as soon as the proof of concept comes out everyone will know how it works. I get vendors need to know so they can release a patch, but there is no way every single device in the world will be patched so some will remain vulnerable.
Standard User micksharpe
(legend) Mon 16-Oct-17 18:28:28

Re: WPA2 security handshake broken


[re: bobble_bob]
 
In reply to a post by bobble_bob:
Why would the author release a proof of concept?
To force the industry to do something about it. Otherwise, they would just sit on their hands.

Standard User mHm
(newbie) Mon 16-Oct-17 23:19:15

Re: WPA2 security handshake broken


[re: bobble_bob]
 
Why would the author release a proof of concept? This bug has presumably been around for years, and so far no evidence it has been exploited. So other than the author at the time no one knew about it, yet as soon as the proof of concept comes out everyone will know how it works. I get vendors need to know so they can release a patch, but there is no way every single device in the world will be patched so some will remain vulnerable.


Looking at the original paper and the author's website about this, it would appear that vendors were informed as early as July 2017. (https://www.krackattacks.com/#faq)
Standard User billford
(elder) Tue 17-Oct-17 08:33:07

Re: WPA2 security handshake broken


[re: bobble_bob]
 
In reply to a post by micksharpe:
Yes. They are referring to HTTPS.
In reply to a post by bobble_bob:
Well that helps a bit then.
Not on this site it doesn't crazy

Bill
A level playing field is level in both directions.

Standard User ian72
(eat-sleep-adslguide) Tue 17-Oct-17 10:38:12

Re: WPA2 security handshake broken


[re: billford]
 
In reply to a post by billford:
In reply to a post by micksharpe:
Yes. They are referring to HTTPS.
In reply to a post by bobble_bob:
Well that helps a bit then.
Not on this site it doesn't crazy


Yes, I am very concerned that someone will see what I am doing on this site or get my username and password so that they can post things in my name. Keeps me awake at night wink

This is just a forum. If you don't use the same password here as on other sites then someone intercepting use of the forum isn't going to be able to do much harm.
Standard User billford
(elder) Tue 17-Oct-17 10:45:33

Re: WPA2 security handshake broken


[re: ian72]
 
In reply to a post by ian72:
Yes, I am very concerned that someone will see what I am doing on this site or get my username and password so that they can post things in my name. Keeps me awake at night wink
You miss the point.

It's not just your forum traffic that can be intercepted, it's all your wi-fi traffic for that session...

This site (and other non-https sites) simply provide an easier way in.


Edited by billford (Tue 17-Oct-17 10:49:10)

Standard User ian72
(eat-sleep-adslguide) Tue 17-Oct-17 10:51:14

Re: WPA2 security handshake broken


[re: billford]
 
No, I was responding to the concern you have about this site not being HTTPS (you used it as an example). This site not being HTTPS is not a big issue as it is very low risk. Sites that are higher risk have more reason to be HTTPS which would add another level of security over the transport medium. Personally I wouldn't use sensitive sites over the Internet at all without HTTPS as I treat the Internet as a completely untrusted network - irrespective of whether my WLAN is protected.

Edited by ian72 (Tue 17-Oct-17 10:52:11)
