• Legacy
  • Academy
  • Business
  • PayTech
  • Ignite
  • Cellcos
  • Wired
  • CovidTech
  • Library
  • Touch Base
Subscribe
CW Pakistan

Computerworld Pakistan

CW Pakistan
  • Legacy
  • Academy
  • Business
  • PayTech
  • Ignite
  • Cellcos
  • Wired
  • CovidTech
  • Library
  • Touch Base
  • Business

KRACK: Researcher Discovers Flaws In WPA2 Authentication

  • October 18, 2017
  • Content Desk
Total
0
Shares
0
0
0

KRACK: Researcher Discovers Flaws In WPA2 Authentication

A researcher has released details on vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol, which he calls KRACK. Attacks taking advantage of the issues that makeup KRACK will work against all modern protected Wi-Fi networks. To put it another way, if a given device supports Wi-Fi it is likely impacted by the KRACK vulnerabilities. This is because the weaknesses are in the Wi-Fi standard itself, not in a given product or implementation.

Details of the problems with WPA2 were revealed on Monday morning by Mathy Vanhoef, a researcher studying at Katholieke Universiteit Leuven (KU Leuven) with the imec-DistriNet Research Group. Several months ago, in a brief to those impacted the most, US-CERT described the disclosure as such:

“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others…”

The brief goes on to say that since the vulnerabilities are protocol-level issues,

“most or all correct implementations of the standard will be affected.”

A draft version of the paper being presented Monday, later officially released by Vanhoef after it was leaked, says the KRACK attack “abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use-key.”

“Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” explains a post on the website Vanhoef developed to disclose KRACK.

Today’s AI is already a reality and full of opportunities to enrich and improve human lives.

Again, as the notice by US-CERT pointed out, KRACK isn’t just about compromising login credentials. There are layers of risk and potential damage when it comes to attacks on WPA2 with KRACK. However, it’s important to note that the main attack is against the 4-way handshake, so it’s going after the client – not access points. Also, it’s important to remember that KRACK doesn’t render the mathematics used to prove the security of the 4-way handshake useless. As a proof-of-concept, Vanhoef released a video of a KRACK attack against Android, noting that such attacks are devastating against Linux and Android versions 6.0 or higher.

What you should do about KRACK:

For home users:

Update your clients (phones and laptops), and contact your ISP to see if the gear needs an update. At no time should you stop using WPA2.

For those working in the office:

Vanhoef suggested disabling client functionality on routers and access points, and disabling 802.11r.

Please note, during his research Vanhoef discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others were all vulnerable to some variation of a KRACK attack.

However, iOS and Windows are not vulnerable to the key reinstallation attack. At the same time, both are still vulnerable to attacks against the group key handshake, and both could be indirectly attacked via the key reinstallation attack if it targets the AP (both support 802.11r).

The following CVE-IDs are related to the issue, at the time this story was posted, none of them were updated with additional information:

CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088

Please note: While the KRACKen has been released, this story is developing. According to Vanhoef 41-percent of Android devices are vulnerable to KRACK attacks. That number is closer to 50-percent considering the data available on the Android Developer’s website on October 16.

In the time between writing the paper and disclosure, Vanhoef says attacks against macOS and OpenBSD have become easier.

Update: Aruba Networks has released updates to address KRACK vulnerabilities. They’ve also published an FAQ for customers. In addition Cisco has also published information for customers. US-CERT has a list of affected vendors on it’s advisory.

CSO will update it with further information as details become available. We’ve reached out to several vendors and ISPs, and will share their comments once they respond.

This article originally appeared on the IDG Network by Steve Ragan. 

Total
0
Shares
Share 0
Tweet 0
Pin it 0
Related Topics
  • Android
  • Apple
  • CISCO
  • iOS
  • KRACK
  • macOS
  • the Wi-Fi Protected Access II
  • Windows
  • WPA2
Content Desk

Previous Article
  • Computerworld

Chairman PTA Announces 5G Trial Licensing in Pakistan

  • October 18, 2017
  • Content Desk
View Post
Next Article
  • Computerworld

Mobilizing Blue Collar Workforce: JazzCash Collaborates with Fori Mazdoori

  • October 19, 2017
  • Content Desk
View Post
You May Also Like
View Post
  • Business
  • Wired

Flat-lining ICT exports

  • Sub Editor
  • January 26, 2023
View Post
  • Business
  • Wired

All You Need to Know About Pakistan’s Influencer Industry – Walee Pak Influencer Industry Insights Report 2021-22

  • Sub Editor
  • January 24, 2023
View Post
  • Business
  • Wired

The fastest growing jobs in Pakistan right now

  • Sub Editor
  • January 20, 2023
View Post
  • Business
  • Wired

SBP makes it easier for IT exporters to increase their income

  • Sub Editor
  • January 15, 2023
View Post
  • Business
  • Cellcos

Annual Report on Cybersecurity 2022 by PTA

  • Sub Editor
  • January 11, 2023
View Post
  • Business
  • PayTech

Businessmen in Islamabad want investors to turn profits into cryptocurrency assets.

  • Sub Editor
  • January 6, 2023
View Post
  • Business

Researchers developed a risky quantum decryption technique.

  • Sub Editor
  • December 23, 2022
View Post
  • Business
  • Wired

Zong 4G, Hands Pakistan Partner with Parks & Horticulture Authority to Develop Urban Forest in Multan

  • Sub Editor
  • December 13, 2022
View Post
  • Business

Jazz Signs Agreement: Garaj For Cloud Services

  • Sub Editor
  • December 3, 2022
View Post
  • Business

A Look At Karachi Qualifying Round Of Digital Pakistan Cyber Security Hackathon 2022 By Ignite

  • Sub Editor
  • December 2, 2022
View Post
  • Business

Sen. Senate: Google Will Soon Start Doing Business in Pakistan.

  • Sub Editor
  • November 24, 2022
View Post
  • Business

PTA Grants IoT Licences To Two Fresh Businesses

  • Sub Editor
  • November 10, 2022
View Post
  • Business
  • Wired

Pakistan at 75: LSE Summit in 2022

  • Sub Editor
  • October 28, 2022
View Post
  • Business

SECP Fixes Massive Data Leak Of Registered Company Information

  • webdesk
  • September 13, 2022
View Post
  • Business

Massive Data Breach The EDF Website of the Commerce Ministry

  • webdesk
  • September 1, 2022
View Post
  • Business

PTA Offers Two Local Businesses LDI Licenses

  • webdesk
  • August 2, 2022
View Post
  • Business

Permitting WeChat Service: SECP Says Go!

  • webdesk
  • August 2, 2022
View Post
  • Business

SBP Management Attends OICCI Interactive Meeting With Members To Allay Concerns

  • webdesk
  • August 2, 2022
View Post
  • Business

SECP To Introduce Companies for Digital Asset Management

  • webdesk
  • August 1, 2022
View Post
  • Business

STZA Signs Letter Of Intent with China’s SEDA To Further Technical Collaboration

  • webdesk
  • August 1, 2022

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

about
About
Launched in 1967 internationally, Computerworld Magazine is the oldest tech magazine/media property brand in the world. Today Computerworld (abbreviated as CW) is an ongoing decades old professional publication which in 2014 "went digital”. In Pakistan Computerworld was launched in 1995. Initially providing news to IT executives only, once CIO Pakistan from the same family launched, and took over the domain, CW Pakistan has slowly emerged as a holistic technology news platform reporting everything tech in the country. It remains the oldest running continuous IT media publishing platform in the country and approaching 3 decades of existence, it has been the industry’s biggest benchmark and hopes to continue for years to come.
Read more
Explore Computerworld Sites Globally
  • ComputerWorld.es
  • computerworld.com.pt
  • Computerworld.com
  • cw.no
  • computerworldmexico.com.mx
  • computerwoche.de
  • computersweden.idg.se
  • computerworld.hu
  • cwi.it
  • project.nikkeibp.co.jp
Content from other IDG brands
  • PCWorld
  • Macworld
  • Infoworld
  • TechHive
  • GameStar
  • Network world
CW Pakistan
  • CWPK
  • CXO
  • WALLET
  • Demo
CW Media & all its sub brands are copyrighted to SPIN-IDG Wakhan Media Inc., the publishing arm of NCC-RP Group. Site is designed by Crunch Collective ©️ 2022

Input your search keywords and press Enter.