All your WIFI are belong to us: Major vulnerability in WPA2 to be released
MPG has long advised wired internet for performance reasons, as well as advising against public WiFi locations.
WiFi is apparently vulnerable to a complete loss of security.
For the techie, emphasis added:
Key Reinstallation A acks: Forcing Nonce Reuse in WPA2
We introduce the key reinstallation attack. This attack abuses design or implementation aws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are a ected by the attack.
Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
All Wi-Fi clients we tested were vulnerable to our attack against the group key handshake. This enables an adversary to replay broadcast and multicast frames. When the 4-way or fast BSS tran- sition handshake is attacked, the precise impact depends on the data-confidentiality protocol being used. In all cases though, it is possible to decrypt frames and thus hijack TCP connections. This enables the injection of data into unencrypted HTTP connections. Moreover, against Android 6.0 our attack triggered the installation of an all-zero key, completely voiding any security guarantees.
Rather worryingly, our key reinstallation attack even occurs spontaneously if certain handshake messages are lost due to back- ground noise. This means that under certain conditions, implementations are reusing nonces without an adversary being present.
Less technical, from an email I received from EasyDNS.com:
WPA2, the encryption algorithm in use today on nearly all WIFI access points has been discovered to have a major security flaw which renders them hackable.
The upshot is that attackers will be able to read all data traversing the WIFI access point (another reason to use VPN sessions to further encrypt your data before it flows over the air). Security researchers will release their findings at Computer and Communications Security (CCS) on November 1, 2017. My understanding of this so far is that once the paper drops and the inevitable exploits follow, both the access point and the clients will need vendor patching to be secure. Think “heart bleed” to the exponent “shell shock”.
Security researchers will release their findings at Computer and Communications Security (CCS) on November 1, 2017. My understanding of this so far is that once the paper drops and the inevitable exploits follow, both the access point and the clients will need vendor patching to be secure. Think “heart bleed” to the exponent “shell shock”.
MPG: every iPhone and iPad and laptop and similar user relying on WiFi should take pause, particularly at public WiFi access points that might not get patched (remember Equifax screw-up? No need to remember, it is now at present a worse screwup).
Don H writes that Apple already has a patch, albeit only in beta versions of macOS and iOS. The claims in that link are that once the iPhone/iPad/Mac are patched that they will be safe to use anywhere. Kudos to Apple for rolling this out quickly (assuming that happens).
This site and diglloyd.com use https which and as far as I understand it protects user data, but that is not a statement of fact, only what I believe is correct, having worked with encryption as an engineer for some years.
It might be a discard your WiFi routers and get secure ones, if they cannot be updated to address the flaw.
WPA2: Broken with KRACK. What now?