October 16th, 2017
The security protocol used to protect the vast majority of WiFi connections has been broken. This will expose wireless internet traffic to malicious attack, according to the researcher who discovered this weakness.
It doesn’t bode well that the mainstream media is also ignoring this problem completely, because it’s a very big deal. Anytime the mainstream media brushes something off, most people start asking questions. Unfortunately, none of the answers we have so far to those questions are of comfort.
Every single cellphone now has WiFi in it, so this major “weakness” could affect almost everyone. According to Ars Technica, researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that was scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, macOS, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices. The site warned attackers can exploit it to decrypt a wealth of sensitive data that’s normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol. –Ars Technica
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium, wrote. “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
Krack Attacks, the website, went on to warn that visiting only HTTPS-protected Web pages wasn’t automatically a remedy against the attack either. Because many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data, this is not a safer option. An attacker can use a script known as SSLstrip to force a site like match.com (a dating website) to downgrade a connection to HTTP. The attacker is then able to steal an account when the Android device logs in.
The video below shows how this weakness can be exploited on an Android device.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” the researchers explained. “For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
The main concern is that cell phones which have this weakness won’t get upgraded with the “patch” or the fix for this until they are discarded and new phones replace them. Virtually every cell phone out there has WiFi in it. Most are eventually orphaned by their manufacturers, receiving no future updates at all. These devices, along with nearly all “consumer” WiFi access points in homes and small businesses, will never be fixed and will always be open to attacks. In addition to the unavailability of a cell phone patch, the majority of consumer and small-business WiFi access points will never be patched either and could remain vulnerable for years, if not a decade or longer.
When something this disturbing is found, one often wonders if the process was corrupted either negligently or on purpose, especially considering this wasn’t found sooner.