Wednesday, 18 October 2017

This Is One Smart Belgian

You'd kinda expect to hear more about this
The wi-fi connections of businesses and homes around the world are at risk, according to researchers who have revealed a major flaw dubbed Krack. It concerns an authentication system which is widely used to secure wireless connections. Experts said it could leave "the majority" of connections at risk until they are patched. The researchers added the attack method was "exceptionally devastating" for Android 6.0 or above and Linux
Presumably (if it's for real), the www & banking industries are in utter shock, as well they might be.  As well might we all.  As usual, the bigger the issue the less attention it gets...  

A sounds like a pretty thoroughgoing *patch* will be required.  A massive kick in the nuts for a priori reasoning about what's "mathematically proven" to be secure.  Safely encrypted?  In the real world, there's always a flaw!  No limits to human ingenuity - "what one man can invent, another can discover"  (S.Holmes, 1903).

It's worth taking a look at the lucid write-up** by Mathy Vanhoef, the bright Belgian who discovered the mighty cockup.  That is one articulate geek!  Beautiful prose on a complex topic in what, presumably, is not his mother tongue. The whole thing reads like the remarkable Enigma exploits of Turing, Tutte et al at Bletchley Park

If only all technical issues had such excellent advocates, eh?  (Bit of a coincidence, the timing of that cartoon).


** in the original version of this post I linked to Vanhoef's 'KrackAttack' website.  Subsequently, McAfee has started warning about that site!  Who knows what to think?!  But I've removed the link.  There are plenty of places around the www where you can read Vanhoef's fine prose.     


Matt said...

It's not great for WiFi networks although it seems the fix can be implemented client side so it's only 50% as bad as it could have been.

The banks won't care - over the top of the (encrypted) WiFi, the banking websites will use HTTPS (SSL/TLS) which will keep the traffic secure even if the WiFi is compromised.

Nick Drew said...

Matt, you doubtless understand this better than I but the write-up seemed to suggest HTTPS was compromised as well, in certain circumstances

Anonymous said...

KRACK doesn't disprove the mathematical basis of encryption, what it does is say if someone has the key they can decrypt. May as well state that locked doors are useless because keys can be copied - well, yes, but someone has to copy the key first... And KRACK makes the equivalent of key copying trivial.

Anyone trying to use the flaw also has to be in wireless range, so the damage is limited.

Plus, as Matt says, SSL mitigates most issues, and would only be circumvented if any attacker was also able to use SSLStrip.

Matt said...

If you can't join the WiFi network, then you can't implement MITM/proxy attacks against HTTPS (such as SSLstrip).

With KRACK you can inject packets into the (non-AES encrypted) WiFi network so these attacks become possible. On AES it seems you can only decrypt so it's only going to be a problem for connections that are not encrypted over the WiFi.

Even with the ability to inject packets, it still requires the server end to have been badly implemented and allow downgrade attacks or permit some content to be HTTP only (and so can present a 'fake' login dialogue for example).

If your bank does this, you have larger problems than your home WiFi being vulnerable to attack.

None of this is to say it's not a problem. It's just some perspective is needed. Yes, if you are on public WiFi you should be more careful but this was always the case.

At home, you are less likely to be targeted but it may happen. Be smart - don't use the same password for all sites as if one is transmitted in the clear it can be captured and used to log into your bank.

Also, don't post loads of personal details on social media (mother's maiden name, town of birth etc) where these are used as secondary authentication questions or for password recovery means.

Thud said...

Pretty sure with clear lines of sight I can shoot you before you get in range of my home wifi! a bit extreme I admit.

Nick Drew said...

KRACK doesn't disprove the mathematical basis of encryption

that much I get, anon: I know my maths - but it does reinforce the vital role Sod's Law plays in the real world of practical applications

(hence my reference to Bletchley Park: how many of their breakthroughs came from German lapses - of procedure or discipline - rather than technical flaws in Enigma or more pertinently 'Tunny' / Lorenz)

and I'm still impressed by matey and his Belgian reasoning!

Electro-Kevin said...


(Best campsite from that Turing Guide.)

Timbo614 said...

As I undrestand it there is no mathematical compromise entailed. The attack essentially exploits a vulnerability that has always been there. Essentially ANY/every client device that correctly follows the standard and it's reccomendations is vulnerable!

From reading here and there I gather that you do NOT have to replace/update your router in most cases but if you have "repeater" points - these will be affected too becuase it becomes a client in that situation.

so a short list as examples of client devices:

Laptops (Windows, MacOS, Linux etc.)
Phones (iOS, Android etc.)
Tablets (iPad, Microsoft Surface, Android etc.)
eReaders (Kindle, Nook etc.)
IOT devices
Internet Personal Assistants (Amazon Echo/Dot/Alexa, Google Home, Apple HomePod)
Home automation (door entry, lighting, HVAC, thermostats etc.)
Home entertainment (TVs, HiFi, games consoles, media servers)
Connected (Internet) appliances etc.
Wireless repeaters or bridges
A router using WiFi as its Internet connectivity source
WiFi-enabled IP Cameras (CCTV) or WiFi baby monitors
Connected motor vehicles (cars)
Any other client device using WPA2

to coin a phrase: Oh Sh*t!

Nick Drew said...

What about smart meters ?!?!

Matt said...

Smart meters are mobile not WiFi aren't they?