EVERY Wireless Network Vulnerable!

Fundamental flaw in WPA/WPA2 handshake... Time to pull the rest on my CAT6

Every Wi-Fi network at risk of unprecedented 'Krack' hacking attack

"The vulnerability is the first to be found in the modern encryption techniques that have been used to secure Wi-Fi networks for the last 14 years.

In theory, it allows an attacker within range of a Wi-Fi network to inject computer viruses into internet networks, and read communications like passwords, credit card numbers and photos sent over the internet.

The so-called “Krack” attack has been described as a “fundamental flaw” in wireless security techniques by experts. Apple, Android and Windows software are all susceptible to some version of the vulnerability, which is not fixed by changing Wi-Fi passwords.​

“It seems to affect all Wi-Fi networks, it’s a fundamental flaw in the underlying protocol, even if you’ve done everything right [your security] is broken,” said Alan Woodward of the University of Surrey’s Centre for Cyber Security.

“[It means] you can’t trust your network, you can’t assume that what’s going between your PC and router is secure.”

Most modern Wi-Fi networks have their traffic encrypted by a protocol known as WPA or WPA-2, which has existed since 2003 and until now has never been broken. This protects data as it travels from a computer or smartphone to a router, stopping hackers and spies from monitoring networks or injecting malicious code into the transfer.

Connecting to a secure network involves a four-way “handshake” between a device and a router to ensure that nobody else can decrypt the traffic. Researcher Mathy Vanhoef of the University of Leuven in Belgium found a way to install a new “key” used to encrypt the communications onto the network, allowing a hacker to gain access to the data. This could involve passwords, credit card numbers, photos and messages sent over a network to be stolen, or cyber attacks to be inserted into the traffic.

The attack cannot be carried out remotely, an attacker would have to be in range of a Wi-Fi network to carry it out. It would also not work on secured websites - those that use https at the start of their web address instead of http.

Prof Woodward said that the only way to fix the flaw would be to manually replace or patch every router in people’s homes. He said that while the attack was not technically easy, tools would soon spring up allowing criminals to carry out the attack."

 

Encryption flaws should be fixable via software, such as adding a WPA3 that isn't vulnerable. The fix needs to be at the router and all clients. I'll be checking daily for router and OS patches. I can't get everything off the wireless network, though, even with completing my CAT6 runs. I'm considering a second router - one just for devices that can't be patched like TV's on a separate IP address that's isolated from my non-entertainment network.

 

Damn! Well, if this Belgium guy can do it then the hackers are doing it and doing it now... I am not sure what to do in the interim...if there is anything that can be done except wait for the patches to the routers. I just got this new Hughes Net installed also...dammit.
The problem is not so much fixing the clients (include patch in updates) but I wonder about fixing the routers - meaning - will people have to be involved to update them and if so then it will turn into a real mess. This is really serious... Thanks 3M-TA3 and please keep us posted if you hear anything. I will be listening and watching too but I have seen nothing yet on the news sites.

 

Spent last weekend under my truck, looks like I'm going to be spending time under my house installing CAT6 to every device including TV's and other devices that don't move and have network jacks. I'm going to move my guest network to my backup router and configure per @BTPost above.

 

Whew! The scope of this is massive! Almost every home is using WiFi... I suppose some of companies that have access or control of the WiFi routers (Verizon, HughesNet, etc.) will be able to upgrade them via a broadcast but still the local user will have to get into them and set them to use WPA3 not such a big problem for me but I can see it will definitely be a huge mess for the majority of the folks (like many of my neighbors). I hope they are paying these WPA3 developers overtime cause we need it now...hopefully it is not totally different code for type of router, I doubt it.

 

Lots of companies use mobile computing on campus like hospitals and clinics. These people are going to have a much harder time protecting their vulnerabilities.

 

It's tough because we need to kill the vulnerability NOW, but at the same time need to ensure that there aren't unintended consequences like introducing new vulnerabilities on either end. I expect the engineers will be getting a LOT of overtime. Sucks because most of them are salaried so hopefully will get commensurate bonuses.

 

Good Job! Once I saw what Router OS would do, my Ciscoo days were over.
I feed a MikroTik RB750 from the fiber router supplied by the telco. That feeds a subnet that has a MikroTik 2.4 gig radio for the wireless. Anything such as a webserver goes out through the NAT on a forwarded port, and not the "factory" port for the device.
As a side note, run Torch under "tools" and look how many devices "phone home". I have anything below port 80 disabled. Chinese IP cameras are notorious for this.
In-network VPNs are your friend as well.

 

Patches are coming out, but it's going to be a constant game of hack, detect, patch, hack, etc.. Best to configure your network as has been suggested above because we never know when our pants are down our ankles or not anymore