1. Home
  2. Forums Index
  3. Browser Side / Smartphone, Wireless, and Mobile Technologies 11:48 pm May 20, 2026

Forum Moderators: bakedjake

Message Too Old, No Replies

High Severity WPA2 WiFi Vulnerabilities, Dubbed KRACK, Key Reinstalltion Attacks

         

engine

10:36 am on Oct 16, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



WPA2 wireless access points might be a bigger risk to use following proof of concept research that could mean that many access points remain vulnerable for a very long time after a fix is released.

Researchers indicated that a KRACK attack exploits a four-way handshake that is used to establish an encryption key. At the third point of the process the key can be sent multiple times. Under certain circumstances a cryptographic hack can re-use the key in a way that will undermine the encryption.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time.High Severity WPA2 WiFi Vulnerabilities, Dubbed KRACK, Key Reinstalltion Attacks [arstechnica.com]


More information at [krackattacks.com...]

[kb.cert.org...]

engine

4:19 pm on Oct 16, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Update: It appears that Microsoft has already fixed this on its systems, and the automatic update will "push it" to devices.
Google says it has a fix, but patches won't be issued until November 6 for its own devices. Anyone else with Android is probably way behind the curve.
Linux is also affected, but no updates are currently known as of now, and Apple has not yet confirmed if it is vulnerable.

Here's an update from the WiFI alliance, which wants to assure people that there's no evidence of this in the wild.
[wi-fi.org...]

iamlost

5:00 pm on Oct 16, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Fascinating easy read:

Instead, I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?

Falling through the KRACKs [blog.cryptographyengineering.com] by Matthew Green, 16-October-2017.


RE: Linux mitigation and patches...
* DSA-3999-1 wpa -- security update [debian.org]
* WPA packet number reuse with replayed messages and key reinstallation [w1.fi] (Note: txt file)

keyplyr

6:05 pm on Oct 16, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So on my Android phone I won't use public WiFi until after Nov 6 I guess. That's not much of an issue. My mobile network 4g Lite is nearly as fast and I have unlimited bandwidth.

engine

8:19 pm on Oct 16, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



That's only Google's Pixel phones from November 6 when they push the updates. Many handset makers are way behind on updates, and far too slow, imho.

keyplyr

8:34 pm on Oct 16, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Home & office I use my biz WiFi account from Cox ISP. When I get over there, I'll check to see if there's a WPA2 update on my router. I've installed updates before.

motorhaven

10:24 pm on Oct 16, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



DD-WRT pushed out an update last week containing a fix. I believe Microsoft's started pushing out around the same time. One of our routers here doesn't have an update, probably never will, but this attack can be mitigated by either the client or the router. Best to make sure your client devices have the fix so you're good no matter what you connect to.

henry0

5:45 am on Oct 17, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



@Keyply, I never used my droid on any public NW.
However if needed for my devices I use the marvelous little thing known as "BiteBird" with which one I can connect all over the world.

keyplyr

5:50 am on Oct 17, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



henry0 - thanks for the recomendation. I use a different VPN that does the same thing.

bill

8:11 am on Oct 17, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm glad this one isn't something that can be taken advantage of remotely. An attacker would have to be in WiFi range of your device to do anything.

Then, if you've got all your traffic encrypted Krack isn't going to be able to do much. Run everything thru a VPN, HTTPS, SSH and you'll be safer.

The biggest PITA of this whole thing is Android devices. It's going to take forever to get these things up-to-date, if patches are ever issued for some hardware. I'm not as concerned about my own devices as I am about other people's.

keyplyr

8:26 am on Oct 17, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No updates ready for my Cox router.
No updates ready for my Samsung TV
And nothing for my Android devices either.

Well that's reassuring. Glad to see they're on top of things.

MayankParmar

2:20 pm on Oct 18, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



My Windows Phone and PC updated with the fix on October 10.

The world needs to ditch Android.

keyplyr

5:49 pm on Oct 18, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ha... the world IS ditching the windows phones.

[webmasterworld.com...]
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Browser Side / Smartphone, Wireless, and Mobile Technologies 11:48 pm May 20, 2026