ISDCF Forum

A public forum to discuss ISDCF topics.



#2035
WPA2 is the most common protocol used for protecting WiFi signals from being used by nefarious people for horrible things. As of 16 October, WPA – and all its variants of WPA1, WPA2, personal and enterprise, including with TKIP, AES and GCMP – is officially broken. Until repairs are made to all equipment involved in a WiFi network – that means equipment providing the signal and equipment using the signal – it is no longer a valuable security tool. The flaw is called KRACK = Key Reinstallation Attacks.

The entire world has been informed today about a flaw that was first written about in the security community in May of 2017. That means that hackers are now informed and tools are available for script kiddies to play around with. If you provide a WiFi Signal that the public can get to which also attaches to part of your network, be afraid. Turn it off until updates to the equipment you are using are made available and performed, or you become skilled in using other protocols (like VPN).

[If the iframe gets stripped, the video is at: <https://youtu.be/Oh4WURZoR98>]
The above video shows how a Man in the Middle attack is easily mounted against a user connected to the system, intercepting the data flow as if it weren't encrypted. Although a properly set up website with https (SSL) encryption will still hide a user's data, an improperly set up SSL site (estimated to be up to 20% of sites) will not protect the user.

It is possible that a user will go to a site, see that it is protected by the classic lock symbol appearing on the URL line of the browser, then get hacked while thinking they are securely passing credit cards, email addresses, passwords and other information. The video shows Match.co.uk being broken in this way.

The discoverer of the attack says in his paper that the problem is a weakness in the WiFi standard itself, not any particular product. See: Breaking WPA2 by forcing nonce reuse – https://www.krackattacks.com

This means that if WPA was implemented correctly as specified by chip manufacturers and the Wi-Fi consortium, then it is now broken. [And yes, it was a really silly flaw. The code checked that a process was done but allowed the handshake code to be sent again...hey...communication, it doesn't always work, right? OK; what if I send all zeros a 2nd time? Hey! I'm in!]

Updates will be required on all devices; routers, phones, portable computers, whether Android or Apple or Samsung or Cisco or Belkin or Linksys or Debian or Ubuntu or any of the suppliers of chips like Broadcom or ...well, everyone. There is a site tracking information on these companies: https://www.bleepingcomputer.com/news/s ... erability/

Other articles:
<https://www.schneier.com/blog/archives ... ttac.html>

<https://www.wordfence.com/blog/2017/10 ... gn=101617>

What is the good news? First, trusting a wifi network has always been hit or miss. A poorly set up system would allow me to break into your computer on the other side of the room...or at least have a chance of it. So, now more people will be wary.

Another good point is that equipment which does not get patches out quickly (I'm thinking of 3rd-party Android phones from smaller suppliers, for example) is going to be known for the bad actor that it is.

Finally, I suppose it will get more of us onto VPN, where a good tunnel still works. Yahoo! More things to know...

=-=-=
There is another crack that just hit the public as well, this one called ROCA.

ROCA has to do with a horror for the many corporations which have used a particular bed of generator numbers to fulfill the promise of randomness when generating public keys. Keywords: RSA keys, Infineon-developed RSA Library version v1.02.013, factorization

We all know public key encryption, yes? The attack is on public key encryption.

Too detailed to make a simple summary article. But it is a condemnation of keeping things hidden as a method for security – what's called "Security Through Obscurity". When open and public, we can all see if there are hooks for the bad guys or the government (redundant?), or just plain errors a lot sooner. Here is the detailed Ars Technica article about it:
Millions of high-security crypto keys crippled by newly discovered flaw <https://arstechnica.com/information-te ... nian-ids/>
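Added example, not part of the post above: a toy model of the "silly flaw" the post describes. The client side of the WPA2 4-way handshake installs the pairwise key when message 3 arrives and, in doing so, resets its packet number (the CCMP nonce) to zero; an unpatched client does this again on a retransmitted message 3, so two different frames get encrypted under the same key and nonce. The cipher here is a stand-in (HMAC-SHA256 in counter mode instead of CCMP's AES-CTR), the key and the two frames are constructed, and `Supplicant`/`krack_demo` are names chosen for this example; the nonce-reuse consequence is the same as for any counter-mode cipher.

```python
"""Toy model of the KRACK key-reinstallation bug (example code, not from the post)."""
import hashlib
import hmac


def keystream(tk, pn, length):
    """Counter-mode keystream from the temporal key and packet number.
    Stand-in for CCMP's AES-CTR: HMAC-SHA256 over (packet number, block index)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake, reduced to what KRACK abuses:
    installing the temporal key also resets the packet number (nonce) to zero."""

    def __init__(self, patched):
        self.patched = patched
        self.tk = None
        self.pn = 0

    def on_message3(self, tk):
        # Unpatched: every message 3, including a retransmission, reinstalls the
        # key and resets the nonce. Patched: install once, ignore repeats.
        if self.patched and self.tk is not None:
            return
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext):
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))


def krack_demo(patched):
    """Attacker drops message 4 so the AP retransmits message 3, then XORs two frames.
    Returns (pn of frame 1, pn of frame 2, attacker's guess for frame 2, real frame 2)."""
    tk = hashlib.sha256(b"constructed pairwise key").digest()  # constructed key
    known = b"GET /index.html HTTP/1.1\r\n"      # constructed: a frame the attacker can predict
    secret = b"Cookie: session=abcd1234\r\n"     # constructed: the frame the attacker wants
    assert len(known) == len(secret)

    client = Supplicant(patched)
    client.on_message3(tk)              # first message 3: key installed, pn = 0
    pn1, c1 = client.encrypt(known)
    client.on_message3(tk)              # retransmitted message 3 (message 4 never reached the AP)
    pn2, c2 = client.encrypt(secret)

    # With equal keystreams, c1 XOR c2 == known XOR secret, and known is known.
    guess = xor(xor(c1, c2), known)
    return pn1, pn2, guess, secret


if __name__ == "__main__":
    for patched in (False, True):
        pn1, pn2, guess, secret = krack_demo(patched)
        print(f"patched={patched}: pn1={pn1} pn2={pn2} recovered={guess == secret}")
```

Running it shows the unpatched client encrypting both frames at packet number 0 and the attacker recovering the second frame exactly; the patched client moves to packet number 1 and the XOR yields nothing useful. The real attack has further consequences the toy leaves out (replay of frames once the replay counter is reset, and stronger results against TKIP and GCMP), which is why the fix on the client side is "never reinstall an already-installed key" rather than anything about the cipher.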
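Added example for the ROCA part of the post (example code, not from the post or from the ROCA authors): the affected Infineon library generated primes of the form p = k·M + (65537^a mod M), where M is the product of the first n small primes (for 512-bit keys, the 39 primes up to 167). Because both primes have that shape, the public modulus N = p·q satisfies N ≡ 65537^(a+b) (mod M), so N mod p_i lies in the subgroup generated by 65537 for every small prime p_i dividing M. That is the published fingerprint, and it needs only the public key. The code below builds a toy 512-bit modulus with that structure, a normal one without it, and checks both; `make_modulus`, `has_roca_fingerprint` and the Miller-Rabin helper are names chosen here. The probability that an ordinary key matches the 39-prime fingerprint by chance is about 2^-154.

```python
"""Toy ROCA fingerprint check (example code, not from the post)."""
import random

GENERATOR = 65537  # fixed base in the Infineon prime structure p = k*M + (65537^a mod M)


def small_primes(limit):
    """All primes up to limit, by sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]


PRIMES = small_primes(167)          # the 39 primes whose product is M for 512-bit keys
M = 1
for _p in PRIMES:
    M *= _p


def subgroup(g, p):
    """{g^j mod p}: the residues a ROCA-shaped modulus can take modulo p."""
    seen, x = set(), 1
    while True:
        seen.add(x)
        x = x * g % p
        if x == 1:
            return seen


ALLOWED = {p: subgroup(GENERATOR % p, p) for p in PRIMES}


def has_roca_fingerprint(n):
    """True if n mod p_i is in <65537> for every small prime p_i dividing M."""
    return all(n % p in ALLOWED[p] for p in PRIMES)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with random bases; trial division by PRIMES first."""
    if n < 2:
        return False
    for p in PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_prime(bits, rng):
    """A `bits`-bit prime of the vulnerable shape k*M + (65537^a mod M)."""
    k_lo, k_hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    while True:
        k = rng.randrange(k_lo, k_hi)
        a = rng.randrange(1, M)
        p = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """An ordinary `bits`-bit prime with no special structure."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def make_modulus(bits, vulnerable, seed=None):
    """RSA modulus of `bits` bits from two primes, ROCA-shaped if `vulnerable`."""
    rng = random.Random(seed)
    gen = roca_prime if vulnerable else random_prime
    p = gen(bits // 2, rng)
    q = gen(bits // 2, rng)
    while q == p:
        q = gen(bits // 2, rng)
    return p * q


if __name__ == "__main__":
    for vulnerable in (True, False):
        n = make_modulus(512, vulnerable, seed=2017)
        print(f"structured={vulnerable}: fingerprint match={has_roca_fingerprint(n)}")
```

To test a real key, feed its modulus as an integer to `has_roca_fingerprint` (for example from `openssl rsa -pubin -in key.pem -noout -modulus`, parsing the hex). A match means the key can be factored far below its nominal strength and should be replaced; it says nothing about keys from other generators, which simply fail the fingerprint.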