New Wireless Vulnerabilities: KRACK

A security researcher recently demonstrated that there are fundamental flaws in WPA2, the protocol that manages encryption for wireless connections. These flaws, if exploited properly, allow an attacker to see all the traffic passing between a target computer, phone, or smart device and its destination.

This attack is not easy to execute and is not yet being widely used, but it impacts any device that connects using WPA2, including phones, computers, and other devices such as wireless TVs, game consoles, Amazon Echo, etc.

How does this affect NYU?

We use Cisco equipment and have already enabled the recommended workaround. Patches will be applied as soon as they are available.

What can I do?

As always, the most important thing is to apply updates for your computer and mobile devices promptly. Last month’s Windows patch already included a fix for this vulnerability, and Apple released their fixes this week.

Vendors were informed of this vulnerability before it was made public and have been working on fixes. Here are some that have been released:

Can you explain the hack in more detail?

When an individual initially connects to Wi-Fi, before they visit any websites, their laptop or phone will do something called a four-way handshake. This is a process that checks that the password the user has provided is correct, and establishes the encrypted connection between the wireless router and the device. However, the researcher was able to show a way to interfere with that initial handshake between your device and the Wi-Fi router in a way that allows them to decrypt the traffic you exchange over Wi-Fi. In order for this to work, the attacker must be physically close to the victim.

Once the attack is successful, the hacker can do many malicious things, for example, inject malware into otherwise OK sites. Using other widely available tools, the hacker could also break web encryption, meaning that they would be able to see all of your sensitive traffic, including, for example, banking information or credit card transactions.

References:

Full explanation of vulnerability: https://www.krackattacks.com/

Vulnerability Notes DB: https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

List of updates available:

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it