Wi-Fi flaw could leave your router wide open to attack

The warning issued is stark, saying that nearly all implementations are affected.

The research paper can be downloaded here (PDF); additional information on the vulnerability and the researchers is available on the Krack Attacks website. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven and imec-DistriNet, Maliheh Shirvanian and Nitesh Saxena of the University of Alabama at Birmingham, Yong Li of Huawei Technologies in Düsseldorf, Germany, and Sven Schäge of Ruhr-Universität Bochum in Germany.

"Free Software community has a wide range of networking software that enables manipulation of Wi-Fi traffic".

An attacker can force these nonce resets by collecting and replaying retransmissions of message three of the 4-way handshake.

Attackers create a script that finds a WPA2 network, then make a carbon copy of it and change the WiFi channel.

Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks. Each time the client receives message three, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. "Essentially, to guarantee security, a key should only be installed and used once."
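Why a reset transmit nonce matters, and what the client-side fix looks like, as an added example that is not code from the researchers or any vendor. The `Client` class, the SHA-256 keystream standing in for the real WPA2 cipher, and the sample frames are all assumptions made for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream (assumption: SHA-256 stands in for the real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's key-installation logic."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0
        self.used = []          # every (key, nonce) pair used to encrypt a frame

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying the key that is
        # already installed must not reset the transmit counter.
        if self.patched and key == self.key:
            return
        self.key, self.tx_nonce = key, 0   # (re)install key, counter restarts

    def send(self, plaintext: bytes) -> bytes:
        self.tx_nonce += 1
        self.used.append((self.key, self.tx_nonce))
        return xor(plaintext, keystream(self.key, self.tx_nonce, len(plaintext)))

def nonce_reused(client: Client) -> bool:
    """Detection check: has any (key, nonce) pair encrypted more than one frame?"""
    return len(set(client.used)) != len(client.used)

# Constructed sample data, not captured traffic.
KEY, P1, P2 = b"constructed-session-key", b"frame one data", b"frame two data"

def run(patched: bool):
    c = Client(patched)
    c.on_message3(KEY)
    c1 = c.send(P1)
    c.on_message3(KEY)        # message 3 arrives again (retransmission)
    c2 = c.send(P2)
    return nonce_reused(c), xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", run(False))   # (True, True)
    print("patched:  ", run(True))    # (False, False)
```

The second value in each result shows whether the two ciphertexts XOR to the XOR of the two plaintexts, which happens only when both frames were encrypted under the same key and nonce.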

In the attack the encryption of a WPA2 connection is simply bypassed.

The main flaw the researchers discovered affects the key, and is achieved by "manipulating and replaying cryptographic handshake messages". The attack includes, but is not limited to, recovering login credentials (i.e., email addresses and passwords).

The vulnerability allows criminals to hack into a password-protected network.

However, sites without HTTPS should probably be considered insecure: any data going to them across a Wi-Fi connection lacks the additional encryption and is likely open to interception.

US-CERT (Computer Emergency Readiness Team) has already issued an advisory that warns: "US-CERT has become aware of several key management vulnerabilities in the four-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol".

It's worth noting that for hackers to exploit the vulnerability they need to be in close proximity to the Wi-Fi connection they're targeting, though some connections have pretty strong signals, meaning a hacker could theoretically access your Wi-Fi connection from across the road or from a neighbouring house.

If you're anxious about your security, various solutions can help you mitigate the problem while you wait for hardware companies to update router firmware. However, older devices do not get the latest security updates anymore and are likely to be vulnerable. "Here, they may go through the same procedure; too many people never check or implement router updates as it's something often too complicated for the home user to be involved in".
