It's time to get patching again. Another widespread vulnerability affecting practically everyone and everything that uses Wi-Fi was revealed on Monday, allowing hackers to decrypt and potentially look at everything people are doing online.
Researcher Mathy Vanhoef, from Belgian university KU Leuven, released information on his hack, dubbing it KRACK, for Key Reinstallation Attack. Vanhoef's description of the bug on his KRACK website is startling: "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
What's behind the vulnerability? It affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2), relied on by most Wi-Fi users to keep their web use hidden and secret from others. More specifically, the KRACK attack sees a hacker trick a victim into reinstalling an already-in-use key. Every key should be unique and not re-usable, but a flaw in WPA2 means a hacker can tweak and replay the "handshakes" carried out between Wi-Fi routers and devices connecting to them; during those handshakes, encryption keys made up of algorithmically-generated, one-time-use random numbers are created. It turns out that in WPA2, it's possible for an attacker to manipulate the handshakes so that the keys can be reused and messages silently intercepted.
The researchers, who said the attack was particularly severe for Android and Linux users, showed how devastating an attack could be in a demonstration video.
For those users whose routers, PCs and smartphones don't yet have updates, there are some measures they can take to protect their online privacy. Virtual Private Network (VPN) software could protect them, as it will encrypt all traffic. Only using HTTPS encrypted websites should also benefit the user, though there are exploits that can remove those protections. Changing the Wi-Fi password won't prevent attacks, but it's advisable once the router has been updated.
Vanhoef is promising more too. Though he admitted some of the KRACK attacks would be difficult to carry out, he's to release more information on how to make them significantly easier to execute, especially for Apple's macOS and the OpenBSD operating system.

_________________
Router: Asus RT-N18U (rev. A1)
May the Force and farces be with you! Live long and proper!
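
The key reinstallation described in the quoted article, as an added toy model (not code from the article, the researcher, or any router firmware): a client that reinstalls an in-use key when handshake message 3 is replayed, next to one that ignores the repeat. It goes beyond the article in assuming that installing a key restarts the per-frame nonce counter; the class, the sample key and the SHA-256 keystream are constructed stand-ins for WPA2's real cipher.

```python
import hashlib

KEY = b"constructed-session-key"  # constructed sample value

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_xor(key, pn, data):
    """Stand-in cipher (SHA-256 keystream); real WPA2 uses AES-CCMP."""
    stream = hashlib.sha256(key + pn.to_bytes(6, "big")).digest()
    return xor(data, stream)

class Supplicant:
    """Toy Wi-Fi client tracking the installed key and its packet number."""
    def __init__(self, patched):
        self.patched, self.key, self.pn = patched, None, 0

    def on_msg3(self, key):
        # Handshake message 3 may be retransmitted, so it can arrive twice.
        if self.patched and key == self.key:
            return  # fix: key already in use, leave the counter alone
        self.key, self.pn = key, 0  # (re)install: nonce counter restarts

    def send(self, plaintext):
        self.pn += 1
        return self.pn, keystream_xor(self.key, self.pn, plaintext)

def run(patched, events):
    """Replay events; return frames sent and nonces used more than once."""
    client, frames, seen, reused = Supplicant(patched), [], set(), []
    for kind, payload in events:
        if kind == "msg3":
            client.on_msg3(KEY)
            continue
        pn, ct = client.send(payload)
        if (client.key, pn) in seen:
            reused.append(pn)
        seen.add((client.key, pn))
        frames.append((pn, ct))
    return frames, reused

# Constructed trace: handshake, a frame, a replayed message 3, a frame.
EVENTS = [("msg3", None), ("data", b"first frame."),
          ("msg3", None), ("data", b"second frame")]

if __name__ == "__main__":
    for patched in (False, True):
        frames, reused = run(patched, EVENTS)
        print("patched" if patched else "vulnerable", "reused nonces:", reused)
```

In the unpatched run both frames are encrypted under the same key and nonce, so XORing the two ciphertexts gives the XOR of the two plaintexts, which is why a patched client is needed even when the router is already fixed.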
KRACK fixes for Broadcom were completed in 33678, including k26 (33655) & k24 (33656), but build 33679 is missing many files. Thus, use 33772 (or newer).
As for other chipsets besides Broadcom, the build above already includes fixes for "most devices" (i.e. non-proprietary drivers), Mediatek, QCA/Atheros, and Marvell based chipsets (source 1, source 2). I don't know when any chipsets besides those ones were fixed.
Remember, your clients also need to be patched against the KRACK vulnerability (clients = your PCs and smartphones and stuff).