KrAcKeD wifi
A Wi-Fi encryption vulnerability sent the entire tech industry scrambling, leaving a vast majority of Wi-Fi devices and networks from many vendors vulnerable to eavesdropping, traffic manipulation, and packet injection by attackers. The vulnerability – KRACK – is caused by a flaw in the four-way handshake used in Wi-Fi's WPA2 security. This allows devices to be exploited by an attacker in the wild, causing them to reuse nonces and, as a result, undermine the encryption and privacy altogether.
If you're wondering if your home network is vulnerable, it is. If you're wondering if your phone and computer are also vulnerable, they are. Devices affected also include many connected to the Internet of Things in both industrial and home settings. Some vendors, having been briefed before the public release of KRACK’s details, met Monday’s announcement already having patches available – but those need to actually be applied to devices. Many vendors, and many more devices that either have not yet been updated or are difficult to update, remain vulnerable to KRACK. We can not state enough how vital it is to patch your devices.
The impacts include, but are not limited to, the following:
The potential long-term damages in IoT associated with a successful attack include permanently breaking trust models (requiring firmware changes or device replacement), compromise of credentials and any associated damages that result, and even identity theft or theft of sensitive private information.
There’s good news and bad news. The good news is you don’t have to wait for a new security standard (e.g. WPA3) to come out and be adopted. The other good news is that fixes exist for many devices and modules. he bad news is that, for IoT, updating devices is often non-automatic, difficult, or impossible. For example, fixing a device that makes use of an affected, e.g., Espressif module not only requires patches released by Espressif, but your device’s firmware needs a patch developed by its manufacturer that applies the module’s patch. Furthermore, unfortunately, many IoT devices do not support user-serviceable upgrading, are not actively supported, or users simply do not know how to upgrade them.And according to HD Moore, a network security researcher at Atredis Partners, for IoT the end definitely isn't near.
“We’re probably still going to find vulnerable devices 20 years from now,” he said in a recent Wired piece (https://www.wired.com/story/krack-wi-fi-iot-security-broken/).
Thankfully there are things you can do:
Hologram users rejoice – no hardware or software produced by Hologram was or is vulnerable to the KRACK Attack. Other vendors, however, aren't so lucky.Raspberry Pi announced Pis were vulnerable until the patched versions of the Debian packages (https://raspberrypi.stackexchange.com/questions/73879/rpi-vulnerable-for-wi-fi-wpa2-krack-attack/73880#73880) were available for Raspbian. Thankfully the company released a patch available in the public Raspbian repo. Espressif discovered several critical key-management vulnerabilities and has released a patch (http://espressif.com/en/media_overview/news/espressif-releases-patches-wifi-vulnerabilities-cert-vu228519?position=0&list=W1-rtfr4C9e1Vhf5JEhY_1EPZ-Dag7NT6M7sJEphvS0). They also encourage all Espressif chipset users to upgrade their systems as soon as possibleA comprehensive list of affected vendors can be found here (http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/).