Key ReInstallation Attack, or KRAck Attack by Mathy Vanhoef


Key Reinstallation Attacks, or KRACKs (follow the link for the full article). The 3rd message of the 4-way handshake is mimicked by the attacker, forcing a client to reinstall the same encryption key over and over. This can be done because access points can retransmit message 3 if they don’t receive an appropriate response, meaning that a client can also receive the message multiple times. It’s especially effective against anything using wpa_supplicant, such as Android phones.

To counter this, I assume some kind of security patch or other will be released soon, but this could mean the replacement of WPA-2. Only now we have a lot more replacing to do than when other protocols were replaced, which means a lot of devices are still going to be using WPA-2.

Edit: Also, I’m sure you guys already know this (we are on after all) but please, protect your shit. Don’t do stupid stuff like make your online bank account password boobies12 and then save it in a cookie.

(Thomas) #2

boobs12? Who the hell would use that? boobs69 is a much better choice.

(Harry) #3

It doesn’t seem to be a router vulnerability. So no need for WPA3, I think. It is a client-side vulnerability and routers need not be patched.

Do you need WPA3?

Not really!

Ubuntu, Fedora, OpenBSD have already released patches. Other vendors will release soon considering the severity of the attack.

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination.

MikroTik also released an article recently: RouterOS NOT affected by WPA2 vulnerabilities

It’s been a long time actually
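
An added example, not part of the thread and not wpa_supplicant's code: a toy client model showing what the repeated message 3 from the first post does, and why the fix discussed above lives on the client. The `Supplicant` class, the `patched` flag and the SHA-256 keystream are assumptions for illustration; the nonce reset on key install comes from the KRACK research, not from this thread.

```python
import hashlib
from collections import Counter

PTK = b"constructed-session-key"  # constructed sample value

def keystream(key, nonce, n):
    # Toy keystream from (key, nonce); stands in for CCMP, which is AES-based.
    # Assumes n <= 32 (one SHA-256 digest) to keep the sketch short.
    return hashlib.sha256(key + nonce.to_bytes(6, "big")).digest()[:n]

class Supplicant:
    """Hypothetical client model: only the key-install logic is represented."""
    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0
        self.log = []  # (nonce, ciphertext) for every frame sent

    def on_message3(self, ptk):
        # The AP resends message 3 when it misses message 4, so this can run repeatedly.
        if self.patched and ptk == self.key:
            return  # same key already installed: keep it and keep the counter
        self.key = ptk
        self.tx_nonce = 0  # (re)installing the key resets the transmit nonce

    def send(self, plaintext):
        self.tx_nonce += 1
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        self.log.append((self.tx_nonce, ct))
        return ct

def run(patched):
    """Message 3, one frame, message 3 received again, one more frame."""
    client = Supplicant(patched)
    client.on_message3(PTK)
    client.send(b"frame-one")
    client.on_message3(PTK)  # duplicate message 3
    client.send(b"frame-two")
    return client.log

def reused_nonces(log):
    """Nonces that appear more than once under the same key."""
    counts = Counter(nonce for nonce, _ in log)
    return sorted(n for n, c in counts.items() if c > 1)

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", reused_nonces(run(patched)))
```

The unpatched model sends both frames under nonce 1 with the same key, so both are encrypted with the same keystream; the patched model ignores the duplicate install and moves on to nonce 2.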

(Harry) #4

But there are no boobs while 69 :expressionless:

(Harry) #5