The security protocol used to protect the vast majority of WiFi connections has been broken. This will expose wireless internet traffic to malicious attack, according to the researcher who discovered this weakness.
It doesn’t bode well that the mainstream media is also ignoring this problem completely because it’s a very big deal. Anytime the mainstream media brushes something off, most start asking questions. Unfortunately, none of the answers we have so far to those questions are of comfort.
Considering every single cellphone now has WiFi in it and this major “weakness” could affect almost everyone. According to ARS Technica, researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that was scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, macOS, Windows, and OpenBSD operating systems, as well as MediaTek Linksys, and other types of devices. The site warned attackers can exploit it to decrypt a wealth of sensitive data that’s normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol. –ARS Technica
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium wrote. “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
Krack Attacks, the website, went on to warn that visiting only HTTPS-protected Web pages wasn’t automatically a remedy against the attack either. Since many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead of transmitting unencrypted HTTP data, this is not a safer option. An attacker can use a script known as SSLstrip to force a site like match.com (dating website) to downgrade a connection to HTTP. The attacker is then able to steal an account when the Android device logs in.
The video below shows how this weakness can be exploited on an Android device.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” the researchers explained. “For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
The main concern is that cell phones which have this weakness won’t get upgraded with the “patch” or the fix for this until it’s discarded and new phone replaces it. Virtually every cell phone out there has WiFi in it. Most are eventually orphaned by their manufacturers, receiving no future updates at all. These devices, along with nearly all “consumer” WiFi access points in homes and small businesses will never be fixed and always open to attacks. In addition to the unavailability of a cell phone patch, the majority of consumer and small-business WiFi access points will never be patched either and could remain vulnerable for years if not a decade or longer.
When something this disturbing is found one often wonders if the process was corrupted either negligently or on purpose. Especially considering this wasn’t found sooner.
The fix is to use a cable to connect your computer to your router. I don’t use the wireless with my computer, just a big yellow cable.
I also don’t use a cellphone. I have one for games, and I occasionally use it to look up something on the internet. I never use it for anything critical. If something happens to it, I can throw it away and buy another one real cheap at the Dollar General.
I use the older WEP 128 bit for my home wi-fi and Wireless Distribution System( WDS) security. I run wi-fi all over my five acres. It can be a pain to set up, but it is pretty bullet proof. A government with a big enough computer can break it, but not many others can.
I dislike WPA2 because it was too automatic. I’m old school, I want to know what is happening with my secure stuff.
Dude, WEP is horrible. I can own WEP encryption in less than ten minutes. WPA2 was the way to go until now. Archivist has it 100% correct. Use a cable, until Microsoft has the patch on a Windows system. I looked at the issue today and it looks easy enough to patch on some devices. Ironically Microsoft will be able to patch easier than others, because they didn’t implement it correctly. Other vendors will probably have a patch pretty soon. The big trouble is WiFi hand off, like in a Corporations, where you walk from access point to another. So wait for the patch and apply it to both your WiFi router/access point and your endpoints, phones, tablets and computers.
You are correct.
I assume you are using Backtrac.
BUT you have to match my wi-fi hardware
to make it work. I could be wrong, but
that was my understanding.
That was the basis for my assertion
that government level ability is needed
to crack the data.
I have really old stuff.
I don’t even think you could get it on Ebay.
You also have to match my WDS frequencies.
Yes, WEP is very “crackable”.
Obviously, so is WPA2. I don’t think
I’ll trust their patches.
A hard wired system is the safest, but most people here
aren’t going to run Fiber optic in order to get a 1/4 km
I run Linux, old hardware, and other things
that aren’t exotic so no one pays attention
to it for hacking purposes.
“..Obviously, so is WPA2…”
NO its not. The protocol is secure. its the implementation thats flawed and what the patches will fix.
But hey, keep on using older, outdated, and insecure protocols and OS’s and thinking that makes it better.
Backtrack? lol… hasn’t been in development/production in 3 or 4 years. Besides, who the heck uses pen testing distros for their OS??
Other than that, I agree. a wired connection is more secure than wireless from a drive-by standpoint
I didn’t say WEP was better, only that, I was more comfortable with it. I have one WPA2 wi-fi extender. It sits in the box.
I’m retired and cannot be ripping out my system to buy the latest and greatest every few years.
I don’t run Windows as a rule.
I certainly would never do anything requiring secure
internet access on a Windows machine or
my android cell phone using wi-fi.
Yes, the WPA protocol is secure, But patches for all the wi-fi AP’s out there will take years if at all. WEP cracking usually requires identical hardware, unless I’m wrong.
Which is my point. Yes you can crack it, but you need more information than just stuff radiated through the air.
Yes I’m a little out of date and I’m not an IT guy.
You tried Kali? Using then Reaver?
Ha – all the noobs and their ‘Kali’ (or before that backtrack).
You are aware of course that all that distro is is a compilation of available programs that can be installed on any Linux system?
kali uses friggen systemd as it’s init for crying out loud.. the same systemd that hijacks your system and obscures what’s really going on. Anyone with an iota of knowledge uses a real distro like Slackware (with its script based init) and installs the programs they require for pentesting themselves.
(Proud linux user since ’97)
See that van across the street? Go over and knock on the window…
My dogs would be barking non-stop.
I live on a single lane “Cane” road,
one of few that have been paved part way.
All my neighbors have house wi-fi.
7 houses live along the road but all
are on acreage and are some distance
from the road.
I really don’t think I have to worry.
I can’t knock on the window of that van, that van is rocking, so i won’t go knocking.
Is it a Chevy van? And that’s alright with me
occasionally use it to look up something on the internet.
You’re not blind yet? That seems to be the only thing on your mind.
I’ve been warning you all on here for years to shut all your WiFi and GPS off on your cell phones and NEVER EVER do any banking on your cell phones. Cell phones are like a prisoners ankle Track GPS device. NEVER PUT ANYTHING ON YOUR PHONE YOU DON’T WANT ANYBODY TO SEE.
You are late on this one, info has been given by Canadien press yesterday!
I takes 3 days for Canadian news to make it out of the tundra, so he is not late yet.
so why didnt you give us a big heads up EH?
Speaking of FBI, relative to Las Vegas and guns, LV wasn’t the largest mass shooting in US history. Rather, “Let’s start with the racist origins of gun control in the Jim Crow South. That’s right; ****the first gun control laws were meant to keep guns out of the hands of blacks, leaving them defenseless against the KKK.*** The worst massacres in American history weren’t Orlando and Las Vegas. As National Review’s Kevin Williamson recounts, “That happened in — depending on who is doing the counting — 1917 in East St. Louis (my notes: police chief estimated that 100 African-Americans had been killed. Renowned journalist Ida B. Wells reported in The Chicago Defender that 40–150 African-American people were killed during July in the rioting in East St. Louis. The NAACP estimated deaths at 100–200. A Congressional Investigating Committee concluded that no precise death toll could be determined, but reported that at least 8 whites and 39 African-Americans died), or in 1873 in Colfax, La., or in 1921 in Tulsa, Okla.(my notes: June 1, 1921, the Tulsa Tribune reported that 9 whites and 68 blacks had died in the riot, but shortly afterwards it changed this number to a total of 176 dead). or in 1919 in Arkansas. All of those were mob-violence episodes in which white terrorists, often working under the leadership of Democratic politicians, massacred African Americans, hundreds at a time.”
To be sure, not all were shot, though probably most were. Some were hanged, some were burned alive. Unarmed and defenseless blacks. But I think we can be confident unarmed, defenseless blacks were shot in numbers far surpassing Las Vegas.
Sources from Patriot Post, Oct. 17 2017
FoxNews ALERT Las Vegas guard Jesus Campos vanished after visiting urgent-care clinic, union leader says
He was either in the U.S. illegally, or he has just joined the Las Vegas Disappeareds. This makes two (2) now. That we know of.
More like 4 man.
They all used to work for Hillary. I know that stinkin’ biatch is in the mix somewhere.
This article is mistaken. It was Jesus Campos’ gonorrhea that vanished after going to the clinic.
Jesus Campos today….Jose Vargas tomorrow. Gooberment CIA spook.
Yep, a spook. Will he really appear on TV tomorrow?
Mandalay Bay security guard set to make TV appearance after avoiding media
Wrong again Test. The Largest Human Slaughter on US Soil happened at wounded Knee, of Native Americans after they gave up their rifles and weapons. Lesson Learned. Never ever give up your guns, if you like to live.
Did I not warn you about fucking with the Kurds?
The phone I am using went daffy yesterday throwing up all kind of warnings of viruses and other problems. I tinkered with it and made it worse, not that computer or phone savvy. Finally I got sick of it and wiped everything out losing all that was stored. Problem almost solved, just a few things I can’t figure out. Probably not related to this article.
I don’t rely on a cellphone to store phone numbers.
I have a paper list in my pocket, printed in small type so it all fits on one piece of paper.
It’s right there in my calendar book with my tiny print copy of the Constitution and my Captain D’s coupons.
I can’t stop laughing. Thank you. 😉
Skynet on Earth.
To hell with all of it and HANG all of the sons of bitches doing all of this crooked nonsense!
Reminds me of the book The Mind Parasites by Colin Wilson. 8,000,000 negroes were thrown off of Earth. . .
“A professor makes a horrifying discovery while excavating a sinister archeological site. For over 200 years, mind parasites have been lurking in the deepest layers of human consciousness, feeding on human life force and steadily gaining a foothold on the planet. Now they threaten humanity’s extinction. They can be fought with one weapon only: the mind, pushed to—and beyond—its limits. Pushed so far that humans can read each other’s thoughts, that the moon can be shifted from its orbit by thought alone. Pushed so that man can at last join battle with the loathsome parasites on equal terms.” [review found on Amazon]
No…there’s no hiding from the all-seeing eye.
All electronic communication is collected and stored for future use for blackmail or arrest.
Nothing to hide?
Who do you think you are fooling? They know all about you and your dirty little secrets.
Doesn’t much matter.
John McAfee says your device is most likely infected with keystroke malware already. Encryption is no use with this malware because it captures keystrokes BEFORE encryption.
He says if you have ever visited a porn site your equipment is infected with this program.
Claims he used to send his guys to Star Bucks to capture everyone’s passwords on their free WiFi to find out the most common ones.
Woulda made a good president.
In other words they can plant kiddie porn on your computer and put you away easy?
You have to ask?
I don’t think so.
Every major American tech company is in bed with CIA, just as in the old days all the major newspapers were.