Krack Attack. The first major WPA2 flaw
Today a major WPA2 flaw was publicly released. It's the first time a flaw has been found in the protocol itself (as opposed to flaws due to weak passwords). The flaw was discovered in July this year and was under embargo so that most vendors could fix their FW with a backward-compatible fix.
First of all, the "Krack attack" found a major vulnerability in how the WPA2 protocol exchanges the key. The good news is that we don't need to create a WPA3, since there is a backward-compatible fix for WPA2.
The main idea is:
During the WPA2 handshake, it is possible to replay a particular message (message 3 of the 4-way handshake). This forces the victim to reinstall the key, which resets the receive packet number and nonce.
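To make the effect of a replayed message 3 concrete, here is a toy model added as an illustration; it is not code from the paper or from any vendor. The `Supplicant` class, its counters, and the SHAKE-based keystream are simplified stand-ins assumed for this example, and the patched branch models the general idea of the fix (do not reset counters when the same key is installed again).

```python
import hashlib

def keystream(key, pn, n):
    # Stand-in for the per-packet keystream: it depends only on (key, nonce),
    # so a repeated pair yields identical keystream bytes.
    return hashlib.shake_256(key + pn.to_bytes(6, "big")).digest(n)

class Supplicant:
    """Simplified client-side handling of handshake message 3 (hypothetical model)."""
    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.tx_pn = 0       # transmit packet number, used as the nonce
        self.used = set()    # (key, nonce) pairs already used to encrypt

    def on_message3(self, ptk):
        # Patched: a retransmitted message 3 carrying the already-installed
        # key is acknowledged but must not reset the counters.
        if self.patched and ptk == self.ptk:
            return "ack-only"
        self.ptk = ptk
        self.tx_pn = 0       # the reset that key reinstallation causes
        return "installed"

    def send(self, plaintext):
        self.tx_pn += 1
        pair = (self.ptk, self.tx_pn)
        reused = pair in self.used
        self.used.add(pair)
        ks = keystream(self.ptk, self.tx_pn, len(plaintext))
        return self.tx_pn, bytes(a ^ b for a, b in zip(plaintext, ks)), reused

def run(patched):
    ptk = b"constructed-session-key"   # constructed sample value
    s = Supplicant(patched)
    s.on_message3(ptk)
    first = s.send(b"frame one")
    s.on_message3(ptk)                 # message 3 arrives a second time
    second = s.send(b"frame two")
    return first, second

if __name__ == "__main__":
    for mode in (False, True):
        (pn1, _, _), (pn2, _, reused) = run(mode)
        print(f"patched={mode}: nonces {pn1},{pn2} reuse={reused}")
```

In the unpatched run both frames are encrypted under the same key and nonce, which is exactly the condition the encryption scheme must never allow; in the patched run the counter keeps advancing.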
Here's a diagram of the 4-way handshake (from Wikipedia)
You can read more details in the paper by the researcher who discovered it:
https://www.krackattacks.com/
You should double-check your Wi-Fi AP and update the FW. Some vendors still don't have a fix (for example, for the Netgear R8000 I currently use at home), but it should be coming soon. You will also need to update your clients (keeping iOS and Windows up to date).
But more troubling are all the IoT devices that probably don't have any FW updates. Security for IoT is quickly becoming a disadvantage of connecting things. This shouldn't be the case as long as device manufacturers put resources into it.