Dutch Mathy Vanhoef has published KRACK against WPA2. There is a common implementation flaw in WPA2 that allows decryption of WiFi traffic in at least several cases. Linux and Android devices are worst affected.
WPA2 is basically sound, there is no need to change the security system like when WEP was broken, just a software/firmware update will do the trick. Meanwhile it is good to double check you are using TLS on top of WPA2 for your connections.
A direct link to Mathy's paper is at:
The CERT VU# is VU#228519 and covers 10 CVEs.
The KRACK attack page at:
has multiple links on it to demo, details and tools (Python scripts) that are being cleaned up for public dissemination.
Without a doubt, the problem can be seen in a MiTM attack and be severe. Hopefully no other vectors will present themselves.
Many companies have found that only minor code tweaks, of just a few lines, correct the problem.
I'm sure we will hear much more about this in the near future.
On the krackattacks page, Mathy had this to say under FAQs:
Are other protocols also affected by key reinstallation attacks?
We expect that certain implementations of other protocols may be vulnerable to similar attacks. So it's a good idea to audit security protocol implementations with this attack in mind. However, we consider it unlikely that other protocol standards are affected by similar attacks (or at least so we hope). Nevertheless, it's still a good idea to audit other protocols!
So you expect to find other Wi-Fi vulnerabilities?
“I think we're just getting started.” — Master Chief, Halo 1
Thought I would start a discussion forum on this. However, moving to this Discussion Forum to avoid duplicity.
Looking through the various online postings, blogs, etc., I noticed several vendors that I listed on my last slide at the CWNP conference are not mentioned.
This piques my curiosity since at least two of the companies are in 100+ countries and 125+ ports.
I did notice that one of the vendors that I did list is unaffected.
All of the companies I am familiar and experienced with are for outdoor environments more than indoor.
Not sure exactly which list you are talking about? Do you mean the "notified by CERT/US" list?
Some companies were notified directly before CERT was notified. Others were notified by CERT or ICASI. Still others may not be CERT subscribers - but hard to believe.
I noticed in Mathy's report he stated that some systems were not susceptible because they did not use a de facto state machine implementation.
I am sure that some companies will obscure this weakness, at least for the time being.
Howard, I like your optimism :-)
Yes, there are companies that do NOT even follow CERT org or any type of CVE or IAVM.
As I identified in my post, I am concerned because at least 2 vendors that I am familiar with are not listed on any WPA2 Krack vulnerability list, though both exist in 100+ countries and 125+ ports. One vendor's equipment I have actually implemented and installed; this vendor is also utilized by WISPs in the USA (I am a WISPA member). I liked this vendor because they actually support and implemented 192-bit AES (didn't know non-USA vendors actually did this).
There is a lot of confusion out there in the world about Krack, even among vendors, IT staff, and journalists. Even Google (YouTube) has gone overboard, seemingly because they don't understand serious malware investigation and reporting. Mathy's YouTube account was blocked for several hours as a threat - and they have issued no explanation, or apology, for their confusion.
Many are focusing on client device weakness, but APs are equally broken, including those used along with fancy firewalls and expensive authentication methods. The recommended solution for some installations using Fast Roaming has been to disable it!
A big part of the problem is that many companies are using older products whose manufacturer has/had/have no plans to update older versions of firmware. This is going to take a while. The best we can do is apply fixes to our own gear as soon as they are made available.
What I am concerned with are other protocol bugs, perhaps lurking in the background, that just haven't been noticed - and not just WPA2 bugs. At least one of the current CVEs was predictable by any software engineer who had read the 802.11 standard and understood the importance of testing for re-use - several years ago.
Although software libraries allow manufacturers to churn out bloatware faster, and using cheaper programming talent, it does not allow for the analysis and testing required in good software.
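The "few lines" fix mentioned earlier in the thread and the "testing for re-use" point above both come down to the same state-machine detail: a supplicant that installs the pairwise key (and resets its packet-number counter) every time it accepts message 3 of the 4-way handshake will reuse nonces when message 3 is retransmitted. The following is an added illustration, not code from Mathy Vanhoef's paper, the thread, or any vendor; it models one client with a toy keystream and an opaque PTK (all values are constructed), and shows the vulnerable handler beside a hardened one that refuses to reinstall a key it already has, plus the kind of nonce-reuse check a tester could run against captured frames.

```python
"""Constructed model of a key-reinstallation flaw and its fix.

Not code from the KRACK paper or any product. The PTK is an opaque
constructed value and "encryption" is a toy XOR against a keystream
derived from (key, packet number); it shares one property with real
CCMP/GCMP: same key + same packet number => same keystream.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Toy keystream, deterministic in (key, nonce) like a real counter mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            ptk + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Minimal client-side state for the WPA2 4-way handshake (simplified)."""

    def __init__(self, harden: bool) -> None:
        self.harden = harden        # True: never reinstall an already-installed key
        self.ptk: Optional[bytes] = None
        self.packet_number = 0      # nonce counter, reset whenever a key is installed
        self.installed = False

    def receive_msg3(self, ptk: bytes) -> None:
        """Handle (possibly retransmitted) message 3 of 4.

        Vulnerable path: every accepted message 3 installs the PTK and resets
        the packet number to 0, so a retransmission makes the client reuse
        nonces it has already used under this key.
        Hardened path (the few-line check, an assumption about what a fix
        looks like, not a vendor's patch): once the key is installed, a
        retransmitted message 3 carrying the same key is acknowledged
        without touching the installed key or the counter.
        """
        if self.harden and self.installed and ptk == self.ptk:
            return
        self.ptk = ptk
        self.packet_number = 0
        self.installed = True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes, bytes]:
        """Return (packet_number, plaintext, ciphertext) for one data frame."""
        assert self.ptk is not None, "no key installed"
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, plaintext, bytes(a ^ b for a, b in zip(plaintext, ks))


def simulate(harden: bool) -> List[Tuple[int, bytes, bytes]]:
    """Handshake, two data frames, message 4 lost so the AP resends message 3, two more frames."""
    ptk = hashlib.sha256(b"constructed PTK for demonstration only").digest()
    client = Supplicant(harden)
    client.receive_msg3(ptk)
    frames = [client.encrypt(b"first frame"), client.encrypt(b"second frame")]
    client.receive_msg3(ptk)  # retransmitted message 3 (same key)
    frames += [client.encrypt(b"third frame"), client.encrypt(b"fourth frame")]
    return frames


def nonce_reuse(frames: List[Tuple[int, bytes, bytes]]) -> List[int]:
    """Tester-side check: packet numbers seen more than once within one key session."""
    seen: Dict[int, int] = {}
    for pn, _, _ in frames:
        seen[pn] = seen.get(pn, 0) + 1
    return sorted(pn for pn, count in seen.items() if count > 1)


def leaks_plaintext_xor(frames: List[Tuple[int, bytes, bytes]]) -> bool:
    """True if two frames share a packet number and their ciphertexts XOR to the
    XOR of their plaintexts, i.e. the keystream was identical. This is the
    concrete consequence a nonce reset causes; a correct client never triggers it."""
    by_pn: Dict[int, Tuple[bytes, bytes]] = {}
    for pn, pt, ct in frames:
        if pn in by_pn:
            pt0, ct0 = by_pn[pn]
            n = min(len(pt0), len(pt))
            ct_xor = bytes(a ^ b for a, b in zip(ct0[:n], ct[:n]))
            pt_xor = bytes(a ^ b for a, b in zip(pt0[:n], pt[:n]))
            if ct_xor == pt_xor:
                return True
        by_pn[pn] = (pt, ct)
    return False


if __name__ == "__main__":
    for harden in (False, True):
        frames = simulate(harden)
        print("hardened" if harden else "vulnerable",
              "reused packet numbers:", nonce_reuse(frames),
              "keystream reuse observable:", leaks_plaintext_xor(frames))
```

The point of the model is the order of checks in receive_msg3: the hardened client still accepts and acknowledges a retransmitted message 3 (so it stays interoperable with an AP that resends), but key installation is idempotent, so the packet-number counter keeps advancing. A test of the form nonce_reuse(frames) == [] after a forced retransmission is the "testing for re-use" that would have caught the issue in a real implementation.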
It is very interesting looking at how various companies are responding to the Krack issue.
Some companies, like TP-LINK, seem to have a very straightforward approach to which of their products are affected.
Others are pretty much remaining mum on the subject.