KRAK Attack Vulnerability on WPA2 client-side.

madscientist_42
Posts: 95
Joined: Tue Feb 21, 2017 10:17 pm

KRAK Attack Vulnerability on WPA2 client-side.

Postby madscientist_42 » Mon Oct 16, 2017 3:58 pm

Heads up, folks!

https://www.krackattacks.com/

Basically, there's a design flaw in the standard for WPA2 that allows for a key re-installation attack on WPA2. All key exchange types are vulnerable. AES-CCMP is semi-resilliant to the attack, as is Enterprise. TKIP and GCMP are very, very vulnerable. It allows someone to inject themselves as a MITM between the client and the AP with minimal ability to detect that the attack has occurred.

Patches are out or about to be out for implementations of the supplicant part of the stack. You will need to update things when Espressif updates the driver stack for the ESP32 and their other WiFi devices.

Lucas.Hutchinson
Posts: 79
Joined: Tue Apr 26, 2016 5:10 am

Re: KRAK Attack Vulnerability on WPA2 client-side.

Postby Lucas.Hutchinson » Mon Oct 16, 2017 7:16 pm

Looks like Espressif had prior disclosure and have already pushed fixes to the master branch of the IDF.
They will also soon be releasing v2.1.1 with the fix and it will be in the upcoming v3.0 release.

https://esp32.com/viewtopic.php?f=13&t= ... 687#p15687

madscientist_42
Posts: 95
Joined: Tue Feb 21, 2017 10:17 pm

Re: KRAK Attack Vulnerability on WPA2 client-side.

Postby madscientist_42 » Mon Oct 16, 2017 8:18 pm

Lucas.Hutchinson wrote:Looks like Espressif had prior disclosure and have already pushed fixes to the master branch of the IDF.
They will also soon be releasing v2.1.1 with the fix and it will be in the upcoming v3.0 release.

https://esp32.com/viewtopic.php?f=13&t= ... 687#p15687
Epic. I suspected they'd be on top of this. Thing is, folks, **WE** need to be as on-top of this. If you've got product out there using WiFi...you need to get ready to push an update when 2.1.1 or 3.0 comes out. Seriously.

Who is online

Users browsing this forum: Majestic-12 [Bot] and 275 guests