Heads up, folks!
https://www.krackattacks.com/
Basically, there's a design flaw in the standard for WPA2 that allows for a key re-installation attack on WPA2. All key exchange types are vulnerable. AES-CCMP is semi-resilliant to the attack, as is Enterprise. TKIP and GCMP are very, very vulnerable. It allows someone to inject themselves as a MITM between the client and the AP with minimal ability to detect that the attack has occurred.
Patches are out or about to be out for implementations of the supplicant part of the stack. You will need to update things when Espressif updates the driver stack for the ESP32 and their other WiFi devices.
KRAK Attack Vulnerability on WPA2 client-side.
-
- Posts: 95
- Joined: Tue Feb 21, 2017 10:17 pm
-
- Posts: 79
- Joined: Tue Apr 26, 2016 5:10 am
Re: KRAK Attack Vulnerability on WPA2 client-side.
Looks like Espressif had prior disclosure and have already pushed fixes to the master branch of the IDF.
They will also soon be releasing v2.1.1 with the fix and it will be in the upcoming v3.0 release.
https://esp32.com/viewtopic.php?f=13&t= ... 687#p15687
They will also soon be releasing v2.1.1 with the fix and it will be in the upcoming v3.0 release.
https://esp32.com/viewtopic.php?f=13&t= ... 687#p15687
-
- Posts: 95
- Joined: Tue Feb 21, 2017 10:17 pm
Re: KRAK Attack Vulnerability on WPA2 client-side.
Epic. I suspected they'd be on top of this. Thing is, folks, **WE** need to be as on-top of this. If you've got product out there using WiFi...you need to get ready to push an update when 2.1.1 or 3.0 comes out. Seriously.Lucas.Hutchinson wrote:Looks like Espressif had prior disclosure and have already pushed fixes to the master branch of the IDF.
They will also soon be releasing v2.1.1 with the fix and it will be in the upcoming v3.0 release.
https://esp32.com/viewtopic.php?f=13&t= ... 687#p15687
Who is online
Users browsing this forum: Baidu [Spider], Google [Bot] and 99 guests