Breaking WPA2

Sometimes we are reminded that the "noise" of policy drowns out important practical news. Today is one of those days. While we sit around worrying about Harvey Weinstein and Trump's latest tweet, it turns out that the encryption protocol at the core over almost all WiFi is vulnerable to attack.

Here is the report from Krack Attack. They open:

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The web site Tech Solvency has an ongoing blog that summarizes the effects. Their bullet point summary:

* Flaw with the protocol itself - so *anything* speaking Wi-Fi will need to be patched (both client *and* server), including the long tail of legacy, EOL, and cheap IoT gear that will likely never be patched - so replacing hardware will be the only option.
* Assume all Wi-Fi networks are observable until then (core mitigation: use a VPN).
* Android and Linux are the most vulnerable. Much harder to exploit on Windows or iOS.

I will leave it to the more technically minded of our contributors to explain the flaw in more detail, but the details don't seem to matter. If initial reports are true, this is a "big deal" -- a potential vulnerability in virtually all WiFi systems.