Security Alert! Your Wi-Fi Can Be Affected by KRACK!

Mauro Rizzi
October 18, 2017

A serious security weakness discovered in WPA2 in the last day or two presents a serious security issue for Wi-Fi networks and the devices that use them.

WPA2, which is the way all modern Wi-Fi networks are secured, has weaknesses that can be exploited by an attacker within range of a victim using key reinstallation attacks (KRACKs). Discovered by researcher Mathy Vanhoef, KRACK exploits limitations in implementations of the handshake processing in the 802.11 protocol.

How does it break your Wi-Fi?

There is a process by which every device is authenticated before it is allowed access to a Wi-Fi network. This process is invisible to the end-user so there would be no obvious way for you to know that a security break has occurred.

When your device uses a four-way authentication "handshake", it is the third step that is targeted. This is the step where a Wi-Fi client attempts to connect to a protected Wi-Fi network. The encryption key may be resent multiple times during this step, and if these transmissions are collected by attackers and replayed in specific ways, 802.11 security encryption can be broken. For a more technically detailed explanation, check out Mathy Vanhoef's website on the attack.
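The toy model below is an added example, not code from this post or from ALE. It goes slightly beyond the text, following the published KRACK research: reinstalling a key that is already in use resets the per-packet counter, so two frames are encrypted with the same keystream, while a patched client ignores the repeated third step. All names and sample values are constructed for illustration.

```python
# Toy model (added example, not real 802.11 code): a client handling
# message 3 of the four-way handshake. Client, on_message3 and send are
# hypothetical names; the SHA-256 keystream stands in for the real cipher.
import hashlib

KEY = b"constructed-session-key"               # constructed sample value
P1, P2 = b"msg one: hello", b"msg two: world"  # constructed plaintexts


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Same (key, counter) pair always yields the same keystream."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    def __init__(self, patched: bool):
        self.patched, self.key, self.counter = patched, None, 0
        self.counters_used = []

    def on_message3(self, key: bytes) -> None:
        """Install the key carried by handshake message 3."""
        if self.patched and key == self.key:
            return            # key already installed: counter keeps running
        self.key, self.counter = key, 0   # (re)install resets the counter

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1
        self.counters_used.append(self.counter)
        return xor(plaintext, keystream(self.key, self.counter, len(plaintext)))


def run_session(patched: bool):
    """Handshake, one frame, a resent message 3, then a second frame."""
    client = Client(patched)
    client.on_message3(KEY)
    c1 = client.send(P1)
    client.on_message3(KEY)   # the third step arriving a second time
    c2 = client.send(P2)
    reused = len(set(client.counters_used)) < len(client.counters_used)
    return reused, c1, c2
```

In the unpatched run, XORing the two ciphertexts cancels the shared keystream and leaves the XOR of the two plaintexts; in the patched run the counter keeps advancing and no keystream repeats.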

What happens when Wi-Fi security is broken by KRACK?

Many people blindly assume that whatever Wi-Fi network they are using, their personal and business data is protected from prying eyes. However, by exploiting the weaknesses as KRACK does, the attacker can eavesdrop on all the traffic you send over the network. That data might include sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.

However, it's not all bad news

There are no automated tools that allow someone to deliver this attack in a simple way today. In fact, Iron Group CTO Alex Hudson says an attacker needs to be on the same Wi-Fi network as you in order to carry out any nefarious plans with KRACK. "You’re not suddenly vulnerable to everyone on the internet," he says.

In the meantime …

Stick to websites that use HTTPS encryption, as data encrypted with a higher-level protocol like HTTPS and/or TLS is safe. Check for the green lock in the address bar, which your web browser shows when it is safe to browse with HTTPS. Secure websites are still secure even with Wi-Fi security broken. The URL of an encrypted website starts with "HTTPS", while an insecure website starts with "HTTP". The Electronic Frontier Foundation's excellent HTTPS Everywhere browser plugin can force all sites that offer HTTPS encryption to use that protection.

If you’re using an encrypted virtual private network (VPN) then your traffic is secured even in case of a successful KRACK attack.

And my Wi-Fi password?

This vulnerability does not expose nor reveal your Wi-Fi credentials in use on the network to an attacker. So, there’s no need to change the password as part of a mitigation. The exploit targets information that should have been encrypted by the WLAN infrastructure, so the attacker doesn’t need to crack your password to implement it.

Should I contact my network vendor regarding their products?

Your network vendor should be aware of KRACK and be providing either patches or workarounds for their products.

If you are an ALE customer or partner, update your OmniAccess and OmniAccess Stellar WLAN products to the latest available software releases which include patches for the flaw.

We are investigating the potential impact on all of our products and will publish updates as soon as possible on our ALE public website for security advisories. Check our security advisories page regularly for the latest information.

Mauro Rizzi

Network Business Development Director, Alcatel-Lucent Enterprise

Mauro joined ALE in 2009 to support the Central Mediterranean Countries with his presales skills and abilities. He then took the challenge to move to the position of business developer for the SEMEA region and visited quite a lot of customers around the globe and especially in Africa. Mauro is currently in charge of the development of the ALE networking business through the assistance and support in the roadmap definition and evolution. He supports the development of the marketing assets for inbound and outbound campaigns and special, dedicated programs meant to enable partners to be able to sell more and get more out of the solution proposed by Alcatel-Lucent Enterprise.

Mauro graduated as an Electronic Engineer from the University of Brescia and then achieved an MBA from the University of Padua. At 38, Mauro Rizzi is a fitness and technology enthusiast.
