Why we can’t have nice things: WiFi is now broken

Dan Goodin, Ars Technica:

An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that’s scheduled for 8 a.m. Monday, east coast time.

That reveal is scheduled for a few minutes from now. This is real “sky is falling” news, basically impacting the majority of WiFi using folk who use WPA2 to protect their WiFi connections.

More from the article:

The vast majority of existing access points aren’t likely to be patched quickly, and some may not be patched at all. If initial reports are accurate that encryption bypass exploits are easy and reliable in the WPA2 protocol, it’s likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it’s possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users’ domain name service.

Take a few minutes to read this announcement page, which lays out all the detail on the attack. At the very least, scroll down to the Q&A section a bit more than halfway down the page.

The bad news is, this impacts pretty much everyone using WPA1 and WPA2 and you can’t fix this by, say, changing your password.

The good news:

Implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

A nightmare, but not a total unfixable nightmare. But things are going to be sketchy for some time. Check for HTTPS on your URLs. If you are using HTTP, assume someone can read every part of your communication.