I KNEW you'd have a video for this straight away. I woke up, checked my phone, saw this and thought 'can't wait to see the Computerphile video about this'. I love your videos.
Considering Windows released an update to patch this before the media published anything, yeah I would say so. It's commonplace for the tech industry to find out first and have a window to fix it before the news runs with it. Once the news publishes it there is the risk of the attacks becoming more widespread.
After seeing these videos on it, and reading the paper, that attack seems soooo profound! You see exceptionally simple exploits and blatant lack of security in implementations of many things, but it amazes me that a protocol such as this has such a basic vulnerability that's part of its standard. Ironically, implementations that disregard the standard are more secure... That's
Well, the systems most at risk are those which tried to patch a vulnerability to a different, less dangerous problem. Ironically fixing one hole created a much bigger one. Perhaps not following the spec was intentional though. If you sense a potential problem with the official implementation you may just choose not to follow the suspect part of the spec. You don't necessarily need to know exactly what the problem is either. A vague notion that part of the spec has an issue might be enough to avoid the issue almost accidentally...
I've heard that this vulnerability is not specified in the WPA2 standard, it's just a non-specified part of the WPA2 standard that is most commonly set up in an exploitable way.
My Computer Hardware & Networking teacher said it best (though it wasn't about WiFi, it was about disk encryption): The street between the Standard and the Implementation is mostly potholes.
"it needs to be patched, it'll be patched, and then we can all go back to using wifi". Unless we have an Android phone, or use wifi repeater hardware that will never see a firmware update, or etc etc. sigh. :(
Thank goodness no-one was ever stupid enough to put wifi in cheap consumer electronics and household appliances that couldn't be patched to fix things like this. Then we'd have really been in trouble...
Selek Somewhat ironically, pre-Marshmallow devices are better off than Marshmallow or newer. This is due to a fix for a prior bug that went into Android 6, and is what introduced the worst-possible-outcome zero-nonce when enduring KRACK.
Hey, at least this one CAN be patched. There's an exploit in the USB protocol relating to plug and play that literally cannot be patched because it would break USB. Leave in exploit, or stop using USB. Those are your options...
This sounds similar to the way enigma was broken: forcing reuse of the same key sequence points against varied data (suspected) to get the key back. (Especially the crib dragging, as with the weather reports that were expected in some transmissions.) - ?
I thought WPA2 was supposed to stop traffic and reset the key if more than one TKIP / MIC failure occurred within 60 seconds. Wouldn't that limit brute force attacks?
There's a bit of a mistake near the end. The brute forcing methods described in this video apply to Windows and MacOS because keys are reused. That means with some amount of known information the attacker can guess the key. wpa_supplicant used on Linux and Android clears its key, resulting in a zeroed-key, which means no brute forcing is necessary because now the key is known. While this is what's demonstrated by the security researcher, it would be trivial to go a bit further and compare known information to repeatedly used keys and then guess the key, making Windows and MacOS susceptible, so to say "on certain operating systems it's relatively benign" is incorrect. Forgery should be possible on any unpatched system that accepts the use of TKIP. So the main other feature of zero-key: forgery is still possible on systems not affected by zero-key like Windows and MacOS. Since both of these OSes happily accept TKIP and most any fairly new router is set to use either TKIP or CCMP (AES), then there is nothing protecting these systems against forgery once keys are guessed.
When they were talking about XORing the results I immediately thought about Prof. B's videos on WWII Lorenz cracking and lo and behold they did mention it in the description. Since no one reads the description I figured I'd post this anyway.
In short.. During WW2 German Enigma failed before it was sending weather info and time at the beginning of the message using the encrypted codes.. If you knew those, you could easily decrypt any message.. Same concept
Win Dias word, it was hella easy to decrypt enigma. u just had to write up an algorithm, translate it into base 5 instructions implemented as physical wiring connections on a high voltage electro-mechanical early prototype computer, then piece of cake from there. It definitely made it easier, but easy is probably saying too much. Also, I think the fact of characters never looping back to themselves was probably a greater vulnerability
It just makes you think how many other exploits are sitting in the code of critical applications and haven't made it into the mainstream to be fixed yet
I read an entire article and now watched this lovely video but I still don't freaking get it. I am supposed to graduate as an IT engineer next year! God damn it
I'm an electronics and telecom major it would be really great if you can make a playlist of all computer science and security videos from your channel and anyone would just skim through it anytime. I'm currently learning CS and the way you explain things it's really awesome but I always have to find videos related to the same topic like stack heap DS etc... and searching consumes a lot of time. Plz do the needful. Thanks!!
This isn't the first time a key was broken because someone sent two or more similar messages using the same key. In fact, that was how the Lorenz Machine was broken during WW2.
Mathematically, nothing is completely uncrackable - even for passwords that take longer than the life of the universe to crack, there is always a chance to crack the password.
John Thimakis Well, because it's pretty much true, nothing is unbreakable, it only depends on the current state of knowledge, computing power to use and time.
Quantum would mean you know when someone has intercepted a message. Also, quantum decryption would annihilate any currently used encryption. Basically, as far as I understand, it would be useless using any known encryption algorithm vs a quantum decryptor, and you will only ever know if a message was intercepted. IMO, encryption will die, and only thing left is knowing if someone read your message, or part of. Please correct me if I am wrong :).
Alex B "They" have to code and deploy a fix, with the "they" being whomever is responsible for the WiFi stack on a particular device, such as Microsoft, Debian, Ubuntu, Apple, Google (and all of their OEM chain, hahaha), etc. For the nitty gritty, here's an example of one of the fixes from OpenBSD ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/041_net80211_replay.patch.sig
No, that captures the handshake for password cracking via rainbow/statistical/brute/hybrid methods. This is a technicality of how TKIP works to use counters in increasing encryption complexity. Imagine knowing what the psrng would generate as someone tries to log into Facebook next for their session key: you could then assume their generated session key and mess with their account without needing to know their password, even though it's far more complicated than just discovering their password.
This seems pretty possible to mitigate by going "oops start over" and reconnecting from the start if you get a second message 3. Am I missing something?
*_...puzzling your description: ►in a key-update-chain, one-use-keys may be used a second time to send the next key, if, ‘co-random’ not-otherwise-recognizable..._*
It sounds like this to be a flaw mainly in the encryption used, itself, rather than the Wi-Fi standard that used it. Hypothetically, it's still actually secure. It's just that the loopholes mentioned in this video cause the encryption mechanisms to break, thereby making the standard insecure. The flaw in this standard's more its reliance on its encryption, its ultimate trust, than anything else. If I were the standard's designer, I would've expected something like this to happen, and design the standard accordingly, for it's better wisdom not to rely on chance, but on one's expectancy for something like this to happen.
I kind of dislike how they state something like "WPA2 was mathematically proven to be secure" and then something like "But it is not secure now", which makes it sound like a mathematic proof, in general, is not reliable. The mathematically proven part is still secure, the attack is about abusing a fail-safe (the retransmission of packet 3) that is not part of the mathematical description.
Great content as always and thanks for sharing. One tiny criticism of something I've noticed on at least a couple of videos: the audio sync is like a couple of seconds late on the scenes showing the working on paper (also see the GANs video for another example)
So, the attacker or the Access Point sends Message3 continually to the client making it reset its encryption counter, which makes all encryption blocks be encrypted by the same random number of strings. So in the end all blocks are encrypted with the same number which provides for ample opportunities for brute forcing that number. I think I get it :D. And from what I've read in a review, the WPA2 standard specifies that the client should reset its counter if it receives Message 3 again. So the KRACK is in the standard itself.
I reacted to the part where he said it's a theoretical possibility to reach the maximum of a 128 bit number in this situation. I assume then that the starting number is randomized and arbitrary?
So from what I understand this is only able to be done at close range, and only doable during the connection establishment. So if your computer is always on, and always connected to the WiFi, this can't be used against you. Am I correct?
To keep this secure, the entire 4-step handshake has to start over from 0 with a NEW random key exchange before trying to connect again, rather than trying to continue the login...
Forgive me if this is a really dumb question, but I am honestly a bit confused. Does the malicious person trying to intercept data need to be physically close by (i.e. within range of your wifi) to get in and intercept data, or is this the kind of thing that can be done remotely somehow?
I don't know if it's you or RU-vid, but I'm only getting HD options (1080p and 1440p). On my regular laptop these don't load properly - I always switch to something lower - so I'm unable to watch this video.
Man in the middle takes the message and sends something different instead, right? In this case here the attacker doesn't need to alter the message, just cause it to repeat multiple times to be able to decrypt the key
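The keystream-reuse problem that several comments above describe (a repeated message 3 resetting the packet counter, so two packets are XORed with the same keystream), as an added example that is not part of any comment or of the video. The `Client` class, the SHA-256 keystream (a stand-in for the real cipher) and the sample plaintexts are constructed for illustration; the second mode models a client that ignores a repeated message 3 once the key is installed.

```python
import hashlib

P1 = b"GET /weather HTTP/1.1"   # constructed: plaintext the observer already knows
P2 = b"password=hunter2-demo"   # constructed: plaintext the observer does not know

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy counter-mode keystream (SHA-256 stand-in, NOT the real WPA2 cipher).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    # Hypothetical model of a client's key installation and packet counter.
    def __init__(self, key: bytes, reinstall_on_retransmit: bool):
        self.key, self.nonce, self.installed = key, 0, False
        self.reinstall_on_retransmit = reinstall_on_retransmit

    def on_message3(self) -> None:
        if self.installed and not self.reinstall_on_retransmit:
            return                            # patched: key already in use, keep the counter
        self.installed, self.nonce = True, 0  # (re)install key, counter back to 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run_session(reinstall_on_retransmit: bool):
    client = Client(b"constructed-session-key", reinstall_on_retransmit)
    client.on_message3()
    n1, c1 = client.send(P1)
    client.on_message3()                      # message 3 arrives a second time
    n2, c2 = client.send(P2)
    return n1, c1, n2, c2

def recover_second(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # c1 ^ c2 == p1 ^ p2 when both used the same keystream, so p2 = c1 ^ c2 ^ p1.
    return xor(xor(c1, c2), known_p1)

if __name__ == "__main__":
    for mode in (True, False):
        n1, c1, n2, c2 = run_session(mode)
        print("reinstall on retransmit:", mode, "| nonce reused:", n1 == n2,
              "| recovered:", recover_second(c1, c2, P1))
```

A repeated nonce under the same key (`n1 == n2`) is also the condition a monitor can check for without knowing any plaintext.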