A worst-case scenario has unfolded today for Wi-Fi devices. Researchers at a university in Belgium discovered a way to completely defeat the encryption that WPA2 provides on Wi-Fi networks.
This affects all modern Wi-Fi equipment, from mobile phones to tablets to workstations, routers, printers and more. This is a big deal and has very widespread security implications.
Wordfence has released a public service announcement about this issue (a PSA) due to its wide impact. We provide a description of what the problem is and what to do about it, along with additional resources.
This affects every device you own that uses Wi-Fi. If your device uses public Wi-Fi, you are at higher risk. The vendors that make your products are working on patches which they will release in the coming days. As they release the patches, you will need to update your devices and hardware.
The good news is that this vulnerability does not require you to replace any hardware. It is fixable through a software update.
The devices and hardware you will need to update, once patches are released, include the following:
-Desktop workstations
-Laptops/notebooks
-Mobile phones
-Tablets and e-readers that use Wi-Fi
-Home and office routers
-Home devices like NEST, Amazon Echo and Google Home
-Printers, both home and office, that use Wi-Fi
-Any other device that uses Wi-Fi
-You should prioritize devices that use public Wi-Fi higher than your other devices. This puts mobile phones and tablets at the top of the list.
Black Monday
Another vulnerability known as “ROCA” was also announced today. This vulnerability involves an attack on public key encryption which may weaken the way we authenticate software when installing it. It affects many other systems that rely on public/private key encryption and signing. Fixing this also requires you to update your devices using vendor-released software updates, so keep an eye out for security updates for your devices and workstations that fix any ROCA-related issues.
The combination of KRACK and ROCA is why we are referring to today as “Black Monday.” These are both severe vulnerabilities, and they emerged on the same day.
It is imperative that we get the word out about these vulnerabilities so that our friends and colleagues can update their devices before they are exploited. Please spread the word.
Meet ROCA, the Exploit Worse Than KRACK That Puts Millions of High-Security Crypto Keys at Risk
KRACK, the famous WiFi exploit, appears to be taking over your Monday? Wait for an even worse security flaw. A crippling vulnerability has put the security of millions of encryption keys at risk, with some of those being used in national identity cards, software signing, and trusted platform modules protecting government and enterprise computers. In yet another wild Monday, researchers have revealed a fatal weakness in a widely used cryptography code library found in chips made by a German company but used by several tech giants, including Google and Microsoft.
Dubbed as ROCA (Return of Coppersmith’s Attack), the vulnerability has been discovered in the generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips. The exploit enables a “practical factorization attack, in which the attacker computes the private part of an RSA key,” the researchers wrote. More importantly, the attack works for all commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012.
While KRACK may have been taking all of the news space, ROCA is an even bigger issue since while KRACK only works for attackers that are within range, ROCA has serious ramifications both in the government and outside. “Imagine a Shadowbrokers-like organization posts just a couple of private keys on the Internet and claims to have used the technique to break many more,” Steel said.
Researchers will share details of ROCA at the ACM CCS conference on November 2.
We're told you'll need somewhere in the region of $30,000 in cloud computing power to crack a 2,048-bit RSA key pair generated by the dodgy Infineon hardware. For 1,024-bit keys, which are generally crap anyway, it is trivial to factorize a vulnerable private key.
“The attack is practical, although it’s unlikely to be cost-effective for large-scale attacks,” Dan Cvrcek of Enigma Bridge told El Reg on Monday. “The current indicative processor times for 1,024 and 2,048 bit keys are 97 vCPU days ($40 to $80) and 51,400 vCPU days ($20,000 to $40,000), respectively.
“Worst hit, at the moment, seems to be ... whole-disk encryption, as well as for securing access to some cloud platforms, but it extends to non-repudiation signatures, email signing, access to VPN and buildings, e-Health cards, and e-IDs."
Cvrcek estimated that Infineon's TPMs are "25 to 30 per cent of TPMs used globally." The flawed Infineon chipset has been integrated into motherboards, laptops including Chromebooks, authentication systems, trusted boot mechanisms, and cryptographic tokens sold by computer and device makers worldwide.
Major vendors including HP, Lenovo and Fujitsu have released software updates and mitigation guidelines.
Microsoft Has Already Fixed the “Fatal” WiFi Exploit And So Have Many Others
Remember, Vanhoef’s research was kept a closely guarded secret to give vendors and companies enough time to work on a patch. At the time of speaking, several have already released a patch to fix this damning flaw. While Google and Apple are yet to bring a patch, Microsoft in a statement wrote that it has already released a security update to address the issue.
The fix needs to be done on all WiFi devices WAP and endpoints. Problem was this has been a flaw for years and most vendors were notified in august about this.
I cannot see most ISP's pushing out a fix on their WiFi routers as quick, months, or even years before it's fixed.
