On Mon, 16 Oct 2017 21:27:30 +0530 "tv.deb...@googlemail.com" <tv.deb...@googlemail.com> wrote:
> On 16/10/2017 21:12, Curt wrote:
> > https://www.krackattacks.com/
> >
> > Our attack is especially catastrophic against version 2.4 and above of
> > wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client
> > will install an all-zero encryption key instead of reinstalling the
> > real key.
> >
> > Uh-oh.
> >
>
> It was addressed in Debian by DSA-3999-1 I think, but will probably
> linger for a long time on routers, phones, appliances and IoT all over
> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
> wireless consumer electronics have its base covered and ripe for cracking...

It's crucial to understand that there's a huge difference in severity between BlueBorne and KRACK: the former "allows attackers to take control of devices", and "does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode" (!) [https://www.armis.com/blueborne/], whereas the latter 'simply' breaks WPA2, and can't really hurt you insofar as you're using secure higher level protocols (ssh, SSL/TLS, HTTPS).

I don't mean to say that KRACK isn't nevertheless a huge problem, but it doesn't seem to be nearly as serious as BlueBorne, and it isn't going to be catastrophic to anyone not treating WiFi as a really secure protocol. E.g., on my home network, I do use WPA, but I still require SSH and so on for internal communication between my local hosts.

Celejar