All modern Wi-Fi routers are threatened

KRACK researchers: "The attack works against all modern protected Wi-Fi networks"
16 October 2017   3134

On Sunday, 15.10.2017, a Wi-Fi security research results were published. This is reported by the Ars Technica. 

What research? 

The research is called KRACK (Key Reinstallation Attacks). The research has been a big secret for weeks ahead of a coordinated disclosure that is scheduled for 8 a.m. Monday, east coast time. US CERT described the KRACK:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
 

US CERT team

What had researchers found? 

According to official website of KRACK, they've discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

Researchers says that if your device supports Wi-Fi, it is most likely affected. They've discovered that: 

  • Android 
  • Linux 
  • Apple 
  • Windows 
  • OpenBSD 
  • MediaTek 
  • Linksys
  • and others.

are in danger. 

Demo

As a proof-of-concept team executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. 

FAQ

KRACK team also released big FAQ list. We are publishing the most interesting.

  • Do we now need WPA3?
    • No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa.
  • Should I change my Wi-Fi password?
    • Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.
  • Is my device vulnerable?
    • Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.
  • Should I temporarily use WEP until my devices are patched?
    • NO! Keep using WPA2.

Learn more at KRACK official website.

Java SE 14 to be Available

Java SE 14 is as a regular support period version for which updates will be released before the next release
18 March 2020   182

After six months of development, Oracle released the Java SE 14 (Java Platform, Standard Edition 14), which uses the OpenJDK open source project as its reference implementation. Java SE 14 maintains backward compatibility with previous releases of the Java platform; all previously written Java projects will work without changes when launched under the new version. Ready-to-install Java SE 14 builds (JDK, JRE, and Server JRE) are prepared for Linux (x86_64), Windows, and macOS. The Java 14 reference implementation developed by the OpenJDK project is fully open under the GPLv2 license with GNU ClassPath exceptions that allow dynamic linking to commercial products.

Java SE 14 is categorized as a regular support period for which updates will be released before the next release. As a branch with a long service life (LTS), you should use Java SE 11, updates for which will be released until 2026. The previous Java 8 LTS branch will be supported until December 2020. The next LTS release is scheduled for September 2021. Recall that since the release of Java 10, the project has switched to a new development process, which implies a shorter cycle of generating new releases. New functionality is now being developed in one constantly updated master branch, in which ready-made changes are included and from which branches are released every six months to stabilize new releases.

These are some of the changes and updates:

  • Added experimental support for pattern matching in the instanceof operator, which allows you to immediately determine the local variable to access the checked value.
  • Experimental support has been added for the new “record” keyword, which provides a compact form for defining classes, avoiding the explicit definition of various low-level methods, such as equals (), hashCode () and toString (), in cases where data is stored only in fields, the behavior of work with which does not change.
  • This declaration will automatically add implementations of the equals (), hashCode (), and toString () methods in addition to the constructor and methods that control the change of data (getter).
  • Standardized and enabled by default is support for a new form of switch statements that does not require a break statement, allows you to combine duplicate labels, and allows use not only in the form of an operator, but also as an expression.
  • The experimental support for text blocks has been expanded - a new form of string literals that allows you to include multiline text data in the source code without using character escaping and preserving the original text formatting in the block
  • The informative value of diagnostics in case of NullPointerException exceptions has been expanded.
  • A preliminary version of the jpackage utility has been implemented, which allows you to create packages for self-contained Java applications.
  • A new memory allocation mechanism has been added to the G1 garbage collector, taking into account the specifics of working on large systems using the NUMA architecture.
  • Added API for tracking on-the-fly JFR events (JDK Flight Recorder), for example, for organizing continuous monitoring.
  • Added the jdk.nio.mapmode module, which offers new modes (READ_ONLY_SYNC, WRITE_ONLY_SYNC) for creating mapped byte buffers (MappedByteBuffer) that reference non-volatile memory (NVM).
  • A preliminary version of the Foreign-Memory Access API has been implemented, which allows Java applications to safely and efficiently access memory areas outside the Java heap by manipulating new abstractions of MemorySegment, MemoryAddress, and MemoryLayout.
  • Ports for Solaris OS and SPARC processors (Solaris / SPARC, Solaris / x64 and Linux / SPARC) declared obsolete with intent to delete.

Get more at the Oracle website.