All modern Wi-Fi routers are threatened

KRACK researchers: "The attack works against all modern protected Wi-Fi networks"
16 October 2017   561

On Sunday, 15.10.2017, a Wi-Fi security research results were published. This is reported by the Ars Technica. 

What research? 

The research is called KRACK (Key Reinstallation Attacks). The research has been a big secret for weeks ahead of a coordinated disclosure that is scheduled for 8 a.m. Monday, east coast time. US CERT described the KRACK:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

US CERT team

What had researchers found? 

According to official website of KRACK, they've discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

Researchers says that if your device supports Wi-Fi, it is most likely affected. They've discovered that: 

  • Android 
  • Linux 
  • Apple 
  • Windows 
  • OpenBSD 
  • MediaTek 
  • Linksys
  • and others.

are in danger. 


As a proof-of-concept team executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. 


KRACK team also released big FAQ list. We are publishing the most interesting.

  • Do we now need WPA3?
    • No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa.
  • Should I change my Wi-Fi password?
    • Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.
  • Is my device vulnerable?
    • Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.
  • Should I temporarily use WEP until my devices are patched?
    • NO! Keep using WPA2.

Learn more at KRACK official website.

What is Web3j?

Small review of lightweight Java and Android library for integration with Ethereum clients
15 December 2017   991

What is webj3?

web3j is a lightweight, highly modular, reactive, type safe Java and Android library for working with Smart Contracts and integrating with clients (nodes) on the Ethereum network:

web3j architecture
Web3j Architecture

This allows you to work with the Ethereum blockchain, without the additional overhead of having to write your own integration code for the platform.

According to the developers, these are the features:

  • Complete implementation of Ethereum's JSON-RPC client API over HTTP and IPC
  • Ethereum wallet support
  • Auto-generation of Java smart contract wrappers to create, deploy, transact with and call smart contracts from native Java code (Solidity and Truffle definition formats supported)
  • Reactive-functional API for working with filters
  • Ethereum Name Service (ENS) support
  • Support for Parity's Personal, and Geth's Personal client APIs
  • Support for Infura, so you don't have to run an Ethereum client yourself
  • Comprehensive integration tests demonstrating a number of the above scenarios
  • Command line tools
  • Android compatible
  • Support for JP Morgan's Quorum via web3j-quorum

It has five runtime dependencies:

  • RxJava for its reactive-functional API
  • OKHttp for HTTP connections
  • Jackson Core for fast JSON serialisation/deserialisation
  • Bouncy Castle (Spongy Castle on Android) for crypto
  • Jnr-unixsocket for *nix IPC (not available on Android)

It also uses JavaPoet for generating smart contract wrappers.

Lear more at GitHub.