Krack Attacks (WiFi WPA2 Vulnerability) - Computerphile
ฝัง
- เผยแพร่เมื่อ 14 พ.ค. 2024
- Secure WiFi is broken - Dr Mike Pound & Dr Steve Bagley on the Krack Attack discovered by researchers in Belgium.
Mike's description of crib dragging relates to Professor Brailsford's discussions of WWII Lorenz cipher cracking:
Fishy Codes: • Fishy Codes: Bletchley...
Zig Zag Decryption: • Zig Zag Decryption - C...
IBM PC: • IBM PC - Computerphile
Password Cracking: • Password Cracking - Co...
The researchers who discovered the vulnerability: bit.ly/C_CrackAttack
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
at last, Philip Seymour Hoffman & Tobey Maguire in the same movie
LOOOOL
This hahaha
More like Counter strike hostage and smart call me carson
Ahahahahah
What a comment 😂
Crossover episode? Can't wait for tournament arc
But is it canon?
AnotherUselessNick No this is filler
did someone say TOURNAMEEENT AAAAAARC
Rykehuss HYYYYYYYYYPE (Rocket starts)
Quim Last n
he krac but he also attac
Stepan Stolyarov but most importantly nonce! 😂
Clap clap
He's got a lot upstairs.....it was an Atic Atac.
Perfect profile pic for it as well
I wish these guys were my professors!
Especially both of them together; discussing
They are for these brief 10 minutes!
Study at Nottingham
the blond guy looks like pulled out directly from a 90s film...
i KNEW you'd have a video for this straight away. I woke up, checked my phone, saw this and thought 'can't wait to see the computerphile video about this. I love your videos
A Computerphile topical video?? Yes please!
A Pound/Bagley crossover?? Yes please!
A yes please chain?? Yes please
Damn that was fast
A little too fast...
Something tells me everybody got a memo before the media and common people.
Considering Windows released an update to patch this before the media published anything, yeah I would say so. It's common place for the tech industry to find out first and have a window to fix it before the news runs with it. Once the news publishes it there is the risk of the attacks becoming more widespread.
It was found by 1 person but his supervisor is added under an honorary authorship.
What about his hypervisor?
The hypervisor was virtually included ;)
oh no you didn't.
KRACK attacks are new and dangerous, but they can be stopped with WiFi encryption provided by PureVPN.
This is a joke right? Advertising like this?
I really enjoy the videos you guys make. been paid to program for 6 years and still enjoy this channel
Fascinating video. Thanks for making this so quickly after the announcement.
Dr. Pound and Dr. Bagley, 2 of my 3 favourite speakers on Computerphile
Excellent summary of the attack! Straight and to-the-point, with helpful tidbits along the way.
You guys are the best! Thank you for all this golden goodness of computerphility.
Every time I see Mark, I know that something interesting is going to happen
This is awesome stuff. I'm glad I found this channel.
After seeing these videos on it, and reading the paper, that attack seems soooo profound! You see exceptionally simple exploits and blatant lack of security in implementations of many things, but it amazes me that a protocol such as this, has such a basic vulnerability that's part of it's standard. Ironically, implementations that disregard the standard are more secure... That's
Well, the systems most at risk are those which tried to patch a vulnerability to a different, less dangerous problem.
Ironically fixing one hole created a much bigger one.
Perhaps not following the spec was intentional though.
If you sense a potential problem with the official implementation you may just choose not to follow the suspect part of the spec.
Tou don't nessesarily need to know exactly what the problem is either.
A vague notion that part of the spec has an issue might be enough to avoid the issue almost accidentally...
I've heard that this vulnerability is not specified in the WPA2 standard, it's just a non-specified part of the WPA2 standard that is most commonly set up in an exploitable way.
If there are two ways to do something, and one of them leads to disaster, some lazy son-of-a-gun will make that one the standard way of doing it.
My Computer Hardware & Networking teacher said it best (though it wasn't about WiFi, it was about disk encryption): The street between the Standard and the Implementation is mostly potholes.
Top 10 anime crossovers..
kek
Mike is OP
just wanted to say this is a great comment
What!?
Don't say you understand Computerphile if you don't even know the lore..
This sounds similar to the way enigma was broken: forcing reuse of the same key sequence points against varied data (suspected) to get the key back. (Especially the crib dragging, as with the weather reports that were expected in some transmissions.) - ?
If only Allan Turing were alive today! He would be in this discussion, I am sure.
Yes, I remember reading about those damn weather reports!
RL
Actually it reminds me of Prof. Brailsford video about the Lorentz machine...
Having seen the film Imitation Game, I did think this sounded somewhat familiar.
I thought WAP2 was supposed to stop traffic and reset the key if more than one TKIP / MIC failure occured within 60 seconds. Wouldn't that limit brute force attacks?
As soon as you introduced Mike into the video I was like 'aye, Mike's here :D, weird seeing two of you in 1 video' love it though!
Mike Pound and Steve Bagley. An exciting day this will be for me.
"it needs the be patched, it'll be patched, and then we can all go back to using wifi". Unless we have an android phone, or use wifi repeater hardware that will never see a firmware update, or etc etc. sigh. :(
ZXGuesser This sadly is true in way too many cases. The amount of smartphones with Marshmallow or lower is staggering.
Thank goodness no-one was ever stupid enough to put wifi in cheap consumer electronics and household appliances that couldn't be patched to fix things like this. Then we'd have really been in trouble...
Selek Somewhat ironically, pre-Marshmallow devices are better off than Marshmallow or newer. This is due to a fix for a prior bug that went in to Android 6, and is what introduced the worst-possible-outcome zero-nonce when enduring KRACK.
Hey, at least this one CAN be patched.
There's an exploit in the USB protocol relating to plug and play that literally cannot be patched because it would break USB.
Leave in exploit, or stop using USB. Those are your options...
Android phones suck. [shots fired]
Theres a bit of a mistake near the end. The brute forcing methods described in this video apply to Windows and MacOS because keys are reused. That means with some amount of known information the attacker can guess the key. wpa_supplicant used on Linux and Android clears its key resulting in a zeroed-key which means no brute forcing is necessarily because now the key is known. While this is what's demonstrated by the security researcher it would be trivial to go a bit further and compare known information to repeated used keys and then guess the key making Windows and MacOS susceptible so to say "on certain operating systems its relatively benign" is incorrect.
Forgery should be possible on any unpatched system that accepts the use of TKIP. So the main other feature of zero-key: forgery is still possible on systems not affected by zero-key like Windows and MacOS. Since both of these OSes happily accept TKIP and most any fairly new router is set to use either TKIP or CCMP (AES) then there is nothing protecting these systems against forgery once keys are guessed.
If I could have a penny for every NONCE that was used _only once_ , I would have the _same_ penny.
Not really. Odds are the very same number has been used but maybe not by you.
richb313 Don't force my hand; I don't want to kill the joke 😒
How many Germans does it take to change the light bulb?
One. Because they are effective and have no sense of humor.
eyyy this comment richer than my self esteem.
Was waiting for your video on this.
Yeah, probably one of those vulnerabilities which many institutions knew about it, was exploiting it for years, and didn't revealed it to anyone.
Wow, it's amazing that this exploit wasn't found earlier!
This is the superhero team up movie I've been waiting for. No Justice League for me.
Ethernet Master Race
*Category 7* .
Extra - shielded and buried underground for least possible chance of emission.
I like the cut of your jib.
Hey Dave, is it you who is vocal on the SDE legends kickstarter?
@@Cleric775 And DON'T FORGET THE LEAD. :D
Ohhh yeah, I was waiting for this
"the belgian university" *giggles* I know belgium is small but we really have a few universities :)
't Is waarschijnlijk de KU Leuven geweest, die chappies zijn niet normaal wanneer het aankomt op cryptografie lijkt het wel
Well done Victor!
I never understand what they're on about but I still watch
Steve, Great show! Sometime could you do a show on Hardware you personally use. Thanks.
I love this channel and I'll be happy if You add subtitles
This video and the comments are gold
Nice, ty for the clearer explanation then yesterdays pdf :D
When they were talking about XORing the results I immediately thought about Prof. B's videos on WWII Lorenz cracking and lo and behold they did mention it in the description. Since no one reads the description I figured I'd post this anyway.
Love the dot matrix printer paper for note taking!! Gold!
Mike's introduction was the best
It could be a totally innocent and genuine thing, but I had captions on and lost it at Mikes first line introduing him as Dr Pound.
Mike!!! The legend!
I'm an electronics and telecom major it would be really great if you can make a playlist of all computer science and security videos from your channel and anyone would just skim through it anytime. I'm currently learning CS and the way you explain things it's really awesome but I always have to find videos related to the same topic like stack heap DS etc... and searching consumes a lot of time. Plz do the needful. Thanks!!
You should’ve put Mike in the thumbnail for the views
They did
JamEngulfer then make it bigger. You barely see it
Only Mike
LordOfRandomStuff I assumed target audience of this channel is a bit better than what your comment implies tbh
LordOfRandomStuff Mike IS in the thumbnail - on the left.
I just saw an article about this and my first thought was, "This would be better explained by Computerphile...".
Great content as always and thanks for sharing. One tiny criticism of something I've noticed on at least a couple of videos: the audio sync is like a couple of seconds late on the scenes showing the working on paper (also see the GANs video for another example)
Thank God for computerphile. I was too lazy to read it...
Good job lads..... exactly how I would have explained it
Name a more iconic duo
the statement "in general its secure until yesterday"😂😂
You know a video is serious when they bring in 2 experts
Finally, a legit arrow in a thumbnail
I reacted to the part where he said it's a theoretical possibility to reach the maximum of a 128 bit number in this situation. I assume then that the starting number is randomized and arbitrary?
It just makes you think how many other exploits are sitting in the code of critical applications and haven't made it into the mainstream to be fixed yet
Professor Brailsford approves of your guessed plaintext attack.
Going to do a video on ROCA aswell?
So basically to patch the problem we need to substitute the resetting of counters used for producing the key-stream, is it? would that be solving the problem or are there some other vulnerabilities in the protocols?
Which is why end to end encryption is so important
This seems pretty possible to mitigate by going "oops start over" and reconnecting from the start of you get a second message 3. Am I missing something?
Thanks for the great explanation gentlemen!
Was this proven after confirmed attacks I've seen videos talking about hand shake attacks for getting WiFi keys.
to fix the vulnerability in Linux make sure to update package wpa_supplicant to version 1 : 2.6-11
I read an entire article and now watched this lovely video but I still don't freaking get it. I am supposed to graduate as an IT engineer next year ! god damn it
So from what I understand this is only able to be done at close range, and only doable during the connection establishment. So if your computer is always on, and always connected to the WiFi, this can't be used against you. Am I correct?
And 5yrs later, we are all still using wpa2.
So is patch gonna be WPA3, just something they'll do with WPA2 or something they'll do on phones or routers?
It sounds like this to be a flaw mainly in the encryption used, itself, rather tha the Wi-Fi standard that used it. Hypethetically, it's still actually secure. It's just that the loopholes mentioned in this video causes the encryption mechanisms to break, thereby making the standard insecure.
The flaw in this standard's more its reliance on its encryption, its ultimate trust, than anything else. If I were the standard's designer, I would've expected something like this to happen, and design the standard accordingly, for it's better wisdom not to rely on chance, but on one's expectency for something like this to happen.
Awsome video
Could you also make a video about ROCA (Return of Coppersmith’s Attack).
So, someone doing an attack needs to be sitting within wifi range from you? Or control a device in such a position?
This can't be done through the internet, right? Because it happens before tcp traffic.
So if message 3 isn't sent the nonce and counter are going to be set back to 0 or whatever starting number but the same key stream is going to be used to encrypt the data?
So, the attacker or the Access Point sends Message3 continually to the client making it reset its encryption counter, which makes all encryption blocks be encrypted by the same random number of strings. So in the end all blocks are encrypted with the same number which provides for ample opportunities for brute forcing that number.
I think I get it :D.
And from what I've read in a review, the WPA2 stander specifies that the client should reset it's counter if it receives Message 3 again. So the krack is in the standard itself.
Worlds have collided.
A Roadie I never thought they were in the same anime universe. Their character designs are so different.
Would a fix for this be as simple as sending a new key with every message 3? Would the firmware updates be feasible?
I don't know if it's you or TH-cam, but I'm only getting HD options (1080p and 1440p). On my regular laptop these don't load properly - I always switch to something lower - so I'm unable to watch this video.
I love your videos guys!") DROP ALL TABLES
Tomas Canevaro '; UPDATE comments SET content = '' WHERE content LIKE '%")%'
Could you guys please do a video explaining Coin Hive, please?
Hé nice, Amiga 1000 in the back :) \0/
What happened to the audio? It sounds muffled with a mild hiss distort
*_...puzzling your description: ►in a key-update-chain, one-use-keys may be used a second time to send the next key, if, ‘co-random’ not-otherwise-recognizable..._*
Forgive me if this is a really dumb question, but I am honestly a bit confused. Does the malicious person trying to intercept data need to be physically close by (i.e. within range of your wifi) to get in and intercept data, or is this the kind of thing that can be done remotely somehow?
Yes
yer but you have access/connection to the wifi/network or are you saying that if group key update is set to zero and every authorised user has a certificate that your unable to capture anything relevant/security breach?, if you have access surely you could spoof a mac address and modify frame size to force packet loss and retransfer or something similar? its when you don't have access thats the hard part for hackers or the easy bit for poeple trying to secure their networks
Computerphile crossover!
Guess that's why he's still got the Mega STe and Amiga 2000 on standby in the background. Good luck hacking _those._
Windows... is safer... well, I lived long enough to hear that. I can die now! ;)
Just about all applications or websites which may contain interesting data already use encryption (https,sftp,ssh) on the application side ,so I don't see why this is such a big deal. Any ideas?
Wow. A crossover episode 😂
Ok, one thing I would really want to know but nobody is very clear about is this; If I patched my home router but still use ios7 devices on my home network and only on my home network are these connection safe, provided I don't go out to use public networks. Would really appreciate, getting some answers.
i fkn love mike
In short.. During WW2 German Enigma failed before it was sending weather info and time at the beginning of the message using the encrypted codes.. If you knew those, you could easily decrypt any message.. Same concept
Win Dias word, it was hella easy to decrypt enigma. u just had to write up an algorithm, translate it into base 5 instructions implemented as physical wiring connections on a high voltage electro-mechanical early prototype computer, then piece of cake from there
It definitely made it easier, but easy is probably saying too much. Also, I think the fact of characters never looping back to themselves was probably a greater vulnerability
Wasn't an attack like this always possible using software like LOIC to disrupt the connection and listen to the new handshake?
no, that captures the handshake for password cracking via rainbow/statistical/brute/hybrid methods
this is a technicality of how tkip works to use counters in increasing encryption complexity
imagine knowing what the psrng would generate as someone tries to log into facebook next for their session key, you could then assume their generated session key and mess with their account without needing to know their password even though its far more complicated than just discovering their password.
Supposing you use a compromised wifi network to connect to a VPN, is the VPN encryption secure or is also compromised?
This isn't the first time a key was broken because someone sent two or more similar messages using the same key. In fact, that was how the Lorenz Machine was broken during WW2.
Do basically you need physical access to the access point I device.
The audio for the marker is desynced at 2:00.
CROSSOVER EVENT!!
But to krack my wifi encription the atacker would still have to be in range of my wifi signal right? so there is a some what low risk situation if I´m in a quiet sub urban area without a lot of strangers where i would most likely notice a black van sitting infront of my house running the engine sometimes to power the battery. I mean i can´t get attacked by someone sitting in London while i´m loging in via wifi in oxford for example right?
thanks. now i feel much safer.
Looks like it's something like the "Zig Zag" video on the same channel which was published years ago...
Great channel but no subtitles,its so sad
question for you guys: the whitepaper of the exploit states that this is an exploit on the actual protocol not the specific implementation. However, I fail to understand why it is so. The AP doesn't receive M4 so it resends M3, that's not modeled on the formal proof of correctness, the AP should start all over again resending M1 like if the previous transaction never happened. Resending M3 until I get M4 sounds like an implementation flaw...
Microsoft has already released a patch for windows.
I dunno. But good question. Another one : do you need to update your Wifi drivers?.
Patches for Linux have been pushed out too. Developers are really on top of this problem!
Exactly; the only one Microsoft wants pilfering your privacy is Microsoft.