This is Bad! Wifi Has Been Compromised!

Stay tuned on this one!

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Ars Technica – Dan Gooden = “An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that’s scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that’s used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it’s resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

A Github page belonging to one of the researchers and a separate placeholder website for the vulnerability used the following tags:

WPA2
KRACK
key reinstallation
security protocols
network security, attacks
nonce reuse
handshake
packet number
initialization vector

Researchers briefed on the vulnerabilities said they are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

The vulnerabilities are scheduled to be formally presented in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 scheduled for November 1 at the ACM Conference on Computer and Communications Security in Dallas. It’s believed that Monday’s disclosure will be made through the site krackattacks.com. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven and imec-DistriNet, Maliheh Shirvanian and Nitesh Saxena of the University of Alabama at Birmingham, Yong Li of Huawei Technologies in Düsseldorf, Germany, and Sven Schäge of Ruhr-Universität Bochum in Germany. The researchers presented this related research in August at the Black Hat Security Conference in Las Vegas.

The vast majority of existing access points aren’t likely to be patched quickly, and some may not be patched at all. If initial reports are accurate that encryption bypass exploits are easy and reliable in the WPA2 protocol, it’s likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it’s possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users’ domain name service.

It wasn’t possible to confirm the details reported in the CERT advisory or to assess the severity at the time this post was going live. If eavesdropping or hijacking scenarios turn out to be easy to pull off, people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fall-back users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully, since many services can’t be trusted to make users more secure. This post will be updated as more information becomes available.”

Now You Can Read a Kindle in the Tub?

If you want to…

Amazon finally makes a waterproof Kindle, after 10 years of Kindles

The Verge – By: Lauren Goode – “Amazon has been selling Kindles for 10 years now, but “waterproof” hasn’t appear on its list of incremental technological advancements until now. The company just announced a new version of its popular e-reader that builds on last year’s Kindle design and now has an IPX8 waterproof rating.

The new Kindle Oasis — the same name as last year’s premium Kindle — has jumped up in size, moving from a 6-inch screen to a 7-inch screen. It has an aluminum back, which gives it a more premium look and feel than the Kindles with soft-touch plastic.

Unlike last year’s Kindle Oasis, which used a magnetic case you attached to the e-reader to extend its battery life, the new Oasis relies entirely on its built-in battery. It has a similar physical design, with one thicker side that tapers down on the other side, for one-handed reading. But Amazon has made a point of saying that it managed to fit in a bigger battery, while keeping the tapered side of the device at 3.4 millimeters.

The resolution of the e-paper display is the same at 300 ppi, but it has a couple extra LED lights now for a brighter, more even-looking display. And it also has ambient light sensors that adjust the brightness as you move from room to room, or from outdoors to indoors. (The earlier Voyage Kindle does this, too.)

There are physical page-turn buttons, plus the touchscreen page-turn option; Amazon says it’s worked on both the hardware and software side of things to make page-turning feel faster.

But the big news with the upgraded Oasis is its waterproofing, a long-requested feature from some Kindle fans. (Yes, last year’s model was called Oasis and wasn’t waterproofed.) The new e-reader has been tested in two meters of water for up to 60 minutes. It’s also been tested in different water environments, like hot tubs, pools, and bubble baths. Amazon declined to say how it waterproofed the Kindle, but since it still has an open USB port for charging, it’s recommending that people stand the Kindle upright after it’s been submerged.

The proof is in the pouring: the Oasis’ waterproofing gets a quick test. Audible fans will be happy, as well: the new Oasis has a built-in Audible app. This doesn’t mean you can listen to Audible from the Kindle itself — it still doesn’t have any speakers — but you can start an audio book from the device and stream it over Bluetooth to a set of headphones or a speaker.

The new Oasis ships at the end of October and is replacing last year’s Oasis, leaving four Kindles total in Amazon’s lineup: the original Kindle ($80), the Kindle Paperwhite ($120), Kindle Voyage ($200), and the Oasis, which starts at $250 for an 8GB model. That’s double the base storage of previous Kindles, which Amazon says is to accommodate the storage of audio books. It also connects over both Wi-Fi and 4G LTE.

Amazon has been notoriously coy when it comes to saying how many units of Kindle it has sold — which was the first piece of hardware Amazon ever made and sold — but Kevin Keith, Amazon’s general manager of devices, said in an interview that sales are still “quite good,” with “tens of millions” sold. He also noted that Kindle is in more countries than any other Amazon device.

‘Kindle’ has indeed become synonymous with ‘e-reader’ over the past decade, but that doesn’t necessarily mean Amazon will enjoy the same kind of Kindle success over the next 10 years. In 2016, data showed that ebook sales were down, while sales of physical books surged. And in 2015, a Pew research report on American device ownership showed that e-reader ownership was down significantly from the year prior. According to non-Amazon data, it seems to have reached its peak in 2011.

But a spokesperson for Amazon said that Kindle is still as ‘relevant as ever,’ pointing out that Kindle sales are up year-over-year globally and that it had its best-selling day ever on Prime Day of this year.

For now, at least, there’s a new Kindle you can drop in the bath, the hot tub, or wherever else you enjoy your ebooks when you need a break from the internet.

Update: This article has been updated to include more context on Kindle sales from Amazon. Also, the price of the new Kindle was reported incorrectly in an earlier version of this article. The story has been updated to reflect that it is listed as $249.99 ($250), not $248.”