Wifi and Millions of High-Security Crypto Keys Are Not Secure
The past couple days we have seen some major security issues that have hit the media outlets.
The main one that many are focused on is the "KRACK"(Key Reinstallation AttaCK) vulnerability in the WPA2 security on most wifi devices. While there are patches already available for some platforms and devices, most vendors are scrambling to get a patch out quickly.
The video below gives more details about the vulnerability.
Here is a list of vendors and their status on the patch:
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
LineageOS: The Android operating system patched the bug in 14.1 builds, the developers confirmed in a tweet.
Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
Microchip: The company has a list of patches available.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud have become available.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users.
This is why it is important to stay updated so when you get the chance, update your systems and devices and stay secure.
Also Another Security Flaw
Around the same time news broke out about the "KRACK" flaw, there was another flaw that dealt with cryptographic encryption keys such as a 2048-bit RSA key.
With a process known as factorization, a properly generated 2048-bit RSA key should take several quadrillion years to be factorized with a regular PC. However, a flaw in a widely used Infineon code library allows factorization to be done within 17 days given the right resources. The flaw lets attackers impersonate key holders and decrypt their data. "The flaw affects only RSA encryption keys, and then only when they were generated on a smartcard or other embedded device that uses the Infineon library."
The factorization can be dramatically accelerated by spreading the load onto multiple computers. While costs and times vary for each vulnerable key, the worst case for a 2048-bit one would require no more than 17 days and $40,300 using a 1,000-instance machine on Amazon Web Service and $76 and 45 minutes to factorize an affected 1024-bit key. On average, it would require half the cost and time to factorize the affected keys. All that's required is passing the public key through an extension of what's known as Coppersmith's Attack.
Estonia's government recognized this flaw and warned that "750,000 digital IDs issued since 2014 were vulnerable to attack." The ID card public key database is being closed to prevent abuse according to Estonian Officials.
You can read the full details here:
Can Blockchain Help With These Types Of Security Issues?
Being that blockchains are databases and proven to have a strong security process, perhaps there are ways to incorporate blockchain technology into the wifi functionality as well as the ID database used for the smartcards mentioned above.
I think it's definitely possible. With the right code and hardware, this could expand the applications of blockchain and lead to more mass adoption. I could be a bit far fetched but this is something to consider.
Conclusion
It's quite alarming to see the recent security issues arise lately. These are ones that are discovered by researchers that go through the proper process to protect our data and help keep us secure but there are many other flaws/vulnerabilities that aren't publically disclosed. The constant cat and mouse game in cybersecurity is an intense obstacle to tackle and maintain. Let's hope we can stay ahead and keep our data secured.
