
Wi-fi security flaw 'puts devices at risk of hacks'

BBC News 2017-10-23 10:07:34
http://www.bbc.com/news/technology-41635516

The wi-fi connections of businesses and homes around the world are at risk, according to researchers who have revealed a major flaw dubbed Krack.


It concerns an authentication system which is widely used to secure wireless connections.

Experts said it could leave "the majority" of connections at risk until they are patched.

The researchers added the attack method was "exceptionally devastating" for Android 6.0 or above and Linux.

A Google spokesperson said: "We're aware of the issue, and we will be patching any affected devices in the coming weeks."

The US Computer Emergency Readiness Team (Cert) has issued a warning on the flaw.

"US-Cert has become aware of several key management vulnerabilities in the four-way handshake of wi-fi protected access II (WPA2) security protocol," it said.

"Most or all correct implementations of the standard will be affected."

Computer security expert from the University of Surrey Prof Alan Woodward said: "This is a flaw in the standard, so potentially there is a high risk to every single wi-fi connection out there, corporate and domestic.

"The risk will depend on a number of factors including the time it takes to launch an attack and whether you need to be connected to the network to launch one, but the paper suggests that an attack is relatively easy to launch.

"It will leave the majority of wi-fi connections at risk until vendors of routers can issue patches."

Industry body the Wi-Fi Alliance said that it was working with providers to issue software updates to patch the flaw.

"This issue can be resolved through straightforward software updates and the wi-fi industry, including major platform providers, has already started deploying patches to wi-fi users.

"Users can expect all their wi-fi devices, whether patched or unpatched, to continue working well together."

It added that there was "no evidence" that the vulnerability had been exploited maliciously.

Tech giant Microsoft said that it had already released a security update.

Security handshake


The vulnerability was discovered by researchers led by Mathy Vanhoef, from the Belgian university KU Leuven.

According to his paper, the issue centres around a system of random number generation known as nonce (a number that can only be used once), which can in fact be reused to allow an attacker to enter a network and snoop on the data being sent in it.

"All protected wi-fi networks use the four-way handshake to generate a fresh session key and so far this 14-year-old handshake has remained free from attacks," he writes in the paper describing Krack (key reinstallation attacks).

"Every wi-fi device is vulnerable to some variants of our attacks. Our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key."

Dr Steven Murdoch from University College, London said there were two mitigating factors to what he agreed was a "huge vulnerability".

"The attacker has to be physically nearby and if there is encryption on the web browser, it is harder to exploit."

More details can be found at this website.

Krack explained

Prof Alan Woodward explained the issue to the BBC.


When any device uses wi-fi to connect to, say, a router it does what is known as a "handshake": it goes through a four-step dialogue, whereby the two devices agree a key to use to secure the data being passed (a "session key").

This attack begins by tricking a victim into reinstalling the live key by replaying a modified version of the original handshake. In doing this a number of important set-up values can be reset which can, for example, render certain elements of the encryption much weaker.

This attack appears to work on all wi-fis tested - prior to the patches currently being issued.

In some it is possible to decrypt and inject data, enabling an attacker to hijack a connection. In others it is even worse as it is possible to forge a connection, which, as the researchers note, is "catastrophic".

Not all routers will be affected but the people this could be most problematic for are the internet service providers who have millions of routers in customers' homes. How will they make sure all of them are secure?
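An added illustration, not part of the BBC article or the researchers' paper: a simplified Python model of the key reinstallation described above, with an unpatched client beside a patched one. The `Client` class, the hash-based toy keystream and the sample frames are constructed for this example and stand in for the real WPA2 ciphers.

```python
import hashlib

P1, P2 = b"frame one: hello", b"frame two: world"  # constructed sample frames

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter); a stand-in, not a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified model of how a client handles handshake message 3 (assumption)."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_message3(self, session_key: bytes) -> None:
        if self.patched and self.key == session_key:
            return              # key already installed: keep the counter running
        self.key = session_key
        self.nonce = 0          # (re)installing the key resets the per-frame nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(patched: bool):
    """Send a frame, receive a replayed message 3, then send another frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    first = client.send(P1)
    client.on_message3(key)     # retransmitted/replayed message 3
    second = client.send(P2)
    return first, second

def nonce_reused(frames) -> bool:
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))

def leaks_plaintext_xor(frames) -> bool:
    """With a repeated keystream, c1 XOR c2 equals p1 XOR p2."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    for patched in (False, True):
        f = run(patched)
        print("patched" if patched else "unpatched", nonce_reused(f), leaks_plaintext_xor(f))
```

In the unpatched model both frames are encrypted with the same nonce, so the keystream cancels out when the two ciphertexts are combined; the patched model keeps counting and the frames stay independent.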
