Update: Security flaw discovered in WPA2 @MicrochipTech @EspressifSystem @cypresssemi

Adafruit 2867

Remember that security flaw in WPA2 all the way back from… yesterday we wrote about? There’s an update to this news specifically for Wi-Fi products at Adafruit –

Here’s what we’ve found for resources so far.

From Microchip – VU#228519 – Wi-Fi Protected Access II (WPA2) Vulnerabilities.
From Espressif – Patches for WiFi Vulnerabilities (CERT VU#228519).
From Cypress (WICED) – nothing so far 10/17/2017 (and nothing in the forums?).
From Raspberry Pi – Forum posts.

We’ll update this as we know more, post any helpful links in the comments.

What is this all about? From KRACKATTACKS.COM (Key Reinstallation Attacks, breaking WPA2 by forcing nonce reuse, Discovered by Mathy Vanhoef of imec-DistriNet, KU Leuven)

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs).

Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

Have an amazing project to share? The Electronics Show and Tell is every Wednesday at 7:30pm ET! To join, head over to YouTube and check out the show’s live chat and our Discord!

Join us every Wednesday night at 8pm ET for Ask an Engineer!

Join over 38,000+ makers on Adafruit’s Discord channels and be part of the community! http://adafru.it/discord

CircuitPython – The easiest way to program microcontrollers – CircuitPython.org

New Products – Adafruit Industries – Makers, hackers, artists, designers and engineers! — New Products 11/15/2024 Featuring Adafruit bq25185 USB / DC / Solar Charger with 3.3V Buck Board! (Video)

Python for Microcontrollers – Adafruit Daily — Python on Microcontrollers Newsletter: A New Arduino MicroPython Package Manager, How-Tos and Much More! #CircuitPython #Python #micropython @ThePSF @Raspberry_Pi

EYE on NPI – Adafruit Daily — EYE on NPI Maxim’s Himalaya uSLIC Step-Down Power Module #EyeOnNPI @maximintegrated @digikey

Adafruit IoT Monthly — The 2024 Recap Issue!

Maker Business – Adafruit Daily — Apple to build another chip at TSMC Arizona

Electronics – Adafruit Daily — SMT Tip – Stop moving around!

Get the only spam-free daily newsletter about wearables, running a "maker business", electronic tips and more! Subscribe at AdafruitDaily.com !

1 Comment

  1. Carter Nelson
    October 18, 2017 at 12:05 pm

    For RPi’s running Raspbian, update is available now. Just run:

    sudo apt-get update
    sudo apt-get upgrade

    Then make sure version of wpasupplicant is upgraded:

    dpkg -s wpasupplicant | grep Version

    should see:

    Version: 2:2.4-1+deb9u1

Sorry, the comment form is closed at this time.

Filed under: wireless — by phillip torrone

Comments (1)