http://www.androidpolice.com/2017/10/16/major-vulnerability-discovered-wpa2-wi-fi-security-protocol-affects-android-pretty-much-everything-else/
Emphasis added.
It's things like this that make me very wary of running an old, unsupported, phone or anything else. I would like to think that it would make companies offer longer periods of support, but, yeah, right.
Cheers,
Scott.
Security researcher Mathy Vanhoef at KU Leuven discovered a critical vulnerability in WPA2, which was published earlier today. According to his report, it is possible to use a Key Reinstallation Attack (KRACK) to decrypt network traffic, thus exposing much of the user's online activity. This is possible because when a device connects to a WPA2 network, a '4-way handshake' occurs where an encryption key is generated. That key is used for all subsequent traffic, but KRACK forces an old key to stay in use.
I recommend going to the source link below if you want the full technical explanation, but in summary, using an existing key opens up users to possible man-in-the-middle attacks. This allows the hacker to see most internet traffic, except data sent over HTTPS. However, KRACK can be used in conjunction with software that disables HTTPS on sites that have not set up HTTPS correctly (as seen in the above video). Many sites and apps will revert to non-secure HTTP when HTTPS is not working, making things worse.
As mentioned above, virtually every device and operating system that uses Wi-Fi is vulnerable to this attack right now. This includes Android, and to rub salt in the wound, another security researcher found that wpa_supplicant (the Wi-Fi client used by Android and most Linux distributions) is even easier to break into due to other issues. According to the report, Android 6.0 and higher is vulnerable.
There is some good news, believe it or not. This can be patched with a simple software update, but only on the client side. In other words, the fix has to be applied to every device you connect to your network, and a router/access point update won't address the problem (unless an access point is running as a client, for example as an extender).
As for Android devices, Google says that anything running the November 6, 2017 security patch level will be protected. That patch hasn't been released yet, and even when it is, it will likely take months to reach major devices. There's no word on when updates for Chrome OS, or for Google's own Wi-Fi routers/access points, will arrive. Information about updates for other access points and devices can be found here.