The Official Internet/Computer Security News Discussion Thread
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
KRACK attack allows other nasties, including connection hijacking and malicious injection.
An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop on Wi-Fi traffic passing between computers and access points.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher, KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
A Github page belonging to one of the researchers and a separate placeholder website for the vulnerability used the following tags:
- WPA2
- KRACK
- key reinstallation
- security protocols
- network security, attacks
- nonce reuse
- handshake
- packet number
- initialization vector
The vulnerabilities are tracked as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.
The vulnerabilities are scheduled to be formally presented in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 scheduled for November 1 at the ACM Conference on Computer and Communications Security in Dallas. It's believed that Monday's disclosure will be made through the site krackattacks.com. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven and imec-DistriNet, Maliheh Shirvanian and Nitesh Saxena of the University of Alabama at Birmingham, Yong Li of Huawei Technologies in Düsseldorf, Germany, and Sven Schäge of Ruhr-Universität Bochum in Germany. The researchers presented this related research in August at the Black Hat Security Conference in Las Vegas.
The vast majority of existing access points aren't likely to be patched quickly, and some may not be patched at all. If initial reports are accurate that encryption bypass exploits are easy and reliable in the WPA2 protocol, it's likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it's possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users' domain name service.
It wasn't possible to confirm the details reported in the CERT advisory or to assess the severity at the time this post was going live. If eavesdropping or hijacking scenarios turn out to be easy to pull off, people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fall-back users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully, since many services can't be trusted to make users more secure. This post will be updated as more information becomes available.
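As an added illustration (not code from the article or from the KRACK researchers), here is a small Python model of the handshake state the advisory describes: a retransmitted Message 3 makes a vulnerable client reinstall its key and reset its packet number, so the same (key, nonce) pair encrypts two frames and the XOR of those ciphertexts equals the XOR of the plaintexts, while the fixed client ignores a Message 3 for a key it has already installed. The keystream, key and frame contents are constructed stand-ins for CCMP's AES-CTR keystream, not real WPA2 cryptography.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed demo values: not a real PTK and not real 802.11 frames.
PTK = hashlib.sha256(b"constructed-demo-pairwise-key").digest()
P1 = b"GET /account HTTP/1.1 cookie=A"
P2 = b"POST /login user=bob pass=x"

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy counter-mode keystream standing in for CCMP's AES-CTR keystream.
    As in CCMP the nonce comes from the packet number (PN), so repeating a
    (key, PN) pair reproduces exactly the same keystream bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Supplicant:
    """Client side of the 4-way handshake, reduced to the state KRACK abuses:
    the installed PTK, the transmit PN and the receive replay counter."""
    patched: bool
    ptk: Optional[bytes] = None
    pn: int = 0       # transmit packet number (nonce component)
    rx_pn: int = 0    # highest PN accepted so far (replay counter)
    nonces_used: List[Tuple[bytes, int]] = field(default_factory=list)

    def receive_msg3(self, ptk: bytes) -> bool:
        """Message 3 triggers PTK installation. A vulnerable client reinstalls
        the key on every retransmission and resets both counters; the fixed
        client installs a given key once and ignores later copies."""
        if self.patched and self.ptk == ptk:
            return False
        self.ptk, self.pn, self.rx_pn = ptk, 0, 0
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.pn += 1
        self.nonces_used.append((self.ptk, self.pn))
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

    def accept_frame(self, pn: int) -> bool:
        """Replay check: a received PN must be higher than any seen before."""
        if pn <= self.rx_pn:
            return False
        self.rx_pn = pn
        return True

def simulate(patched: bool):
    """Handshake completes, one frame is sent, Message 3 arrives a second time
    (the retransmission the CERT advisory describes), a second frame is sent."""
    client = Supplicant(patched=patched)
    client.receive_msg3(PTK)
    pn1, c1 = client.encrypt(P1)
    client.receive_msg3(PTK)          # retransmitted Message 3
    pn2, c2 = client.encrypt(P2)
    return client, (pn1, c1), (pn2, c2)

def nonce_reused(client: Supplicant) -> bool:
    return len(client.nonces_used) != len(set(client.nonces_used))

def keystream_leak(c1: bytes, c2: bytes) -> bool:
    # Under keystream reuse, XOR of ciphertexts equals XOR of plaintexts.
    return xor(c1, c2) == xor(P1, P2)

def replay_accepted(patched: bool) -> bool:
    """Is a frame with an already-seen PN accepted after a retransmitted
    Message 3? Yes for the vulnerable client: its replay counter was reset."""
    client = Supplicant(patched=patched)
    client.receive_msg3(PTK)
    client.accept_frame(1)
    client.receive_msg3(PTK)          # retransmitted Message 3
    return client.accept_frame(1)
```

Running `simulate(False)` and `simulate(True)` side by side shows the only difference is whether the second Message 3 is honoured; everything else about the encryption is identical.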
Patch updates for KRACK:
https://www.bleepingcomputer.com/new...vulnerability/
Win10 computers are protected by the Oct 10 update...
Last edited by nfnsquared; Oct 16, 2017 at 03:37 PM.
https://www.theregister.co.uk/2018/0...u_design_flaw/
'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign
Other OSes will need an update, performance hits loom
It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.
The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.
Last edited by doopstr; Jan 2, 2018 at 09:09 PM.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked; however, we're looking at a ballpark figure of five to 30 per cent slowdown, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.
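An added Python check for the Linux side of this (not from The Register article, the kernel project or Intel): it reads the kernel's own reporting of the Meltdown state together with the `pti` and `pcid`/`invpcid` CPU flags and the `nopti`/`pti=off` boot parameters, and returns a one-line verdict. The cpuinfo, command line and sysfs strings below are constructed samples so the check runs offline; on a live system the real files are read instead.

```python
import re
from typing import Dict, Set

# Constructed sample inputs shaped like the real Linux interfaces: on a live
# system read /proc/cpuinfo, /proc/cmdline and
# /sys/devices/system/cpu/vulnerabilities/meltdown (present since kernel 4.15).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7 (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pcid sse4_2 x2apic invpcid pti
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_MELTDOWN = "Mitigation: PTI"

def parse_cpuinfo(text: str) -> Dict[str, Set[str]]:
    """Return the 'flags' and 'bugs' token sets of the first CPU listed."""
    fields: Dict[str, Set[str]] = {"flags": set(), "bugs": set()}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key in fields and not fields[key]:
            fields[key] = set(value.split())
    return fields

def assess_kpti(cpuinfo: str, cmdline: str, meltdown_sysfs: str) -> Dict[str, object]:
    """Combine the three sources into one status record.
    'pti' in flags means the kernel is running with KPTI; 'cpu_meltdown' in
    bugs means the CPU needs it; 'pcid'/'invpcid' reduce the cost of KPTI;
    'nopti' or 'pti=off' on the command line turns the mitigation off."""
    info = parse_cpuinfo(cpuinfo)
    flags, bugs = info["flags"], info["bugs"]
    status = meltdown_sysfs.strip()
    return {
        "affected": "cpu_meltdown" in bugs,
        "kpti_active": "pti" in flags,
        "pcid_available": "pcid" in flags,
        "invpcid_available": "invpcid" in flags,
        "disabled_by_cmdline": bool(re.search(r"(^|\s)(nopti|pti=off)(\s|$)", cmdline)),
        "mitigated": status.startswith("Mitigation") or status == "Not affected",
        "sysfs_status": status,
    }

def summary(r: Dict[str, object]) -> str:
    """One-line verdict for a fleet inventory or a pre-patch audit."""
    if not r["affected"]:
        return "not affected (no cpu_meltdown bug flag)"
    if r["kpti_active"] and r["mitigated"]:
        cost = "PCID available" if r["pcid_available"] else "no PCID: expect a larger slowdown"
        return "mitigated by KPTI (%s)" % cost
    if r["disabled_by_cmdline"]:
        return "at risk: KPTI disabled on the kernel command line"
    return "at risk: KPTI not active (kernel without KPTI or not yet updated)"

def read_or(path: str, fallback: str) -> str:
    # Fall back to the constructed sample when the file is absent (non-Linux host).
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return fallback

if __name__ == "__main__":
    result = assess_kpti(read_or("/proc/cpuinfo", SAMPLE_CPUINFO),
                         read_or("/proc/cmdline", SAMPLE_CMDLINE),
                         read_or("/sys/devices/system/cpu/vulnerabilities/meltdown", SAMPLE_MELTDOWN))
    print(result["sysfs_status"], "->", summary(result))
```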
Intel denies it's a bug, claims hack affects other chip makers as well:
Intel Says Range of Chips Vulnerable to Hack, Denies `Bug' | IT Pro
https://newsroom.intel.com/news-rele...rity-exploits/
Intel Issues Updates to Protect Systems from Security Exploits
Intel and Its Partners have Made Significant Progress in Deploying Updates as Software Patches and Firmware Updates
SANTA CLARA, Calif., Jan. 4, 2018 — Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
System updates are made available by system manufacturers, operating system providers and others.
Intel will continue to work with its partners and others to address these issues, and Intel appreciates their support and assistance. Intel encourages computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date.

https://www.wsj.com/articles/intel-w...ent-1517157430
Intel Warned Chinese Companies of Chip Flaws Before U.S. Government
Decision to disclose issue to select few customers, including Lenovo and Alibaba, has ripple effects through security and tech industries
Jan. 28, 2018
In initial disclosures about critical security flaws discovered in its processors, Intel Corp. notified a small group of customers, including Chinese technology companies, but left out the U.S. government, according to people familiar with the matter and some of the companies involved.
The decision raises concerns, security researchers said, as it potentially could have allowed information about the chip flaws, dubbed Spectre and Meltdown, to fall into the hands of the Chinese government before being publicly divulged. There is no evidence any information was misused, the researchers said.
Weeks after word of the flaws first surfaced, Intel’s choices about who would receive advance warning continue to ripple through the security and tech industries. The flaws were first identified in June by a member of Google’s Project Zero security team. Intel had planned to make the discovery public on Jan. 9—people working to protect systems from hacks often hold off on announcements while fixes are devised—but sped up its timetable when the news became widely known on Jan. 3, a day after U.K. website the Register wrote about the flaws.
Because the flaws can be leveraged to sneak sensitive data out of the cloud, information about them would be of great interest to any intelligence-gathering agency, said Jake Williams, president of the security company Rendition Infosec LLC and a former National Security Agency employee. In the past, Chinese state-linked hackers have exploited software vulnerabilities to get leverage on their targets or expand surveillance.
It is a “near certainty” Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.
Representatives from China’s ministry in charge of information technology didn’t respond to requests for comment. The country’s foreign ministry has in the past said it is “resolutely opposed” to cyberhacking in any form.
An Intel spokesman declined to identify the companies it briefed before the scheduled Jan. 9 announcement. The company wasn’t able to tell everyone it had planned to, including the U.S. government, because the news was made public earlier than expected, he said.
In the months before the flaws were publicly disclosed, Intel worked on fixes with Alphabet Inc.’s Google unit as well as “key” computer makers and cloud-computing companies, Intel said in an emailed statement to The Wall Street Journal.
An official at the Department of Homeland Security said staffers learned of the chip flaws from the Jan. 3 news reports. The department is often informed of bug discoveries in advance of the public, and it acts as an authoritative source for information on how to address them.
“We certainly would have liked to have been notified of this,” the official said.
The NSA was similarly in the dark, according to Rob Joyce, the White House’s top cybersecurity official. In a message posted Jan. 13 to Twitter, he said the NSA “did not know about these flaws.” A White House spokesman declined to comment further, referring instead to the tweet.
. . . .
The DHS also stumbled with its initial guidance. The agency’s Computer Emergency Response Team first linked to an advisory stating the only way to “fully remove” the flaws was by replacing the chip. CERT now advises users instead to patch their systems.
The DHS should have been looped in early on to help coordinate the flaws’ disclosure, Joyent’s Mr. Cantrill said. “I don’t understand why CERT would not be your first stop,” he said.
The fact that this flaw requires a BIOS update means that this flaw will be exploited for years to come. Many PCs won't even get the BIOS update, and you can only download the update by going to the OEM website and downloading a different update for each PC model. The problem won't go away until PCs are replaced with newer models.
Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix | ZDNet
I haven't experienced (5 different computers), nor have I heard of anyone locally experiencing the random reboots.....
Panera Bread's entire website is down because they created a PR disaster with security researchers who found an open API that would expose customer data. The juicy part of the saga is their security officer was the security officer for Equifax, just before Equifax's massive security breach. They were notified about the vulnerability 8 months ago and did nothing about it.
https://medium.com/@djhoulihan/no-pa...y-bf078027f815
FBI to all router users: Reboot now to neuter Russia's VPNFilter malware
https://www.zdnet.com/article/fbi-to...ilter-malware/
Now the U.S. govt has control of the routers and can monitor its citizens instead of the Russians
Users with infected routers can remove the dangerous Stage 2 and Stage 3 components of VPNFilter by rebooting the device. However, Stage 1 of VPNFilter will persist after a reboot, potentially allowing the attackers to reinfect the compromised routers.
The web address the FBI seized on Wednesday, ToKnowAll[.]com, could have been used to reinstall Stage 2 and Stage 3 malware, but all traffic to this address is now being directed to a server under the FBI's control.
The FBI nonetheless is urging all small office and home router owners to reboot devices even if they were not made by one of the affected vendors. This will help neuter the threat and help the FBI identify infected devices.
The Justice Department said the FBI-controlled server to which infected devices are now communicating with will collect the IP addresses of each device.
Do you not have the router in your premises? This advice only applies to certain routers anyway, and mine isn't on the list.
I probably said that poorly. What I meant was that I have to use my ISP's provided router. I can't buy and install a 3rd-party router. I can log into the thing and set port forwarding or whatever, but that's about all. It's an old Actiontec, so I don't think it's vulnerable.
If you just want to reboot, push the power switch button and unplug power.
Last edited by AZuser; May 30, 2018 at 08:02 AM.
You should be able to use your own router. If it's not on already, you'll need to have Frontier activate (turn on) the ethernet port on your ONT (Optical Network Terminal) and then just run an ethernet cable from the ONT to your router's WAN port instead of using the Coax.
If you just want to reboot, push the power switch button and unplug power.
http://www.youtube.com/watch?v=I3lAX6t_ZsI
Thanks for the heads-up. Can't wait to have Frontier take my house down for days. The last time I called them - to change my phone number - I lost my grandfathered Verizon plan and my bill went up $50/mo.
I'll review this tonight. I currently have the coax cable running to my router. I was under the impression it was an either/or thing, where I would either have to run cat5 to my cable boxes to use cat5 on my router, or use coax for both my router and cable boxes.
Rebooted mine over the weekend. Don't know if my Asus is on the list, but did it anyway.
Accidentally changed one character of the SSID and then couldn't log into a device that throws its own wifi... until I changed the SSID back to the original.
Networking is still troublesome! At least we came a long way from Win95 and manually configuring.
time to reboot I guess! Gonna ruin my 140 day uptime