This is Think Tech Hawaii. Community matters here. Welcome back to the Cyber Underground. I'm Dave Stevens, your host, and here with me today, I'll call him the network guy, Hal, professor at Kapiolani Community College. Today we're going to talk about something that's a failure in our system. After 14 years of faithfully serving us, WPA2, Wi-Fi Protected Access, is now broken, and we don't have a replacement. So let's talk about this with Hal right now. Hal, what do you know?

What do I know? What do you know, man? Thank you very much. This is called KRACK, spelled with a K: Key Reinstallation Attack.

Attack, great.

So it's always been that if you wanted to crack someone's Wi-Fi network password, you had to lurk around and capture that password when it got sent around the network, and then take it and run it through some kind of password cracker. It would take time, going through brute-force or dictionary attacks, trying to guess words until you're able to essentially guess the right password. With key reinstallation attacks, you don't need that anymore. You don't even need the password. You can insert your own encryption key. So you control the encryption; you can decrypt whatever you want.

Let's back this up for a minute for our viewers who don't really know, up to this point, what we're talking about. Well, let's just talk about Wi-Fi routers. They are the central hubs of all Wi-Fi networks, and we all trust them. Our smartphones use them, our laptops use them, all our Internet of Things, all the webcams, everything. They use these Wi-Fi routers, and the Wi-Fi routers usually have some selections for encryption. So they give you some security in your username and password when you log into the Wi-Fi network. And you're usually given, I don't know why these still show up, WEP, the encryption from way back in the 90s. It's still there. That's been broken forever. TKIP, T-K-I-P, is an option, but broken in 2009.
So there are still options out there, and I don't know why, but WPA2 appeared in 2004 and has been around as the standard for all this Wi-Fi for 14 years. I had a marriage that didn't last 14 years. So everything comes to an end eventually. You've got to refresh, and especially with cybersecurity, we tell everybody so many times, over and over again: it's a running game. You've got to keep moving. The moment you're still for too long, someone's going to find out how to get to you, and this is one of them.

Actually, WPA2 is not a bad standard, considering that it held up for 14 years.

Yes, truly. Actually, it's a pretty good track record. Solid.

But it's just inevitable. Sooner or later, with enough people poking at it, you know, you're going to break anything, given enough time and resources. So there was a standard that came up on the IEEE, which does all the standards pretty much for all these electronics. This is a standard that came out in late 2003, implemented in 2004, I believe. And the thing that we're going to be talking about is actually a gap in the actual procedure of executing this standard. Somebody didn't think: what if this thing happens, what do we do now? And a few, like Windows and iOS, actually thought, well, it's not in the standard, but we're going to do something about it anyway. It wasn't a perfect solution, and you can still break it. But at least in Windows and iOS, you're a little safer. But in Linux and Android, which are the smartphones out there, it's really bad. So you're going to tell us about that, right? How we do this and why it's so bad.

Yeah. So if you read the paper, the researchers who discovered this actually kind of stumbled on it. They were looking at the standard, and without getting too technical, there's this handshake that has to occur between the device and the wireless access point where the encryption key is exchanged.
And one of the researchers said, gee, I wonder what happens if I just try to keep refreshing that key over and over. And he found out that you can actually decide what the key will be. You can give it a new key, and it'll be very happy to accept it and start to use your encryption key. Now with encryption, the way that it works, the key is used to scramble the data so that unauthorized people can't read it. Well, if you have the key, guess what? You can read all of the data.

And change it.

And actually, yeah, you could actually insert your own, then change things and change messages and pretty much own the network and do anything, almost anything that you might want to do.

So I'm logging in on my Wi-Fi to my bank, and the bank hasn't set up good security, right? You could, using this attack, get my username and password for my bank account.

I could use this vulnerability to set myself up as a man in the middle. So you think you're talking to your bank's website, and the bank's website thinks that it's talking to you, but you're really both talking to me. So everything is going through me.

So you just pass it on.

You send something to the bank, it comes to me. I look at it. Ooh, that's very interesting. And then I send it out.

Pass it on.

Send it off to the bank. The bank sends a response back. I get it first. I look at it. That's very interesting. And then I send it back to you. And neither side knows that this man in the middle is lurking there, just looking at everything that's passing by.

And the man in the middle, that's a classic attack.

That's a classic attack. Everyone wants to be the man in the middle, because it's a complete stealth attack. If no one knows you're there, you are completely invisible, yet you get everything you want.

And nobody knows they've been attacked, which is the perfect attack.

Yeah, if you can get away with it. So folks, listen to me: you're never going to hear about the best hackers in the world. Just get over it.
The best hackers in the world, you'll never know, because they don't want to be known. That's why they're the best. And that's how they stay the best. They're invisible, and they're going to stay that way until they make a mistake. And they're not going to brag about what they do. So if they're the man in the middle and they're a good hacker, you never know. And that's perfect.

Exactly. The success of the man in the middle is not to let anybody know that... yeah, as soon as you know someone is there, you're going to go, oh, well, I can't do this. I'm going to shut this down. The whole idea is you just lurk there completely unknown, and you can just watch until you see what you're looking for: passwords, or account numbers, or whatever you might want.

Takes a lot of patience.

Yeah, but you can sit, you can collect that whole stream of data.

And then search through the data.

And search for what you're looking for later. And especially in this day of big data, that's what big data is. You accumulate a massive amount of data, and then you go look for little interesting tidbits.

So you could actually do that and use cloud resources to do it, so you wouldn't have to burn your own CPU. You're using the modern world to break what you need to break. So if we're doing a handshake, the handshake is about two devices that previously are unaware of each other. And now I have to make you aware of me: step one. You have to respond, yes, I'm here, and I'm aware of you. And now I'm aware of whatever device I'm trying to contact. This is step two. Step three is where I say, here's a unique number and a little bit more information for you out there in the world. It's some MAC address and a couple of other things, which we won't go into, but it's the unique identifiers from that computer to scramble up the key and make it harder to break the encryption. I send that to you with my unique number and a sequence number, so you know where in the sequence we are in this handshake.
But if somebody intercepts that third step, what happens? What can you do?

Every time you send that message with that same sequence number, I accept that key. So you can keep changing my key. You can tell me, oh, we're going to use this key now. And so we're using your key.

We're using your key. Clearly you can decrypt everything that's being passed.

Right. And the reason this works is because the protocol is set up for things like what we call packet loss. In the real world, no matter where you're sending data, every once in a while a piece of that data gets dropped. And if the other end doesn't respond that it got it, you resend it. So the protocol is expecting a resend because of packet loss. It's just a natural occurrence that happens everywhere. And that's one of those keys that people took advantage of.

Do you think this is more of an exploit of a gap in procedures, or is this an actual hack?

No, it's more just leveraging and taking advantage of the procedure itself. This was thought to be the strength of WPA and WPA2: that unlike WEP... WEP was the old broken protocol that we originally used on Wi-Fi networks.

Wireless Encryption Protocol, WEP, right.

And it was found to be very, very weak. It used a single encryption key for everybody on the network to share.

Oh, the shared secret, but everybody had it, right?

WPA's strength was that every device has its own encryption key. So even if we're on the same network, we shouldn't be able to see each other's data.

Theoretically, yeah.

And these keys are refreshed periodically. You don't keep the same key forever.

That's what that unique number is. What would they call it, a nonce?

The refresh is exactly what you're talking about, where that message gets sent: okay, we're going to use this key now. And the wireless device accepts it because, oh yeah, this is what I'm supposed to do. WPA refreshes the key periodically because that's thought to be more secure.

And because you broke in, you know the sequence number.
So it knows: oh, this is step three again. And if you've broken that far in, you know what they call a number once, or a nonce, which is actually what they call an initialization vector or a salt. A unique number that you add to the key of an algorithm to uniquely encrypt data for just that session. So we're talking about session keys. And a session is just as long as we're talking to each other. And the session can end after a length of time, or if I go away and break the session. And that's when that refresh can occur. So we're always looking for that refresh. But if I know that nonce or initialization vector, the reuse of the same salt in that encryption algorithm is the weakness. We leave what's called Easter eggs. You can see what's going on in there and break that using cryptanalysis. So, but this is so easy. And the tools came out almost as quick. And I'm not going to tell you what the tools are, so I'm not going to be held liable.

No, no, no, we're not going there.

But this is just kind of pointed, and nobody's really done anything about it. I've... okay, tell me if you know. Cisco seems to have patched several devices already.

Yeah. And I think one of the Unixes, I think maybe it was BSD Unix or something, had patched it. But the others, I'm sure, are working feverishly.

Feverishly. No, no, yeah. Now, this patch isn't for the access points. It's for the wireless devices. Every single wireless device, every phone, every tablet, every laptop is going to need to be updated. Because otherwise we remain vulnerable to this type of attack.

It's amazing that every single device that we depend on right now for modern life is affected by this exploit, for lack of a better word. This KRACK is going to kill everybody if you don't watch out. How do we defend?

We're all hooked on KRACK.

We're all hooked on KRACK. Oh my God. Well, I knew that was going to happen eventually. But with this, how do we protect ourselves?
And we've only got a couple of minutes before the commercials. So let's entice people to come back after the commercial. We'll ramp up to this. So we're going to talk about ways to protect ourselves, even if this is out there and can break our encryption, the WPA2. But before we talk about that, let's talk about some things you can do as soon as it comes out. If there's a patch, like an update for macOS, an update for Windows, an update for your Android phone, and it says this is the patch for WPA2, do it. It's really, really important that you do this. If you don't, this could happen to you.

Exactly, exactly. And so you should be asking for these patches. I mean, hopefully every operating system is working on it. How's your vendor, right?

I don't... you know, you can see I'm a Mac user. I use Apple devices. Apple has not fixed this yet. They said it was going to be, and I quote, a couple of weeks. And I thought, that's kind of leisurely, considering how many things depend on wireless protocols right now.

That's bad. iPad, iPhone, iPod. How many iPhones are out there? Oh my lord, right? And they just put out a new one. So they've got to patch that already. Okay, let's go to commercial. Let's entice people. We're going to tell you about the ways you can protect yourself from this KRACK attack when we come back after this commercial. We've got to pay some bills. So be right back. Stay safe.

Hello, I'm Helen Dora Hayden, the host of Voice of the Veteran, seen here live every Thursday afternoon at 1 p.m. on Think Tech Hawaii. As a fellow veteran and veterans advocate with over 23 years' experience serving veterans, active duty and family members, I hope to educate everyone on benefits and accessibility services by inviting professionals in the field to appear on the show. In addition, I plan on inviting guest veterans to talk about their concerns and possibly offer solutions.
As we navigate and work together through issues, we can all benefit. Please join me every Thursday at 1 p.m. for the Voice of the Veteran. Aloha.

Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea comes on every other Monday at 11 a.m. Please join us. I like to bring in guests that talk about all types of things that come across the sea to Hawaii: not just law, but love, people, ideas, history. Please join us for Law Across the Sea. Aloha.

Welcome back. Hope you enjoyed the commercial. Now we're going to go into some safety protocols, but just to warm you up, this is the WPA2 KRACK, spelled with a K, and it's a break in the encryption protocol that allows people to reset the encryption key and play man in the middle and get all your data, replay your data, and even change your data, so they can fool people into believing that the hacker is actually you. Very dangerous. Every Wi-Fi system out there right now uses WPA2, in both personal and enterprise editions. Hal's with me here. Hal, the network guy.

Network guy today.

Let's talk about, just to warm people up again, what we were talking about: what's almost safe and what really isn't safe. When we talk about the way WPA2 is implemented, that is the problem, because the actual WPA2 is a good process, but if you implement it incorrectly, there's this egregious error. Now Windows and iOS, that's from Mac, they implemented this standard, WPA2, but they varied from the standard in that they said, well, in this certain step where this exploit happens, we're going to do it a different way. And because they did it a different way, they're more secure than Linux, unfortunately. A little bit more secure. And of course, Android. And Linux and Android are wide open to this because of?

It makes sense, because with open source, they're going to follow the standards meticulously.

Oh, that's true. They follow the standards.
And so they got, unfortunately, the biggest exposure to this, because the standard itself is broken. So on Linux-based devices, Android-based devices, this can be used to set your encryption key to zero. Just basically zero it out.

Something tells me that wouldn't actually be an encryption key, because when you multiply by zero, you get zero.

Yeah, so you basically get zero for an encryption key. So it's basically disabled. You just nulled it out.

It's void, right? That just doesn't sound like a good solution at all. So now I've got to look at all my Linux machines. Now I've got to look for this fix. And for Android, especially version six and beyond, Linux and Android in those versions were using, what do they call it, wpa_supplicant, which I had not heard of until just this morning.

Yeah, it's a library, right? It's just one of the code libraries that helps them work with this.

Yeah. And 2.4 and beyond was the version of this supplicant that needs to be upgraded. So if you're looking for an upgrade for Linux and your Android phone, wpa_supplicant 2.4 or greater is affected. So you need to upgrade whatever you had to something they're coming out with to fix it. And that sounds so weird. Such a weird word, supplicant. We should probably explain that.

In the terms of WPA, in this four-way handshake, supplicant is what the wireless device is called when it's contacting the access point, setting up the encryption and setting up the network.

The other party in the handshake.

Yeah. It's not a Game of Thrones thing. It's the supplicant and the authenticator.

Right. The access point is the authenticator, and the wireless device is the supplicant. So we've got to talk about how to protect ourselves now. And VPN is a big topic that everyone's going on about right now.
The good news is that if you're using some additional type of encryption, if you're not just relying on the wireless network's encryption, then you would certainly be much, much better off. You'd be fairly safe. So as long as you make sure that the websites that you're connecting to use strong SSL-based encryption, then you should be okay.

So for people out there listening, that means you're looking for HTTPS in the URL in your browser. HTTPS as opposed to HTTP.

Right. And they use Secure Sockets Layer, or SSL. And they also add a kind of addition to that, TLS, or Transport Layer Security 1.2, which is the latest. And that adds even more security, like new algorithms like AES and stuff like that. So you can do that and encrypt the data going back and forth. So even if they break this and reset your key, the data that's between the two people, you and that site, is still encrypted.

This encryption, the SSL encryption, is at a whole different layer. It's at a much higher layer. The encryption that's being broken is at the network level. It's at a very low level. The SSL encryption is at a much higher layer. So it will still offer you some protection even if the network-level encryption turns out to be broken. And usually, if you're using an HTTPS site, there's some kind of a lock or some kind of icon that will appear in the browser to tell you that yes, this is a secure connection, as opposed to just being wide open, plain.

And there's one in the middle too. You can get the green lock, or whatever the indicator is. There are different ones. And the red one says no, the security's invalid. But there's an in-between, which you can get a lot of times. A yellow one. The one with the little yellow triangle, which usually indicates something really simple, like the pictures are coming from another folder on the website. It's not in the secured zone of the website, but they're putting it on your web page. But those pictures are not actually encrypted.
Everything else, the packets you're getting, is encrypted. So it's better than nothing. You're not going to kill yourself with it. It helps.

Even better than that would be to use a virtual private network. If you're using a virtual private network, then you've got complete end-to-end encryption of your data. And again, this is at a much higher level. So even if the network-level encryption is vulnerable, you'll still have a layer of protection if you're using a VPN.

Tell me if you agree with me on this one. If I need to use a VPN, I need to know who I can trust. Because if I'm going to that VPN, and from there I go to all my other sites, everything I do is going through that VPN provider. And that VPN theoretically could see everything I'm doing.

Just like an attacker. It's the trust model. In every trust model, you have to trust the highest authority. It's like the certificate authorities. If you don't trust them, then none of the certificates they issue can be trusted. At some point, you have to just trust whoever's at the top of that chain. So what I would recommend is do some research, do some googling. I found a lot of sites out there that will rate different VPN providers and list the advantages and disadvantages of each one. Look for one that gets really good reviews, that people have been using for a long time and trust and are happy with. And you may have to pay a little bit of a subscription fee to get into a good one. But you usually get what you pay for. And if it saves you from having identity theft in your bank account, it's well worth a small subscription fee.

Yeah, really, five bucks a month, or whatever they charge. I think Norden has one. The ones that I wouldn't trust: anything by Equifax. If they came out with a VPN, I think I might rethink that. Unfortunately, some of the organizations in my federal government, I think it's just a virtual network. There's no privacy.
And by the way, folks, if you haven't already gone there and locked them, freeze your credit records at all three of the major credit organizations. Go through that process. It might cost you a couple of dollars. However, it's going to be tremendously beneficial in the long run, not to have your identity stolen. You just want to keep yourself safe. So go freeze your credit records. And then when you go to websites, look for the HTTPS. Is that lock there? When you see that green lock, or whatever your browser says that's a good certificate, you can use that site. If you don't see that lock, by no means put any valuable information into a browser at that point. You don't want your records in there; you don't want a username and password. And I've seen this on a lot of websites. Unfortunately, there's a lag in knowledge about this stuff with web developers. So when they make login pages, I've actually seen login pages to a website over HTTP. You're entering your username and password, and when you click submit, then you go to the secure site. But in the meantime, anybody using Wireshark, sitting at Starbucks with you, they're going to know your username and password, because you just put that in the open. And that's a poor implementation. So when you go to log into whatever site you're going to log into, like Amazon or maybe your bank, make sure that when you're entering your credentials, at that time, before you click submit, you have HTTPS at the top. Look for that first. Look for that green lock before you even put in your username and password.

Really good advice. I write the emails, then I put in who I'm going to send it to, so I don't click send before it's...

Accidentally.

Accidentally, because I've done that. Oh, I shouldn't have done that.

Oh, that's bad.

I've actually CC'd some people that I shouldn't have CC'd. It's pretty bad. By the way, email is also not encrypted.

Yes, email is not secure.

Wide open. So be careful what you put in.
There's an organization here in the islands that encrypts emails. Paubox, P-A-U-Box. And it's going national. They're a really great provider. And I think I'm going to be signing up with them pretty soon. And it's relatively inexpensive. And it's one of those things, like a VPN, it's well worth it. Now you and I, we work for UH, the University of Hawaii, so we get the VPN for free. There are some benefits to being a teacher. It's kind of cool. But other people have to pay for this stuff. And you just have to make your own decision. Like you said, it's a trust model. Who do you trust?

And speaking of trust, let's take a quick tour into the Netherlands really quick. You just came up with a story that they took a very close look at Windows 10. And we knew this was happening over here, but they're really mad about it. The Dutch Protection Authority, the DPA (the DPA actually exists), took a look at Windows and found that they were, of course, collecting data and shipping it off to Windows. And Windows, I think, uses this to make itself better. That's what they say: we're making this a better system. But the laws in the Netherlands say you have to tell the user what their data is being used for, and you have to give them an option not to send that data. And they're doing neither one of those. And so the Dutch Protection Authority is saying either you change or you're not going to do business in this country. And the new rules throughout Europe are coming out very soon, to be strictly enforced, and include provisions that are very much like this one.

But we in this country signed on to the Patriot Act in 2002. And I advise everyone, go read that. I know it's legislation. It's hard to read. But if you read that, you would not have been surprised by what Verizon was doing that Snowden told us they were doing. You would have just said, yeah, I know, that was law. Most of those provisions, by the way, expired. We were talking about that. But some of them didn't.
So they're still out there. So our data can be collected without our consent in this country, which is kind of a scary thing. And in some cases, it has to be. It's not just that it can be. Those telecom companies are required to collect that information. And then it could be gone through at any time.

Your tax dollars at work, ladies and gentlemen. And more good news from the Cyber Underground. Thanks for tuning in. See you next week. Until then, stay safe.