If you think the KRAK attack on Android, or any device, isn’t a big deal you’re full of crap

Unfortunately there’s a lot of android devices out there that won’t be getting the update for the WPA2 vulnerability labeled KRAK. This…

Unfortunately there’s a lot of android devices out there that won’t be getting the update for the WPA2 vulnerability labeled KRAK. This vulnerability is accomplished by forcing reuse of nonce, you should read up on it because it’s really simple XORing. Unfortunately, I’ve been seeing a lot of Android users, journalists, and devs saying this isn’t a big deal… they’re full of crap. They’re either miss understanding what the problem is or they have no experience in security and is spreading dangerous statements.

These people that don’t think this is a big deal seem to be saying it’s not a big deal because an attacker can’t see your WiFi password, there’s HTTPS everywhere, and you’re not a target…

First, they can’t see your WiFi password… that’s nice, but they can see and alter network traffic. They can also see traffic on your local network and they’re almost as dangerous as if they were plugged into our network. They bypassed the password… still sounds pretty bad.

Second, what?? Yes, there’s lots of sites that offer HTTPS, but there’s something called HTTPS stripping. There’s still a lot of servers out there that offers HTTP access to their site and lots that don’t do HSTS. Not convinced? Well, what if they just did what a smart attacker would do and just spoof DNS and point you to a fake site. There, now you just login to the fake site and they check the real site to see if it’s valid credentials… boom, they got you. They could focus on banking sites and use scripts in the background to test if the login information works.

Lastly, they seem to be saying you don’t have to worry because no one is targeting you… that’s such bull. This attack isn’t a targeted attack, they can be sitting in an apartment complex and attack who ever they want. They could drive by your neighborhoods looking for people… why wouldn’t they when they can spoof bank sites and make out with lots of money, they attack looks that easy. Seems some people don’t know what counts as targeted attacks… it’s when the nature of the exploit isn’t this easy… FYI.