News

KRACK Vulnerability Threats Millions of Amazon Echo and Kindle Devices

Millions of 1st generation Amazon Echo smartphones and 8th generation Amazon Kindle e-books have been affected by two dangerous vulnerabilities (CVE-2017-13077 and CVE-2017-13078) that allow for attacks with key reinstallation (Key Reinstallation Attack, KRACK).

KRACK is a replay attack on any Wi-Fi network with WPA2 encryption. All secure Wi-Fi networks use a 4-step “handshake” scheme to generate a cryptographic key.

The attacker forces the victim to reinstall the already used cryptographic key in the third stage of the 4-stage “handshake”. By using the AES-CCMP stream cipher in WPA2, reinstalling the key greatly weakens encryption.

“An adversary could trick a victim device into reinitializing the pair-wise key used in the current session (this is not the Wi-Fi password) by crafting and replaying cryptographic handshake messages. By exploiting this flaw, an attacker is able to gradually reconstruct the encryption XOR stream and then sniff the victim’s network traffic”, — describe attack in ESET company.

Exploiting vulnerabilities allows an attacker to carry out DoS attacks, decrypt any data transmitted by the victim, fake data packets, forcing the device to reject packets or even introduce new ones, as well as intercept confidential information such as passwords or temporary cookies.

“1st Generation and 8th Generation Kindle devices were vulnerable to two KRACK vulnerabilities. We were able to repeat reinstalling the pair encryption key (PTK-TK) with a four-way handshake (CVE-2017-13077) and reinstalling the group key (GTK) with a four-way handshake (CVE-2017-13078)”,- said the ESET researchers.

It should be noted that KRACK attacks, like any other attack on a Wi-Fi network, require close proximity in order to be effective. This means that the devices of the attacker and the victim must be in the coverage area of one Wi-Fi radio network in order for the compromise to take place.

Attacks on Amazon devices and, presumably, on other devices are also unlikely to significantly affect the security of information transmitted over the network. This is due to the fact that most of the confidential data is protected by additional security measures that exceed standard WPA/WPA2 encryption.

Read also: Attackers exploited a 0-day iTunes vulnerability to spread ransomware

ESET researchers reported Amazon vulnerabilities back on October 23, 2018. On January 8, 2019, Amazon confirmed the vulnerabilities and prepared the necessary patches. To fix the problem, the company introduced a new version of wpa_supplicant – a small program that manages the wireless protocols on the device.

Most users today have most likely already installed this patch, however, researchers recommend that device owners check to see if they are using the latest firmware.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Tutselrapt.com Pop-up Ads

About Tutselrapt.com Tutselrapt.com pop-ups can not open out of nowhere. If you have clicked some…

18 hours ago

Remove Ovliveme.com Pop-up Ads

About Ovliveme.com Ovliveme.com pop-ups can not introduce out of nowhere. If you have actually clicked…

18 hours ago

Remove Yourbrolink3d.com Pop-up Ads

About Yourbrolink3d.com Yourbrolink3d.com pop-ups can not open out of the blue. If you have actually…

6 days ago

Remove News-xyeneho.live Pop-up Ads

About News-xyeneho.live News-xyeneho.live pop-ups can not open out of the blue. If you have actually…

6 days ago

Remove Simplejscdn.com Pop-up Ads

About Simplejscdn.com Simplejscdn.com pop-ups can not open out of the blue. If you have clicked…

6 days ago

Remove Yourbrolink4d.com Pop-up Ads

About Yourbrolink4d.com Yourbrolink4d.com pop-ups can not launch out of nowhere. If you have clicked some…

6 days ago