How the Krack Hack Breaks Wi-Fi Security
- Published: 26 Oct 2017
- To support SciShow and learn more about Brilliant, go to
brilliant.org/Scishow.
After 14 years of going unnoticed, a vulnerability in Wi-Fi security was published last week. It's a serious problem, but it's already in the process of being fixed.
We're conducting a survey of our viewers! If you have time, please give us feedback: www.surveymonkey.com/r/SciSho...
Hosted by: Stefan Chin
----------
Support SciShow by becoming a patron on Patreon: / scishow
----------
Dooblydoo thanks go to the following Patreon supporters: Kevin Bealer, Mark Terrio-Cameron, KatieMarie Magnone, Inerri, D.A. Noe, Charles Southerland, Fatima Iqbal,
سلطان الخليفي, Nicholas Smith, Tim Curwick, Scott Satovsky Jr, Philippe von Bergen, Bella Nash, Chris Peters, Patrick D. Ashmore, Piya Shedden, Charles George
----------
The first 200 to sign up at brilliant.org/scishow will get 20% off their annual subscription.
SciShow did YouTube demonetize this vid??
J Espinola lol that was a fast reply
Ya but I don't want one
Krack is whacked
SciShow I really like how you advertised it at the end
I miss the good ol' days when you only had to worry about krack-heads urinating behind your house. Now they are hacking our Wi-Fi. Krack is one hell of a drug.
Master Therion freaking krackheads man...
Master Therion comment winner!
Master Therion Dude. Honestly, how do you craft such clever comments? Every time I see your icon I know the funny is coming.
Master Therion WHY ARE YOU EVERYWHERE GATHERING LIKES?
Krack is bad, m'kay...
"Hide your kids. Hide your wi-fi." - honestly the ONLY time I have ever laughed at a joke on sci show.
Good job Stefan! .. and whoever wrote that joke.
Stefan wrote that joke. :)
and hide yo husband cause hes hackin everyone out here
its a reference to "The bed intruder song"
I seriously laughed out loud at that. Caught me completely off-guard.
Stefan did a bad job
My smart hairbrush was hacked and now I'm bald.
oh.. that's gonna hurt
don't worry they like the wet look & wearing a hat on the high seas.
That's hairrorism
"HIDE YOUR KIDS HIDE YOUR WI-FI!" XD
The Hole In Dan Miragliottas Sock xD
But should I hide my waifu?
Carlos And your husbando! XD
They can have my kids, just leave my wi fi alone.
I lost it hahahahahaha
They laughed at me when I used an ethernet cable. WHO'S LAUGHING NOW?
i still do whenever i can. it's simply superior.
Agreed. You can't hack hardwire.
How's that Ethernet cable working with your mobile phone?
+Mike Trieu
If they hack my mobile phone, all they will get is save data for mobile games. I hope they're happy with that ^.^
Seriously, don't do banking on your phone.
BeFoRe - Cinematic CS:GO - Trailer Online Uhhh no, SSL was cracked by KRACK! That's why it's scary. People have been stealing cookies before SSL existed, for years!
Spoiler: If you use the internet *at all* you are not 'safe'
Introducing Whole Disk Encryption!
"Krack is wack"
Cornnnnnyyyyyyyyyyyy
"okei we r gud 2 go"
Well, that's kinda far from stealing credit card info. I don't know of any site that asks for a credit card number via plain HTTP, and if there are, I'm gonna laugh in their faces.
depending on the situation there might be leaked root certificates installed on a system that would allow attackers to even mitm https connections which in itself is horrible but usually not a real danger. But now with a big security hole like that there are a lot of potential attack surfaces exposed.
alexander kerbers Modern browsers will say it’s a self signed certificate. Even if that were to happen, websites that use HSTS wouldn’t allow it.
Clayton Allen short version: A self signed certificate COULD be trusted for all network traffic.
Long version: A certificate not signed by a CA (ie, “self”-signed) can still be trusted by the computer if the signer's certificate is installed on the computer (in the root certificate store). Many antivirus programs do this in order to intentionally MITM the traffic from the internet before it reaches the browser, in order to search for malware. If the certificate used for this gets leaked then the computer would trust anyone who has that certificate. (With very few exceptions, due to certificate fingerprinting).
Patrik Kron Yes, except for websites that use HSTS. You’d have to have a certificate with the same fingerprint as the website you are trying to access in order to access it.
if they inject some malware into your computer the most common and easiest way to get your credit card info is installing a keylogger. Once they got that in, it doesn't matter how safe your webpage is. They'll get everything you ever typed anywhere.
Why would you ever need a toaster with wifi?!
Cubinator73 to have a better connection with your toast.
Mine has ethernet
If your devices are more than a couple of years old then chances are no updates are forthcoming.
@BeFoRe - Cinematics CS:GO - Trailer Online i mean, you can always (well, most of the time) install a custom rom that's still being updated
cool, if you do it, get lineage. i have a 4 yr old phone and i got lineage 14.1 on it (which is based off of android 7.1)
backup? :P (so you can restore it with twrp
BeFoRe - Cinematic CS:GO - Trailer Online, id rather not have an old phone with new software. Old iPhones run like absolute garbage, worse actually than Android, on newer iOS versions.
I like it when Stefan gets to show his personality on these videos, it's always hilarious
Hide your kids, Hide your WIFI
and hide yo husband cause hes hackin everyone out here
These ads are really good! Nice job sci show!
Great Video, great work. Keep it up!
The supplicant (client) actually installs the key after receiving Message3 of the 4-way handshake, this is why the key-reinstallation attack is possible. The AP installs key after M4
That was a smooth transition from video content to the sponsored ad, I wouldn't have noticed it were it not for the rest of the ad.
Really enjoyed the 4-way handshake visualization haha!
im actually loving these brilliant ads.
this one and the one with Caitlin were pretty fun
Really like how you blend in the sponsor
I'd love an update on this!!!
Stefan was the perfect person to do this episode. I love it
Really like the way you ad the brilliant.org! I'm interested, thanks!
This is by far the funniest episode of sci show I've ever seen!
*_...mid Dec 2017 my Tablet was 'hacked" in old ITS Building #37 during a workshop on parallel processing-the attack caused several apps to be uninstalled, clearing their data too (backups of class notes were not weekly, but they were distributed and not all lost)... So either this, hack, was rampant, or, there were others..._*
Nice video!
I love every scishow and scishow space videos. They are always fun to watch and interesting!
But is the 4 way handshake done every time or only when you are only initially connecting? How does one hack wifi network without having someone else who knows the key already trying to get in?
I should not have been drinking as you were mentioning the WiFi-enabled toaster at 4:10 :P
this guy is really funny! love the video.
I love the fact that this was a non-existent hack until some smart ass came along. Now he's written a paper on it, every hacker's going to be using it. Thanks a lot.
*Eleventh commandment:* Thou shalt not covet thy neighbor's WiFi.
J.J. Shank even better Thou Shall Publicly Execute Hackers
Finally a popular channel is spreading the word. I was worried.
I’ll give it up, that hide your kids joke got me rollin.
And sadly, waiting for companies like Linksys (Cisco) to fix these security issues with firmware updates can take months, if at all.
For this particular problem there is no need for a router (actually an access point) to be updated if it’s used as a router only. If it’s instead used as a repeater (extends WiFi range) it should be updated. “Krack” is only an issue in client devices (those who connect to WiFi) not in server devices (who transmits WiFi networks).
Bed Intruder reference... Hilarious! :D
"Don't worry companies are working on patches for your device...", yeah right! A significant number of older devices out there will never get a patch and many that do will never have it applied. This problem is not going away soon.
This has been known for years, when I was learning a bit of basic hacking I came across this exploit like 4 years ago.
that moment an assistant in your university gets mentioned :o
So that Brilliant course is like the scene with the door guards in the Labyrinth?
This hack doesn't let you steal credit card numbers (those are always sent over HTTPS). KRACK doesn't even let you do *anything you couldn't already do* on public WiFi networks. It's completely irrelevant to anyone who just uses WiFi to get on the Internet, because public WiFi networks are already insecure anyway (you can perform much more powerful attacks on any open network or any network you know the password to), and we rely on HTTPS for end-to-end security over the internet. HTTPS doesn't add "some" security, it secures communications to a much greater extent than WPA does.
On top of this, no, not all devices are affected. This isn't a core vulnerability in WPA2, but rather a class of bugs affecting parts of WPA2 in different ways across many devices. Some devices are only affected in ways that are even more inconsequential. For example, the vast majority of home access points are not themselves affected, because the problem only affects APs that have a roaming function, which only really exists on large scale WiFi deployments, not standalone APs. iOS devices as of the time the attack was discovered are only affected to a subset of the attack that is quite inconsequential. Recent Android versions are also only affected by a variant of the attack which, although the researchers said was more powerful, in practical situations isn't so at all (the authors of the software involved did a better job of measuring the true impact).
All in all, this bug was blown wildly out of proportion. Yes, we should fix it, but the vast majority of typical users are not affected to any significant extent. If you're a home user, you should only worry if you have network servers on your home network (such as a NAS or similar). If all you do is use the Internet, there's nothing to worry about (that you didn't already have to worry about anyway). And then only slightly, because realistically it's unlikely someone is going to camp out of your home to try to get access to your NAS (and it's not an easy attack to carry out; there are lots of limitations, it's not fire-and-forget-and-get-connected).
Hosted by: ...
OH MY GOD, the host is a GHOST!!!
Moritz Gaßan out of interest how do you do the "ss"(goes to that if capital) sign on android
ß
Qwertyduck hold down the s button should work ß
my boi thanks you
Qwertyduck did it work for you and you're welcome :)
Wait, so how do I patch my toaster? How do I know if my toaster has enough space for the patch? Does a standard USB 2.0 work or do I have to buy a Micro SD card? Help me!
LOL great episode and some good jokes in this one.
3:17-3:23 is like Red Dwarf "they're all dead Dave" mixed with "want some toast?!"
Correction: No! Your credit card data should still be safe even if your wifi is compromised. That is what HTTPS and the hopefully green padlock in the address bar tells you. Your information is safe there.
Don't panic people just update your devices . Windows and iOS owners can relax they are not affected, Linux, OSX and Android owners... install updates. Done. over.
Couldn't they send you to a fake website that mimicked the site you were entering this information on and obtain it that way?
Incorrect. IOS is affected. Patches are in the beta of the next release.
Old Android devices that are not getting manufacturer updates are a problem. An even bigger problem are all those “smart” devices. When are your fridge, your cordless phone base station, your camera, your printer getting an update?
Boredness
Wouldn't the address bar say something different? I always see something like, "Make sure the url says www.webbysite.com before entering your password!" On websites that you type sensitive data in.
Android users - install updates.... Hahahahahahahaha. Not funny -_-
Boredness - no, they couldn't. Part of HTTPS (the green padlock) is something called certificates. Along with the page that the website sends you, they send a certificate that says "This page is from google.com". We use cryptographic methods to ensure that ONLY google.com can generate the certificate. So if anybody tries to send you a fake page, they won't be able to send you that certificate, and the green padlock won't appear.
I hope no one hacks my smart toaster and burns my toast...
This is why the Internet of Things is so terrible; there's a good chance that neither your smart toaster nor your smart fridge will ever be updated, meaning that you will have to use less secure wifi at least for their network
had to like for that "hide ya kids" joke lol
3:26 I love this guy
This is a great video with a fantastic explanation on what Krack is. It lacks that most routers and IoT devices won't get patches and the vulnerability can and likely will be patched by the OS providers. Microsoft has already patched it. Luck they aren't releasing the vuln until they feel it is mostly nullified.
I like the example for Brilliant!
Band names:
0:18 Giant Flaming Hole
1:04 The Four-Way Handshake
The Sci-show team should think about doing a channel just for computer.
In order for the router to need patching, it would have to be a client as well. The bug in the code lies with the client's side. So if you are like the rest of home users using a normal router you don't need to patch it since it is not the one receiving the 3rd message, it's the one who sends it.
“If you feel like finally splurging on that new video game”
*Battlefront 2*
Megaman Battle Network. Appears to be our destined future. I just hope I am around to have my own Navi, or build my own. Just have to keep an eye out for WWW.
Can't decide if I like meme-joke spouting Stefan or the regular Stefan better...
That's been a standard tool of decryption for probably at least two thousand years. ie. getting multiple messages using the same encryption to discover the encryption method.
And this is why you should always have an encrypted VPN connection between your computer and a reputable VPN service when connected to any WiFi, whether the WiFi is secured or not. Even if someone manages to intercept and decrypt your WiFi data, they would still have to decrypt the VPN tunnel in order to actually see anything useful. And with a VPN, even traffic to HTTP sites is encrypted across your connection. (However, this doesn't avoid the fact that an HTTP site does not encrypt its data, so your data could still be at risk if someone specifically targets that site for data theft).
cant believe I'm saying this, but I loved the advertisement at the end
I'm just fine with my old-school non-wifi-connected toaster. All I need from it is to toast my toast in accordance with my preferences. I don't need it to be connected to the wifi in order to adequately, and reliably, perform that function.
Is this the guy that you see when you look up the word *"NERD"* in the encyclopedia? That is him in the picture, isn't it?
I'm teasing of course......great video......thank you for the information.
I suspect the NSA has known about this for a long time, and are pissed that the news got out.
Great video! One correction though: not all hackers are bad. Good guy hacker here.
Whoever narrated the sponsor in the beginning really sounded like JonTron
Would this affect the wired devices on a network as well?
I wore that shirt back in 1965 when I was 12 years old!
The most disturbing thing in this whole video is the existence of wifi toasters
What if you only allow trusted mac addresses on your network? Or can mac addresses be spoofed?
"hide your kids, hide your wifi" is so funny to me just because its such an antiquated joke and on top of that its a pun
That's the coolest guitar pedal I've ever seen.
As far as I remember from Computerphile's video, it affects only Linux-based devices (mostly Android devices), which is still a huge deal - as above 85% of the global market share of smartphones is taken by Android.
I'm glad I run a wired connection.
It is worth noting due to the proximity required - you would need to be sitting right next to your Wi-Fi device - to launch a successful attack. It is an issue and patch it when you can. If you are a business you have more important issues to worry about in your environment.
So that's why my toaster has been asking for my credit card number and mother's maiden name.
Can you do a video about the condition involving sweating blood?
Hey could you guys do one about the ayahuasca plant??!!! Please!!!
My toaster isn't that smart, it burns my toast every time
Is my waifu affected?
FeroxCious unfortunately yes. Please patch her.
Always keep your underage waifu up to date or the fbi will find you
To the van in front of your house comment... I have set up a 35 mile point to point wireless connection. The world record is currently many times more than this. With a cheap $20 yagi and a good hill or lack of obstruction someone could pickup your wireless connection from close to a mile away.
Kracks could also be used for downloaded pc games that require the disk to be inserted in order to play. That was my experience with it as a kid in the early 2000's lol..
They can also strip off the SSL. The krackattack website demo shows as much.
How do companies prevent Krack when the vulnerability is in the WPA2 itself?
They already know about Krack
-SciShow 2017
I make sure to know how all major hacks work so if I ever get sent back in time I can get paid to fix them.
I like this guy. He is a good presenter
"using HTTPS" that's why I press mod+enter in my nice i3wm and type sslstrip and press enter while wireshark is to its left
Who noticed the sketchy van image is mirror tiled?
Smart shoes smart hairbrush smart refrigerator smart toaster... what next, smart oxygen container?
So, how long does it take to break WPA2?
It's been on here less than a minute, how could it possibly already have 2,000 views???
This man is a meme machine
Okay, since when was I living a plot arc from the Battle Network games? Hackers can now take over toasters and BURN YOUR TOAST.
Where'd I put that EnergyChange program...?
I really like this guy.
I hate hackers who try to ruin people's lives by stealing private information. They are despicable people.
Dr. Gearswell and this is why the laws need to be stricter. Maybe we can throw hackers out of copters?
I kind of dislike how they state something like "WPA2 was mathematically proven to be secure" and then something like "But it is not secure now", which makes it sound like a mathematic proof, in general, is not reliable. The mathematically proven part is still secure, the attack is about abusing a fail-safe (the retransmission of packet 3) that is not part of the mathematical description.
Remember kiddos, that Minecraft skin pack isn't worth the chance of getting arrested for stealing credit card info.
Wireless is convenient I used it for about a year but it always made me nervous due to security concerns. I much prefer wired. With mobility devices of course you have no choice but for computers connected to the internet I use wired. I doubt I would ever use a mobility device to do an online purchase.
The segue could have used some additional work though...