This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection. https://twitter.com/vanhoefm/status/919517772123721728
I said assuming they are on the network/do know the password. This is the norm. It's certainly true for public networks (eg cafes)...
-
...but it's likely for any psk network since *every* device has the pw saved in clear & will reveal it if compromised.
-
Keeping passwords in the clear is a much bigger flaw. What did they think hashes are for?
-
You can't use a password that's hashed (without cracking it). Hashing is for pws you need to verify, not ones you need to submit.
-
The right way is pubkey but wpa enterprise with pubkey is too much of a pain for users to set up, for too little benefit.
-
Not sure how that is relevant to this research, though? This is about gaining access without knowing the psk.
-
Right. I'm saying that, for most ordinary real world users, the research does not introduce a threat they didn't already face.
-
It's interesting research but threat is mostly to enterprise users (secret psk or non-psk) mistakenly trusting the network layer.