KRACK (Key Re-installation Attack) WPA2 security flaw now being patched in the latest Android Security Update 2017-11-06

logo-small Last month it was announced that someone had found a severe security flaw in the way WPA2 works which meant an attacker could intercept your passwords and Internet traffic whilst you were blissfully unaware. Perhaps your obsession with cat memes isn’t anything you’re too worried about people knowing, but when passwords can be seen IN PLAIN TEXT even over an SSL (HTTPS) connection – that’s when you start to worry. All the details on the hack were listed here: https://www.krackattacks.com/ and it’s worth a look through the video to see how simple it really is. It’s normal for Google to release security patches on a monthly basis but this month we’re getting 3. The one to note is the 2017-11-06 patch which details of are listed here:
  • Security patches for the KRACK vulnerabilities are provided under the 2017-11-06 security patch level.
The full details of the update are here:

2017-11-06 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-11-06 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerabilityseverity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

System

The most severe vulnerability in this section could enable a proximate attacker to bypass user interaction requirements before joining an unsecured Wi-Fi network.
CVE References Type Severity Updated AOSP versions
CVE-2017-13077 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13078 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13079 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13080 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13081 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13082 A-67737262 EoP High 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13086 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13087 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13088 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
Note: Android partners may also need to obtain fixes from chipset manufacturers where applicable.
I have checked my Galaxy S8 running Oreo beta this morning as as of yet there is no security update available. I will reach out to Samsung for further help. I will update here if I hear back…