Password potentially compromised if changed using web interface before patch about krackattacks HOT 4 CLOSED

In the PoC the MITM attack is performed using a rogue AP which uses ip forwarding to use the rogue AP as an internet proxy.

I may be wrong, but seeing it like this means that the internal network (and intranet resources) isn't available to the attacker (because he cannot access the original AP, he still can blindly provide a fake router login page): therefore the password change cannot be sniffed but rather phished.

I'm happy to be proven wrong though

from krackattacks.

Most Wi-Fi routers allow plain HTTP connections to the administrative page.
Since it is possible with krackattacks to decrypt the wireless traffic, then it is possible that an attacker captured your access (i.e. username/password) to the admin page of the router.

Therefore, in terms of information security, all network traffic is considered potentially compromised until the patch is applied.

from krackattacks.

It's also possible that, with a MITM, the client is then compromised as an attack vector against the network segment(s) and/or router default password.

BTW, [router] devices should ship with randomized default (post-flash) passwords

from krackattacks.

It's possible that the user is being attacked while changing the password. Then the attacker might be able to decrypt the HTTP request configuring the new password. While possible, likely rare in practice. What I wanted to highlight is that updating passwords is not the solution. Instead people should update devices. Though to be really sure (i.e. to defend against the above situation) you can change your password after updating devices.

Interestingly, updating the Wi-Fi password with a vulnerable device actually increases risks! It means the attacker has a new opportunity to try to decrypt the password.

I solved this issue by rewording the last sentence of the answer.

from krackattacks.