WPA2 is the security protocol that protects almost all modern WiFi connections. And it’s broken.
This is particularly worrying because WPA2 is the most secure WiFi security protocol currently available in general use. Unlike in the past, when older WiFi security protocols have been compromised, there is nothing to replace WPA2.
The flaw was publicly announced today following a short period of private briefings designed to give key players in the WiFi technology sector time to respond to the news.
“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on… Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
This is not good.
Your WPA2 Devices Are Vulnerable
The KRACK attack was discovered by security researcher Mathy Vanhoef of imec-DistriNet, KU Leuven. Today’s announcement builds on work Vanhoef first presented (.pdf) at the Black Hat hacker conference in August this year.
Vanhoef is keen to stress that almost all modern WiFi connections are affected, regardless of platform or device:
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. … Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
Kenn White is co-director of the Open Crypto Audit Project (OCAP):
flaw in the 4-way handshake. As I understand it, in many cases, this will be: “Throw your router away and buy a new one.”
— Kenn White (@kennwhite) October 15, 2017
What Is KRACK?
The United States Computer Emergency Readiness Team (US-CERT) is a government agency responsible for analyzing and reducing cyberthreats and vulnerabilities. It has contacted around a hundred concerned organizations in order to issue a warning about the threat. It describes KRACK in the following way:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”
A white paper (.pdf) describes the full technical details of this attack. Unlike other past attacks on WiFi security protocols, KRACK doesn’t target your WiFi passwords. It instead decrypts your actual WiFi data.
This means that just changing your WiFi password is no defense against a KRACK attack.
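Why reinstalling a key exposes data without revealing the password, as an added example (not from the original article or the researchers' code): a toy model in which reinstalling the key already in use resets the packet counter, so two frames are encrypted with the same keystream. The `Client` class, the SHA-256 keystream (a stand-in, not WPA2's real cipher), the helper names and the sample frames are all constructed for illustration.

```python
import hashlib

def keystream(key, nonce, length):
    """Toy per-packet keystream: SHA-256 in counter mode (stand-in, not WPA2's cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Constructed model of a client's transmit state (hypothetical, for illustration)."""
    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key):
        # Patched behaviour: ignore a reinstall of the key already in use,
        # so the packet counter is never reset.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def session_with_replayed_handshake(client, key, first, second):
    """Install key, send a frame, process a replayed handshake message, send again."""
    client.install_key(key)
    n1, c1 = client.send(first)
    client.install_key(key)  # replayed handshake message triggers reinstall
    n2, c2 = client.send(second)
    return (n1, c1), (n2, c2)

def recover_without_key(c1, known_p1, c2):
    """Same keystream on both frames: c1 ^ p1 is the keystream, which decrypts c2."""
    return xor(xor(c1, known_p1), c2)

if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    p1, p2 = b"GET /index.html ", b"password=hunter2"  # constructed frames
    for patched in (False, True):
        (n1, c1), (n2, c2) = session_with_replayed_handshake(Client(patched), key, p1, p2)
        print(patched, n1, n2, recover_without_key(c1, p1, c2) == p2)
```

The password never enters the recovery step: the second frame falls out of the repeated keystream alone, and the patched client, which keeps its counter, gives nothing to recover.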
Is It Time to Panic?
Yes and no. This is a very serious vulnerability, which affects almost every WiFi user. It makes all our data insecure and could be used by malicious actors to launch wide-scale disruptive attacks on online communities.
On the other hand, there are some silver linings:
- Attacks can be carried out only in close proximity to a WiFi network. The fact that remote attacks are not possible will necessarily limit the amount of damage that a malicious entity can do.
- Connections to HTTPS websites remain secure. This almost certainly means sensitive data such as your bank details, online shopping details, and emails are secure.
- Connections protected by a Virtual Private Network (VPN) are secure.
It should also be noted that some devices are affected worse than others:
- Android 6.0 (Marshmallow) and Linux devices are particularly badly affected, as they’re also vulnerable to an additional bug. This results in the encryption key being rewritten to all-zeros, which makes it trivial to hack.
- Windows and iOS devices are the least badly affected because they implement WPA2 in a non-standard way (that, incidentally, violates the 802.11 standard).
- All WPA2 devices are nevertheless vulnerable to some extent. In tests, the researchers didn’t find a single device or software that was entirely immune to KRACK.
- Attention has focused on WPA2 because it has, until now, been considered secure. It is by far the most widely used protocol to secure WiFi connections. It should be noted, however, that the older WPA1 protocol is also vulnerable.
What Should I Do?
Ideally, all manufacturers and developers will patch their products to fix this issue. Given how woeful lifetime support for many products is, however, this scenario is likely a pipe dream. This is especially true of routers and smartphones. It means that the problem is unlikely to be fixed in the near future.
In fact, even if your device has been patched, if it connects to a router that hasn’t also been patched, you remain vulnerable! Fortunately, there are some steps you can take to mitigate the problem.
- Turn off your phone’s WiFi – especially if it is an Android 6.0 device! Use your mobile data allowance instead.
- When entering sensitive information on a website, ensure that a padlock icon is displayed in your URL bar. Please see HTTPS Explained for more details.
- Use a good VPN service, as a VPN protects all data traveling between your device and the VPN server. Please see VPNs for Beginners for a more detailed look at how a VPN protects your data.
- It may sound a little extreme, but if your devices aren’t patched within a reasonable timeframe then you really should consider replacing them with ones that are. This is especially true of your router, as an unpatched router is a threat to the security of all WiFi attached devices.
KRACK is a major security flaw that affects pretty much every internet user. If you only divulge sensitive information over a secure connection, however, then you should be OK. Even better, secure all your data with a good VPN service…