Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable

A serious flaw in the wireless protocol that secures all modern protected Wi-Fi networks has been discovered.

How serious? If your device supports Wi-Fi, it is most likely affected. The attack, dubbed KRACK, is feasible in practice and abuses design or implementation flaws in the Wi-Fi standard itself, not in some specific hardware. The KRACK attack, short for Key Reinstallation Attack, would allow a malicious actor within Wi-Fi range to insert himself into the network and intercept traffic between the device and the router.

This means everyone using WPA2 (the protocol known as Wi-Fi Protected Access 2) could be impacted to some degree.

The impact depends on multiple factors, but it ranges from traffic interception and decryption of encrypted data to injection of malicious traffic.

Android and Linux are especially vulnerable to this attack, as they can be tricked into re-installing an all-zero encryption key, allowing full visibility into the traffic.

The good

  • Attacks can be somewhat mitigated if the traffic is HTTPS.
  • Apple has already patched iOS, macOS, tvOS, and watchOS. Great if your device is current; not so great if it isn’t.
  • Maybe this will finally get outdated routers retired and current ones patched?
  • Attacks are stymied by VPN usage.
  • If you have automatic updates on Windows, a patch has already been pushed, with a caveat. Microsoft still recommends contacting your hardware vendor to see if updated drivers for your wireless adapter are available.
  • Mathy Vanhoef did responsible disclosure and withheld public disclosure until major players could create patches.

The bad

  • Android users, with their fractured landscape and poor patching availability, are at risk, some with no possible solution.
  • Some routers will never receive updated firmware, making them vulnerable forever. Updating the firmware on a router is beyond what the average user feels comfortable doing.
  • While HTTPS can mitigate some attacks, improper implementations on websites are common, and once your traffic is routing through a maliciously controlled “man-in-the-middle” router, you’re vulnerable to other traffic manipulation.
  • Expect KRACK to go from POC to practical deployment at the coffee shop very quickly. Remember Firesheep? WEP wardriving? Someone is bound to make an app that will dramatically lower the difficulty to exploit this.
  • This won’t be fixed fully until the Wi-Fi standard is changed.

What to do about it

  • Run updates on all your devices, systems, and software. If you don’t have automatic updates on your Windows machine, look out for the Microsoft patch, which they issued on October 10.
  • Android users: Keep your eyes peeled for updates from Google, which they said would be available in the coming weeks.
  • If you’ve got Apple products, sit tight for the next software update, which should include patches that the company has created for its beta versions of iOS, watchOS, tvOS, and macOS.
  • See if your router manufacturers have issued updated firmware that addresses this vulnerability and update as soon as possible. If not, you might consider replacing the router.
  • It is important to keep in mind that it’s not only individuals who are impacted by this vulnerability, but also businesses. Any Wi-Fi deployment that uses WPA2 can be exploited. This means organizations should also push updates and be sure remote workers are securing their devices and systems as well.

ABOUT THE AUTHOR

Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.