Wi-Fi Protected Access is a protocol which secures all modern WiFi networks. This month, Belgian researchers Mathy Vanhoef & Frank Piessens of the University of Leuven recently identified serious security flaws in the WiFi standard itself which are cause for concern. This attack, known as KRACK (Key Reinstallation Attack), allows an an attacker within range of your wireless network to read data from your network previously assumed to be encrypted with WPA2. An attacker can capture such sensitive information as credit card numbers, passwords, emails, and all manner of sensitive information thought encrypted via WPA2. With certain wireless configurations it may be possible to recover usernames and passwords, inject malware into wireless traffic and even infect a wireless user.
As I assume you are not a wireless engineer I’ll not go in to extreme detail on this attack. The United States Computer Emergency Readiness Team (US-CERT) describes KRACK best below. If you aren’t familiar – US-CERT is responsible for analyzing and reducing cyber threats, vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
“Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or “KRACK” attacks. “
As KRACK is a weakness in the WiFi standard itself it effects a wide variety of platforms and devices. This includes but is not limited to ALL the computing devices you use on a daily basis such as computers, tablets, smartphones, IoT devices, wireless networking devices (wireless routers, wireless access points, etc. from:
Desktop Computing Devices – Microsoft Windows, MacOS, Linux, BSD, etc.
Mobile (Smartphone/Tablet): Android, IOS, Windows Phone, etc.
Wireless Networking/IoT Devices: Any and all manufacturers.
As this is a flaw in the WiFi standard itself all the vendors will be responsible for making patches available for their devices. Most have been forthcoming with a patch but other vendors are still working on a fix. To find out where your vendor stands you can review this list at US-CERT.
The solution to dealing with this attack is to patch ALL of your devices. As I detailed above many vendors have already issues patches so they should be applied immediately. Remember this patch should be applied to all computing devices, network devices which use the WPA2 protocol. Evolutionary IT customers are already patched for KRACK attack and don’t have to worry. If your vendor is not forthcoming with a patch I encourage you to call/email support and let them know you are expecting a fix for KRACK asap. Vendors in the SOHO networking, IoT and inexpensive mobile computing space are especially slow to patch issues such as this. If you find your vendor is not forthcoming with a patch, consider finding a new manufacturer to do business with.
As always, patch all the things! Stay safe and secure out there!