Everything with WI-FI Has a Newly Discovered Security Flaw
Update your network equipment, including all appliances, such as wireless routers.
A recently discovered vulnerability could allow attackers to intercept sensitive data being transmitted between a Wi-Fi access point and a computer or mobile device, even if that data is encrypted. The flaw, known as KRACK, affects WPA2, a security protocol widely used in most modern Wi-Fi devices.
In some cases, a hacker could exploit KRACK to inject malware such as ransomware into websites, according to KU Leuven’s Mathy Vanhoef, the researcher who discovered the vulnerability. Vanhoef’s findings were reported by tech site Ars Technica early Monday morning.
Here’s an overview of what to know about the vulnerability, and how you can protect your devices.
What is KRACK?
KRACK is an acronym for Key Reinstallation Attack. It involves an attacker reusing a one-time key that’s provided when a client device attempts to join a Wi-Fi network. Doing so could enable the hacker to decrypt information being exchanged between the access point and the client device, which could leave personal details like credit card numbers, messages and passwords exposed, as Vanhoef notes.
Here’s how and why the process and hack can happen, as described on Vanhoef’s website: When a device joins a protected Wi-Fi network, a process known as a four-way handshake takes place. This handshake ensures that the client and access point both have the correct login credentials for the network, and generates a new encryption key for protecting web traffic. That encryption key is installed during step three of the four-way handshake, but the access point will sometimes resend the same key if it believes that message may have been lost or dropped. Vanhoef’s research finds that attackers can essentially force the access point to install the same encryption key, which the intruder can then use to attack the encryption protocol and decrypt data.
Vanhoef warns that any device that supports Wi-Fi is likely affected by KRACK, but that Linux-based devices as well as Android devices running version 6.0 or higher of the Android operating system are especially at risk. At the moment that includes more than 40% of Android devices.
Vanoef demonstrated a proof of concept illustrating how exploitations using the KRACK technique are possible. But on his website, he cautions that he’s “not in a position” to determine whether such attacks are actively being used.
What should I do about it?
To protect yourself from falling victim to a KRACK attack, you should update Wi-Fi devices like smartphones, tablets and laptops as soon as updates become available, Vanhoef says. If possible, users are also advised to update their router’s firmware. Microsoft has already released a security update to address the issue, reports The Verge. The Wi-Fi Alliance, a network of companies that make Wi-Fi devices and define Wi-Fi standards and programs, has said that platform providers have already started deploying patches to address the issue.
Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point (AP), and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available. Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks.
Should I change my Wi-Fi password?
Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. Nevertheless, after updating both your client devices and your router, it’s never a bad idea to change the Wi-Fi password.
I’m using WPA2 with only AES. That’s also vulnerable?
Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack.
Is my device vulnerable?
Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.
What if there are no security updates for my router?
The main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
Should I temporarily use WEP until my devices are patched?
NO! Keep using WPA2.
Will the Wi-Fi standard be updated to address this?
There seems to be an agreement that the Wi-Fi standard should be updated to explicitly prevent attacks. These updates likely will be backwards-compatible with older implementations of WPA2. Time will tell whether and how the standard will be updated.
Is the Wi-Fi Alliance also addressing these vulnerabilities?
For those unfamiliar with Wi-Fi, the Wi-Fi Alliance is an organization which certifies that Wi-Fi devices conform to certain standards of interoperability. Among other things, this assures that Wi-Fi products from different vendors work well together.
The Wi-Fi Alliance has a plan to help remedy the discovered vulnerabilities in WPA2. Summarized, they will:
- Require testing for this vulnerability within their global certification lab network.
- Provide a vulnerability detection tool for use by any Wi-Fi Alliance member (this tool is based on my own detection tool that determines if a device is vulnerable to some of the discovered key reinstallation attacks).
- Broadly communicate details on this vulnerability, including remedies, to device vendors. Additionally, vendors are encouraged to work with their solution providers to rapidly integrate any necessary patches.
- Communicate the importance for users to ensure they have installed the latest recommended security updates from device manufacturers.