Got Krack?

How often do you use WiFi?  For anyone with a smartphone, it’s far simpler to count the time you’re not on WiFi…  Even when not actively surfing the web, your wireless devices are typically still connected to a Wifi access point or router.  The vast majority of us are virtually “plugged in” all the time.

Judging by the title of this article, one may have surmised we’ll be discussing societal addiction to the wireless Internet.  As opposed to relating connectivity with illegal substances, this page highlights a severe vulnerability in the most widely used wireless security protocol; Wi-Fi Protected Access 2 (WPA2).  Security researcher Mathy Vanhoef discovered severe weaknesses in WPA2 using an exploit called key reinstallation attacks, or KRACK for short.

Vanhoef explained on his krackattacks.com website, “The attack works against all modern protected Wi-Fi networks.”  A wireless device connecting to an access point with WPA2 performs a virtual four-way handshake to create a secure channel to the Internet.  The KRACK vulnerability permits a third device to intrude on your private connection in what’s known as a man-in-the-middle attack.  Once positioned between your device and the access point, the hacker may passively eavesdrop or actively send malicious data to vulnerable devices.

Communications protected with its own encryption, including properly configured SSL websites (HTTPS://), cannot be observed.  However, connections to unencrypted websites (HTTP://) are completely vulnerable.  Additionally, improperly configured SSL websites may be vulnerable if an attacker successfully exploits other vulnerabilities in addition to KRACK.  In these circumstances, an attacker is able to see usernames and passwords, entered on a website, in plain text.

By now you must be wondering how to stop the KRACK?  An important caveat for this attack to be successful is that both the device and the wireless access point must be vulnerable.  As the saying goes, “It takes two to tango.”  Only one of the partners, in this case, need be patched against the exploit to stop the hacker’s dance.  Unfortunately, wireless access points and routers are unlikely to be patched even if a patch is available.  Thus, it’s up to WiFi device owners to ensure patches are applied to their devices.

The most susceptible devices use Android operating systems.  Vanhoef shockingly reported, “On phones running Android 6.0 Marshmallow and newer, the KRACK vulnerability can force the Wi-Fi connection to create an absurdly easy-to-crack encryption key of 00:00:00:00:00. With something so simple, it’s easy for an outsider to read all of the traffic coming to and from a client, like a smartphone or a laptop.”  It’s challenging to determine which Android devices have patches available as they are released by the phone vendor (i.e., Samsung) vice Google.  Older Androids will likely never receive a patch, so it’s time to start thinking about buying a replacement.

On a brighter note, Windows and Linux patches were made available in October.  Apple released patches for macOS and iPhone 7 in November with older iPhones reportedly not vulnerable as Apple misimplemented the WPA2 standard.  Sometimes an unplanned error works to your benefit and that was certainly the case in older Apple iPhones.

Moral of this story: Patch today to keep the nasty KRACK away!

Comments

comments