As you can read on basically any news website right now, a Belgian researcher named Mathy Vanhoef led a team which discovered a critical flaw in WPA2 (Wireless Access Protocol 2) - the wireless security protocol used by all modern WiFi networks. The Key Reinstallation AttaCKs (KRACK) are possible due to a vulnerability in the handshake process between clients and the Wireless Access Points (WAPs) that occurs when a client wants to connect.
KRACK allows an attacker to make a client reuse an encryption key which allows the attacker to replay, decrypt and/or forge network packets. Yeah, that may all sound like complicated tech speak but if you understand none of it then I'll put it this way, it's bad.
The United States Computer Emergency Readiness Team posted the following warning:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the WiFi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
So yes, KRACK definitely deserves the response and panic it's receiving as after all, that's probably the best way to get anything done. But I want to take a step back and talk about the real-world impact of it. First of all, we have no way to know if this has or is being used in the wild nor do we know if anyone had discovered it previously. There are however some upsides, for better or for worse, WiFi has a limited range meaning that an attacking device would need to be very close by. This is great because it means that someone (or something) in another part of the world can't go breaking into every WiFi network out there. Also, protocols which are themselves encrypted such as HTTPS, SMTP, IMAP, POP3  and so on are still effectively secure as their encryption isn't affected by this attack.
Basically, there is effectively the same amount of risk as if you were to use a public WiFi network such as one in a coffee shop. Other clients can intercept the packets between you and the WAP and it's trivial to maliciously interfere with them. I don't want to make this sound like a "Oh there's no need to worry" type situation, this vulnerability is serious. Not worrying about this would be like saying "Someone posted a guide online showing how to make a key that can open any lock but I don't need to worry because who cares about me?"
So, what do we do?
It's important to note that not all devices are vulnerable to KRACK though the vast majority are (Android and Linux are affected the most as it's difficult to do anything of interest with KRACK and Windows or iOS devices. This is ironically down to the fact that they don't completely follow the 802.11 standards). Fortunately, this vulnerability doesn't mean that we need to scrap WPA(2) and develop something new. All devices will need an update but there is no need to replace them PROVIDING they get an update. It's worth noting that it's likely insufficient to (only) patch APs as the vulnerability exploits clients.
Now, this is a good time to say something like "uh-oh" because it's likely that a lot of devices won't receive updates (especially older ones or access points in things like cars. Oh! and let's not forget Android stares angrily and phone/tablet manufacturers). One of the biggest reasons devices might not get updated is support. IOT (Internet of Things) devices and ISP supplied routers sadly usually prioritise functionality over security. They often use lenient security configurations to minimize support calls and spend little time and/or effort on security. This all adds up to become quite the problem for users of these devices.
This is a great opportunity to mention Ubiquiti, a company who manufacture amazing SND (Software Defined Networking) products. Their main UniFi line is aimed primarily at business use but they also have the AmpliFi line for home use. Ubiquiti have already released a patch for their products which I installed this morning shortly after the details of KRACK were made public.
- WPA isn't irreversibly broken as some sites are making it appear.
- WiFi is a security headache, it's been breached before and it would make a lot of IT professionals happier if we could do without it but unfortunately you have to sacrifice security for functionality and usability. Lookup WEP and WPS if you want two good examples.
- This vulnerability can be easily mitigated with an update and does not require replacing equipment if an update is released and installed for the device.
- Users of ISP supplied, IOT devices and others may well face difficulties updating as updates may not be released or the devices can't be updated by the user or at all.
- www.krackattacks.com is the official website for this vulnerability.
- Here's a link to the paper which details the vulnerability.
Basically, update but there's no need to stop using WiFi or line your building with foil - well, at least not if you are only considering KRACK...
Short link: on-te.ch/krack
SMTP, IMAP and POP3 don't necessarily use encryption. It depends on how they've been configured though they should and commonly do. ↩︎