What Do We Need to Know About the KRACK Vulnerability in Wi-Fi Networks?
Security and IT teams began their week scrambling to ensure their organizations’ Wi-Fi networks are safe, secured and updated, following the public disclosure of a major vulnerability in the WPA2 protocol that secures all protected Wi-Fi networks.
Early Monday morning, security researchers at KU Leuven Research Group publicly announced that they discovered major vulnerabilities in WPA2.
Wi-Fi Protected Access 2, better known as WPA2, is a protocol that secures all modern protected Wi-Fi networks by encrypting the traffic on them, to protect the information sent across networks. WPA2 has been the world’s most popular Wi-Fi encryption, and the industry’s “secure” password standard since 2004.
KRACK Attacks – The New Security Risk on the Block
Mathy Vanhoef and Frank Piessens discovered a security vulnerability in WPA2 that allows a type of attack called KRACK (short for key reinstallation attacks) that enables attackers within range of a vulnerable device to access information that was believed to be safely encrypted, private and secured.
Vanhoef states that this attack can be used to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos, and other personal data. Vanhoef added that on some network configurations, it’s also possible to inject and manipulate data, for example to insert ransomware or other malware into websites.
The researchers explained that whenever someone joins a Wi-Fi network, a 4-way handshake is executed to produce a fresh encryption key for all subsequent traffic. To guarantee security, a key should be installed and used only once. However, with KRACK, an attacker can trick a victim into reinstalling an already-in-use key.
Researchers stressed that the vulnerabilities were found in the Wi-Fi standard itself, and not in individual products or implementations, meaning that any correct implementation of WPA2 is likely affected. In other words: if your device supports Wi-Fi, it is most likely affected.
The researchers also said that variants of the problem in the WPA standard were found to work on the Android, Linux, Apple, Windows, OpenBSD, MediaTek, and Linksys systems they tested.
Does This Mean All Wi-Fi is Broken?
Following responsible vulnerability disclosure policies, the security researchers who discovered the vulnerability notified specific vendors in July, and a broad notification was distributed in late August. This means that vendors have been working on updates since then, and many have already published them.
Microsoft said in a statement Monday that it has fixed the problem on all supported Windows versions: “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft said the Windows updates released on October 10th protect customers.
Apple also confirmed that the KRACK vulnerabilities were patched in most iOS devices. Cisco and Intel have both issued security updates detailing which of their products are affected, and CERT has created a page detailing all affected vendors and the status of their software updates.
Meanwhile, No KRACKS Found in the Wild
Now for some good news: so far everyone is safe, and the vulnerabilities are considered easy to patch.
According to a statement from the Wi-Fi Alliance, there’s no evidence that KRACK has been used maliciously. The researchers stated that the problem can be fixed: “Implementations can be patched in a backward-compatible manner.” This means WPA doesn’t need to be replaced, and Wi-Fi is not broken forever – devices simply need to be updated.
Everyone agrees that once patches are released, users should make sure they update their systems and firmware.
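The key reinstallation described above, and the kind of backward-compatible fix the researchers refer to, can be seen in a toy model; this is an added example, not code from the researchers or from any vendor's patch. It assumes background the article does not spell out: installing a key resets the client's per-packet counter (nonce), which must never repeat under one key. The `Client` class, its fields and `nonce_reused` are hypothetical names.

```python
# Toy model, constructed for illustration: how a Wi-Fi client handles
# handshake message 3, the message that tells it to install the session key.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    patched: bool
    installed_key: Optional[bytes] = None
    tx_nonce: int = 0  # per-packet counter; must never repeat under one key
    used: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, key: bytes) -> None:
        """Handle message 3, which may be a retransmission of an earlier one."""
        if self.patched and key == self.installed_key:
            return  # fix: this key is already in use, so do not reinstall it
        self.installed_key = key
        self.tx_nonce = 0  # installing a key resets the counter (assumed background)

    def send_frame(self) -> Tuple[bytes, int]:
        """Record the (key, nonce) pair that would protect the next frame."""
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        self.used.append(pair)
        return pair


def nonce_reused(patched: bool) -> bool:
    """Deliver message 3 twice and report whether any (key, nonce) pair repeats."""
    key = bytes(16)  # constructed placeholder, not a real session key
    client = Client(patched=patched)
    client.on_message3(key)  # normal handshake: key installed once
    for _ in range(2):
        client.send_frame()
    client.on_message3(key)  # the same message 3 arrives again mid-session
    for _ in range(2):
        client.send_frame()
    return len(set(client.used)) != len(client.used)


if __name__ == "__main__":
    print("unpatched reuses a nonce:", nonce_reused(False))
    print("patched reuses a nonce:  ", nonce_reused(True))
```

The patched client still accepts the repeated message, so it stays compatible with unpatched access points; it only declines to reset state for a key it is already using.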
Open Protocols Mean More Eyeballs – and More Security
Some experts have been quick to point out the glass-half-full aspect of this serious bug.
Like open source software, open standards can be used across multiple devices and anyone can inspect the code. Hamilton joined Beaumont in commending the research: “In the past, we would have just had black boxes,” Hamilton says. “It would all have been down to a very small number of people working in a dev team for a vendor to get to the bottom of it. With many eyes, bugs often become much smaller or can be mitigated against much more easily.”