Details were released publicly on the morning of Monday 16th October 2017 of a newly-discovered and serious vulnerability in the WPA wireless network security protocol. This exploitable flaw has been dubbed the KRACK Attack (Key Reinstallation Attack).
Essentially, this attack targets the 4-way WPA “handshake”, which is a two-way communication process undertaken each time a Wi-Fi device such as a laptop or phone connects with a Wi-Fi Access Point (such as a Wi-Fi-enabled router). By disrupting this handshake, an attacker can cause the same cryptographic key to be reused repeatedly, allowing for the decryption of information travelling between the Access Point and a connected device.
The KRACK attack targets Wi-Fi clients connecting to Access Points rather than Access Points themselves. Thus, the attack does not retrieve the Access Point’s Wi-Fi password, unlike other Wi-Fi attacks. While periodically changing an Access Point’s password is general good practice, it unfortunately does not mitigate the KRACK Attack in any way. Additionally, updating Wi-Fi connected-device operating systems (such as Android and iOS) should take priority over updating router firmware.
Important Points to Know:
- The KRACK Attack flaw exists within the WPA protocol itself and not in particular hardware or software products
- The KRACK Attack exists in various forms which target different WPA handshakes occurring in different situations
- Android, Linux and OpenBSD devices are especially vulnerable to the KRACK Attack but all operating systems are vulnerable to one form or another of the attack
- Both WPA2 and the older WPA are vulnerable, including personal and enterprise (corporate) WPA/WPA2 networks
What To Do:
Check the websites of the vendors for all of your operating systems (including mobile devices) to determine if a patch to counter the KRACK has been released. If no such patch is currently available, keep a close eye on anything from the vendor which would indicate a timescale for such a patch and ensure that you revisit the website at that time.
Think about disabling WPA/WPA2 Wi-Fi networks if they are not absolutely necessary, until patches become widely-available.
Take the first step towards the next generation of cyber security, contact Hedgehog Cyber security.