A serious flaw in the WPA and WPA2 protocols that protect almost every Wi-Fi network was disclosed yesterday by Mathy Vanhoef, a researcher at KU Leuven. Attackers within range of a network can use it to read data that should have been encrypted – passwords, credit card numbers, emails – or, depending on the configuration, to inject malicious content into websites the victim visits. If you're using an Android device, an attack can be "exceptionally devastating".
Here’s what you need to know.
What Is KRACK?
KRACK stands for Key Reinstallation Attack. In short, it is an attack on the WPA2 protocol itself - the protocol most people currently rely on to encrypt what they send over Wi-Fi - rather than on any one product. It targets the 4-way handshake that every protected WPA2 Wi-Fi network performs when a client joins.
This 'handshake' works like a secret greeting between a client (your smartphone, laptop and so on) and an access point (a modem/router). Both sides prove they hold the same secret derived from the Wi-Fi password, without ever sending the password itself, and in the process they agree on a fresh session key that will encrypt everything sent over the air.
The attack targets the third message of that handshake. An attacker who can replay it tricks the client into reinstalling the session key it is already using, which also resets the packet counter that the encryption uses as a nonce. The same key and nonce are then reused on new packets, and that reuse is what breaks the encryption - hence the name, Key Reinstallation Attack.
To get into position, attackers clone the protected Wi-Fi network on a different channel while forwarding traffic to the real network, so the victim still has a working internet connection, and then use that position to replay the handshake message. The attacker, in Vanhoef's words, "obtains a man-in-the-middle (MitM) position between the victim and the real Wi-Fi network." This does not give the attacker your WPA2 Wi-Fi password, but it does let them decrypt data the client sends to the access point and, depending on the cipher the network uses, inject packets of their own.
Confusing? Definitely - the take home message is that this exploit can affect any device that uses WPA2 protection to encrypt data over a wireless network. That means pretty much every device you use in your daily life.
Fortunately, the attack requires the attacker to be within Wi-Fi range of the victim's device; it cannot be carried out remotely over the internet.
Why Is Android Vulnerable To This Exploit?
Android 6.0 and above is particularly susceptible to KRACK because of a bug in the Wi-Fi client software these versions use to handle WPA2 (wpa_supplicant 2.4 and later, which is also shipped by many Linux distributions).
Vanhoef, who found the flaw, specifically notes that "due to an implementation bug, Android and Linux ... will reinstall an all-zero encryption key [which] makes it trivial to intercept and manipulate all data that is transmitted by these devices." In other words, on these devices the attacker does not even need to recover the keystream from known traffic: after the replayed handshake message the device encrypts with a key of all zeros, which the attacker knows.
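The following script is an added example, not code from Vanhoef or from the wpa_supplicant project, and it serves both the handshake explanation above and the all-zero-key bug just described. It derives a real WPA2 pairwise key (the PMK from passphrase and SSID, then the PTK via the IEEE 802.11i PRF), models a client that accepts a replayed handshake message 3, and shows how the reset packet counter lets an attacker read the next packet. The passphrase, SSID, MAC addresses and packet contents are constructed, and the keystream function is a stand-in for CCMP's AES-CTR so the script runs without an AES library; the "variant" names are this example's own.

```python
import hashlib
import hmac
import os

# Added example, not the researcher's or any vendor's code. PMK derivation,
# PRF-512 and PTK layout follow IEEE 802.11i; keystream() replaces AES-CTR.
# Passphrase, SSID, MAC addresses and packet contents are constructed.

def prf_512(pmk, label, data):
    """802.11i PRF from HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    for i in range(4):  # 4 x 160 bits covers the 512 bits needed
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise key expansion; returns (KCK, KEK, TK), 16 bytes each for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]

def keystream(tk, pn, length):
    """Stand-in for AES-CTR: output depends only on (TK, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Client side of the 4-way handshake, reduced to what KRACK touches.
    variant: "vulnerable" (reinstalls the key on a replayed message 3),
             "zero_key"   (the Android 6+/wpa_supplicant 2.4-2.6 behaviour),
             "patched"    (ignores message 3 once the key is installed)."""

    def __init__(self, pmk, aa, spa, variant):
        self.pmk, self.aa, self.spa, self.variant = pmk, aa, spa, variant
        self.tk, self.pn, self.installed = None, 0, False

    def recv_msg1(self, anonce):
        self.snonce = os.urandom(32)
        self.kck, self.kek, self.tk_pending = derive_ptk(
            self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce  # sent back in message 2 (MIC under KCK omitted)

    def recv_msg3(self):
        """Message 3, or a retransmission of it replayed by the attacker."""
        if self.installed and self.variant == "patched":
            return "ignored"             # never reinstall a key already in use
        self.tk = self.tk_pending
        self.pn = 0                      # (re)install resets the nonce counter
        if self.variant == "zero_key":
            self.tk_pending = bytes(16)  # TK wiped from memory after first install
        was_installed, self.installed = self.installed, True
        return "reinstalled" if was_installed else "installed"

    def send(self, plaintext):
        pn, self.pn = self.pn, self.pn + 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))

def simulate(variant):
    """Run the handshake, replay message 3, then try to read the next packet."""
    pmk = hashlib.pbkdf2_hmac("sha1", b"correct horse battery", b"HomeNet", 4096, 32)
    client = Supplicant(pmk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), variant)
    client.recv_msg1(os.urandom(32))   # AP sends ANonce in message 1
    client.recv_msg3()                 # AP sends message 3: client installs TK
    known = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # guessable plaintext
    _, ct1 = client.send(known)
    status = client.recv_msg3()        # attacker blocked message 4 and replays message 3
    secret = b"user=alice&password=S3cret!"
    pn2, ct2 = client.send(secret)
    if variant == "zero_key":
        guess = xor(ct2, keystream(bytes(16), pn2, len(secret)))  # key is known: all zeros
    else:
        guess = xor(ct2, xor(ct1, known))  # keystream recovered from the known packet
    return {"status": status, "pn": pn2, "tk": client.tk, "recovered": guess,
            "leaked": guess == secret}

if __name__ == "__main__":
    for v in ("vulnerable", "zero_key", "patched"):
        r = simulate(v)
        print(f"{v:10s} replayed msg3 -> {r['status']:11s} PN={r['pn']} leaked={r['leaked']}")
```

The "vulnerable" and "zero_key" runs both leak the second packet: in the first the attacker XORs two ciphertexts encrypted under the same key and packet number, in the second the key itself is all zeros. The "patched" client leaves the counter at 1 after the replay, so the recovered keystream does not line up and the guess fails. Note that the patched behaviour shown here (refusing to reinstall an already-installed key) is the client-side fix; access points and group-key handshakes need their own patches.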
Vanhoef's video demonstration of the attack against an Android phone shows the whole process in full.
As the video makes clear, simply visiting HTTPS-protected sites does not necessarily prevent an attack. A site that does not strictly enforce HTTPS (for example, one that has not enabled HSTS) can be downgraded to plain HTTP by the man-in-the-middle, and the demonstration uses an SSL-stripping tool to do exactly that. The result is that the attacker, using KRACK, can read the username and password the victim types into the site's login form.
How Can I Ensure My Android Device Is Secure?
At the moment there is not a lot you can do beyond being careful about what you send over Wi-Fi from your Android device until a fix arrives. Install updates as soon as they become available. Google have stated they will include a fix for Pixel devices in their security update on November 6, 2017, but other, older devices have no firm date, with Google saying they will be patched 'in the coming weeks.'
If your Android device has an Ethernet port, you can use an Ethernet cable instead of Wi-Fi. The attack only works against traffic carried over Wi-Fi; a wired connection is unaffected. We recently posted a guide to the different types of ethernet cables, if you need help deciding which one is right for you.
Public Wi-Fi can also be dangerous, so it would be best to avoid it until a fix is released. Without any clear idea of who is on the network or how they're using it, you open yourself up to attack.
It's a pain, but during this time of uncertainty I would also ensure that you are connecting to secure services and webpages that include HTTPS in their address. Though this doesn't guarantee you'll be safe, it's another layer of protection that you should always be aware of (and not just in the face of a WPA2 exploit). You can also find extensions such as HTTPS Everywhere, for Chrome, which ensure you are connecting to secure websites when browsing the internet.
Lastly, you can use a VPN service and connect to it whenever you are on Wi-Fi with your smartphone or other connected devices. A VPN encrypts your traffic between your device and the VPN provider's server, so everything crossing the Wi-Fi link stays protected even if the WPA2 layer is broken; it does not protect the traffic beyond the VPN server, so HTTPS still matters. If you need help choosing a VPN, consult this guide.
One of the big issues will be for Wi-Fi connected devices around the house. Anthony discussed this issue earlier this morning.
Are iOS Users Vulnerable To KRACK?
Apple users can rest slightly more easily. The 4-way handshake variant of the attack does not work against iOS (or Windows) because those implementations reject a retransmitted message 3, so they do not reinstall the key. They remain exposed to other variants of the attack, which is why Apple and Microsoft have still shipped patches.
At this point, it seems that Apple have developed patches for iOS, macOS, watchOS and tvOS which are currently in beta and these will be rolled out in software updates in the coming weeks.
Similarly, Microsoft rolled out a security patch on October 10th, ahead of the announcement.
Do I Need To Buy A New Router?
Simply put, no. However, these devices and other devices that connect to the internet via Wi-Fi are potentially open to attack until manufacturers and suppliers roll out patches for them. Several have released statements regarding the exploit, which I have included below:
Belkin, Linksys, Wemo
“Belkin, Linksys, and Wemo are aware of the WPA vulnerability. Our security teams are verifying details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
"We are in the process of reviewing which of our devices may contain this vulnerability and will be issuing patches where needed."
"NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.
"NETGEAR appreciates having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR.
"To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from NETGEAR Product Security web page."
A spokesperson for Belong suggested that modems and routers will be "automatically updated once [a patch] is available."
"We are aware of the issue and will be rolling out patches to Nest products over the next couple weeks."
No matter your device, because of the ubiquity of WPA2, pretty much anyone who connects to the internet over Wi-Fi can be targeted with this attack. Keep your devices as up to date as possible and install patches as soon as they are released.