KRACK – or the Key Reinstallation AttaCK – looks like the new infosec word we all need to know. According to the authors of a paper that will be presented at conference in a couple of weeks, Mathy Vanhoef of KU Leuven and Frank Piessens say they have found a way to circumvent WPA2 security – one of the key tools used for protecting wireless networks. If KRACk proves to be true, all bets are off when it comes to stopping eavesdroppers from listening in to your wireless network.
The conference agenda doesn’t hold many clues but a report at The Register points to an empty GitHub repository, a BlackHat presentation and a landing page on a website, suggesting the researchers will be dropping something of note.
It seems that the researchers have been looking at ways to break through the handshaking protocol that’s used when devices connect over WPA2 and exchange keys.
So, it this a big deal? Let’s break things down a little.
This does not suddenly mean all your internet activity is instantly available to every bad guy on the planet. So, it’s not likely a hacker in the depths of Eastern Europe will be hitting your WiFi to knock off your personal files. This is all about connectivity and communications within your WiFi network (assuming you’re using WPA2 and not a certificate-based authentication system or some other mechanism).
But, if the vulnerability is made fully public with an exploit kit, and a motivated bad person is so inclined, they could park themselves within wireless range of your network and start picking off data.
Assuming you have a layered approach to your security then one of the layers has, potentially, been compromised.
Until November 1, we really have no way of knowing if Vanhoef and Piessens are really going to bust WPA2 wide open or if it’s all a clever ruse to drive up conference registrations. If it is, enterprises relying on WPA2 might want to start planning for a new approach. For small business and home users, make sure all your end-point security is up to date, your systems are patched and that all your apps have the latest fixes, especially security fixes, applied.
Basic security hygiene is still your most important weapon against threat actors.
And, if you have the tools, consider some other approach, such as certificates, for securely connecting devices to your wireless network.
However, how that might work with IoT devices is a complete unknown.