This past Monday, October 16, a Belgian security researcher publicly announced that he had discovered a fault in the WPA2 protocol which secures nearly all Wi-Fi data transmissions. This security vulnerability has been nicknamed “KRACK” by the researchers and has been widely publicized by the press and the United States Homeland Security’s Computer Emergency Readiness Team (CERT) over the last couple of days as affecting nearly every Wi-Fi device in existence.
A detailed description of how the vulnerability was discovered and how it works was also made public on Monday, meaning that this information is now publicly-available to hackers.
Details of the vulnerability were made available to most Wi-Fi equipment manufacturers a couple of months ago to allow time for updates to be developed prior to publicizing the discovery. As of Monday, most manufacturers were still scrambling to determine which of their products are affected and how (or if) they will provide updates for those products.
What does KRACK do?
KRACK works by intercepting and manipulating the Wi-Fi Protected Access II (WPA2) protocol used when your Wi-Fi device detects the availability of a Wi-Fi router and attempts to connect to it. This “handshaking” happens before your device is prompted for a password or completes a connection to the router. The vulnerability is a fault in the protocol used to secure Wi-Fi communications, not in any particular product, so it will affect most Wi-Fi equipment that correctly implements the WPA2 protocol.
While Wi-Fi computers/devices from ALL manufacturers are affected, it is important to note that Android devices and computers/devices based on Linux are particularly susceptible to this attack due to the way they deal with WPA2 handshaking.
What this means to you:
If you are using ANY Wi-Fi device (and who isn’t these days?), the wireless data transmissions between your device and any Wi-Fi router you use are subject to eavesdropping and manipulation by any hacker taking advantage of the KRACK vulnerability.
This warning applies to all Wi-Fi users whether they are using their devices in a business, at home, or via a public Wi-Fi connection. This warning also includes ALL devices capable of Wi-Fi connection, including (but not limited to):
- routers,
- access points,
- repeaters,
- computers,
- smartphones,
- tablets,
- printers,
- smart TVs,
- security cameras,
- control systems,
- and other “smart” devices.
Please note: KRACK DOES NOT AFFECT CELLULAR USAGE of smartphones or mobile devices, only Wi-Fi usage.
What is at risk?
KRACK is effective only if an attacker is using a device within Wi-Fi range of your data transmissions, so typically, the attacker would need to be physically close to you (or remotely controlling a Wi-Fi-intercepting device physically close to you) to intercept your Wi-Fi traffic. You are NOT at risk via an Internet attack.
If an attacker uses KRACK to intercept your Wi-Fi traffic, some (or all) of the following could occur:
- Your Wi-Fi traffic (anything not encrypted beyond the WPA2 protocol) could be decrypted by the attacker, allowing for theft of passwords, account information, sensitive data, etc. as they are transmitted to/from your Wi-Fi device. Browsing to web sites/services secured with SSL encryption adds an additional layer of not-always-perfect security, but for most home or work LANs using Wi-Fi, data traveling between devices on the LAN (i.e.: from a local server or storage device to a Wi-Fi device) is not encrypted beyond the WPA2 protocol, and thus, is vulnerable to this threat.
- The attacker could, under certain circumstances, inject malware into valid data you receive from web sites/services, potentially causing your Wi-Fi device to become infected with additional threats and/or leaving your device subject to remote access by the attacker.
- The attacker could impersonate valid web sites/services, delaying and/or changing the information you send or receive.
How can you protect yourself?
While the KRACK vulnerability is still a newly-discovered threat (and it is unclear if it is being used in widespread attacks yet), it’s important to remember not to panic. However, by no means should you ignore this threat - as time passes and this threat becomes more widely exploited, your risk will increase!
- Identify ALL devices you own or use that are Wi-Fi capable. CERT has published a web page listing many known Wi-Fi device manufacturers, along with an indication if their products are affected and a link to each manufacturer’s support site.
- Update each Wi-Fi device as patches are made available. Most reputable manufacturers are aware of the KRACK vulnerability, but they are addressing it with varying degrees of response. A few manufacturers have already published patches to fix the KRACK vulnerabilities in their devices; many others are working on patches which will be published over the coming weeks. However, be aware that most manufacturers will patch their currently-available products first. Patches for older devices may be made available on a delayed basis. Some devices (especially older devices for which technical support is no longer offered) may never be patched and will need to be replaced with newer technology to be considered secure.
- Patches already exist for current versions of Microsoft Windows - make sure your Wi-Fi-capable computers are up-to-date. This underscores the point that it is critical that you keep your computer systems fully-patched in today’s computing environment. Also note, patches are NOT available for no-longer-supported versions of Microsoft Windows such as XP and Vista.
- Patches exist for the current versions of several other operating systems (including those for some mobile devices). However, depending on your cellular carrier, device version, operating system version, and/or computing environment, your ability to receive those patches on your mobile device may be limited or out of your direct control. In such cases, you should check with your device manufacturer’s, your cellular carrier’s technical support, or your IT department to determine if/when your affected device will be updated.
- Be aware that public Wi-Fi services (such as those found in airports, hospitals, hotels, restaurants, concert venues, shopping areas, some municipalities, etc.) may be susceptible to the KRACK vulnerability if the provider of those services has not patched their Wi-Fi equipment. Public Wi-Fi services are always HIGHLY likely to be targeted by attackers due to ease of access and the higher probability of success in encountering a vulnerable mobile device. Our advice is to AVOID using public Wi-Fi if you have an unpatched Wi-Fi device, and to use public Wi-Fi only when absolutely necessary even if your device is patched.
- If you must use an unpatched Wi-Fi service (or if your Wi-Fi device has not yet been patched), consider using a paid VPN service to access information over the Wi-Fi connection. VPNs encrypt all data passed between your device and the VPN server, so even if your data is intercepted, it will be encrypted and unreadable to an attacker.
- DO NOT perform sensitive transactions (financial, healthcare, etc.) on Wi-Fi connections unless you are dealing with a known (to you) web site/service that is protected by SSL encryption (the URLs of these sites will usually start with “https:” and your browser will typically display a lock to indicate that the site is secure). Information exchanged with such sites is encrypted between your device and the associated web server, so if intercepted, it generally cannot be read by an attacker.
- Consider discontinuing Wi-Fi usage of unpatched devices until you can patch/replace them. (Obviously, this will be your individual choice based upon the necessity of use, the sensitivity of information being transmitted, the Wi-Fi environment used, and your acceptance of the associated risk.)
- NOTE: Both your mobile device AND the Wi-Fi router to which you are connected must be patched for your Wi-Fi connection to be considered completely secure from the KRACK vulnerability. If you are unsure about the patch status of the Wi-Fi router to which you are connecting, you should strongly reconsider its use.
- NOTE: DO NOT change your Wi-Fi router to use a lower level of security in an attempt to avoid the WPA2 vulnerabilities of KRACK. WPA (version 1) is also affected by KRACK and is additionally subject to other well-known security vulnerabilities. WEP security has been considered easily-hackable for years and is insecure. WPA2 is (unfortunately) the strongest Wi-Fi security protocol implemented by most Wi-Fi routers on the market today.
- NOTE: Changing your Wi-Fi password or other router settings will not help to secure the device from this threat. KRACK works by breaking security BEFORE your Wi-Fi device is prompted for a password to join the Wi-Fi network.
For More Information:
CERT has published a web page which serves as a central hub for the latest information on the KRACK vulnerability (officially designated as: “Vulnerability Note VU#228519 - Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse”). There you’ll find the latest technical descriptions and details of the vulnerability, a link to the web site created by the researcher who discovered the vulnerability, a Wi-Fi device manufacturers list with links to the support sites for affected Wi-Fi devices, and other related information.
For help securing your business network:
We offer a wide range of network security and network management services for businesses, organizations, and government agencies. If you need assistance ensuring that your computer network is secure and working correctly, please contact Logical Operators today.