The vulnerability, known as KRACK, for ‘Key Reinstallation Attacks’, was discovered by Mathy Vanhoef of imec-DistriNet, KU Leuven, and puts doubt on the ‘four way handshake’, a method of securing Wi-Fi which has previously been mathematically proven as secure.
If a Wi-Fi network is protected, the four way handshake is used to generate a new session key. However, as Vanhoef argues, the ‘formal proof does not assure a key is installed once. Instead, it only assures the negotiated key remains secret, and that handshake messages cannot be forged.’ Vanhoef experimented with how clients process the third message of the four way handshake, and found that if a client processes that message a second time (for example because it was retransmitted), it reinstalls the same key and resets the counters that go with it.
In other words, if exploited, attackers can get in, access any WPA2 network without a password, and then unleash whatever they please into the network traffic.
Vanhoef added that the attack developed was ‘especially catastrophic’ against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux, as well as version 6.0 and above of Android. “Any device that uses Wi-Fi is likely vulnerable,” he added.
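The client-side behaviour described above, as an added illustration that is not code from the article, from wpa_supplicant or from Vanhoef's research: a toy model in which a client processes message 3, sends a frame, then processes a retransmitted message 3. The session key, the frames and the keystream function are constructed stand-ins (an HMAC over the nonce, not real WPA2 cryptography or 802.11 framing). The vulnerable client resets its packet number on every installation, so the next frame repeats a nonce and therefore a keystream; the hardened variant, mirroring the kind of fix clients shipped, installs a given key only once and ignores the retransmission.

```python
"""Toy model of four-way-handshake message-3 handling (added example).

Constructed for illustration: PTK, frames and the keystream function are
toy values, not WPA2/CCMP. No real frames are parsed or produced.
"""
import hashlib
import hmac

PTK = b"constructed-session-key"   # stands in for the negotiated pairwise key


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stream cipher: keystream is a function of (key, nonce) only,
    so a repeated nonce under the same key yields the same keystream."""
    return hmac.new(key, nonce.to_bytes(6, "big"), hashlib.sha256).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableClient:
    """Installs the key every time message 3 is processed, which resets
    the transmit nonce (packet number) to zero each time."""

    def __init__(self) -> None:
        self.key = None
        self.nonce = 0

    def on_msg3(self, ptk: bytes) -> None:
        self.key = ptk
        self.nonce = 0          # (re)installation zeroes the packet number

    def encrypt(self, plaintext: bytes):
        """Return (nonce, ciphertext) for one data frame."""
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)


class HardenedClient(VulnerableClient):
    """Installs a given key only once; a retransmitted message 3 carrying
    the already-installed key is acknowledged but does not reinstall it."""

    def on_msg3(self, ptk: bytes) -> None:
        if self.key == ptk:     # already installed: keep the nonce running
            return
        super().on_msg3(ptk)


def run(client):
    """Handshake, one frame, a retransmitted message 3, another frame.
    Returns the two (nonce, ciphertext) pairs the client produced."""
    client.on_msg3(PTK)
    first = client.encrypt(b"frame-one-plaintext")
    client.on_msg3(PTK)                 # retransmitted message 3
    second = client.encrypt(b"frame-two-plaintext")
    return first, second


def nonce_reused(client) -> bool:
    """Defender's check: did two frames under the same key share a nonce?"""
    (n1, _), (n2, _) = run(client)
    return n1 == n2


if __name__ == "__main__":
    print("vulnerable client reuses nonce:", nonce_reused(VulnerableClient()))
    print("hardened client reuses nonce:  ", nonce_reused(HardenedClient()))
```

The check in `nonce_reused` is the property a patched client must satisfy: across a handshake retransmission, transmit nonces keep increasing and never repeat under the same key.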
A statement from the Wi-Fi Alliance said it was aware of the vulnerability and the industry was already deploying patches to Wi-Fi users, adding users should expect all of their Wi-Fi devices, patched or unpatched, to ‘continue working well together.’
“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the statement read. “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.
“Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches,” the statement added. “As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.”
While leading tech companies are all saying they are working on the problem, there are things users can do in the meantime. The first is not to underestimate the severity of the risk. Brian Knopf, senior director of security research and IoT architect at Neustar, called it a ‘significant exploit’, while Rodney Joffe, senior VP and senior technologist, called it a ‘big deal’.
Aside from taking precautions such as updating client devices and routers and changing Wi-Fi passwords – Vanhoef said the latter would not mitigate an attack but is nevertheless good practice – the next step is using a VPN.
“ISPs can take years to switch to routers with a safer protocol,” said Marty Kamden, CMO of NordVPN. “That’s another situation where users should take their Internet security into their own hands. Everyone should assume that their network is now vulnerable, and take precautions. VPNs remain the strongest defence from these types of vulnerabilities.”
Knopf added that while VPN ‘may help in some cases’, it was not beyond the realms of possibility that exploits for VPN could be chained together with KRACK.