The WPA2 protocol, used by the vast majority of Wi-Fi connections, has been broken by Belgian researchers, highlighting the potential for internet traffic to be exposed. The “Krack Attack” allows hackers to steal credit cards, bank info and more.
The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
“If your device supports wifi, it is most likely affected,” Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
The flaws, dubbed “Key Reinstallation Attacks,” or “Krack Attacks,” are in the WiFi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be “particularly devastating,” according to KU Leuven University’s Mathy Vanhoef and Frank Piessens, who found the flaw.
The flaw is not in the cryptography underlying WPA2 or its predecessor, WPA. Rather, it’s in the implementation.
When communicating with a client device to initiate a Wi-Fi connection, the router sends a one-time cryptographic key to the device. That key is unique to that connection, and that device. In that way, a second device on the same Wi-Fi network shouldn’t be able to intercept and read the traffic to and from the first device to the router, even though both devices are signed into the same Wi-Fi network.
The problem is that that one-time key can be transmitted more than one time. To minimize connection problems, the WPA and WPA2 standards let the router transmit the one-time key as many as three times if it does not receive an acknowledgement from the client device that the one-time key was received.
Because of that, an attacker within Wi-Fi range can capture the one-time key, and, in some instances, even force the client device to connect to the attacker’s bogus Wi-Fi network. The attacker can use the one-time key to decrypt much of the traffic passing between the client device and the router.
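Why accepting the key a second time is dangerous, shown as an added simulation (not code from the researchers or from this article): a client that reinstalls an already-installed key restarts its packet counter, so two packets are encrypted with the same keystream, while a patched client ignores the repeat. The `Client` class, the SHA-256 keystream standing in for WPA2's real cipher, and the sample messages are assumptions constructed for illustration.

```python
import hashlib

def keystream(key, counter, n):
    # Toy stand-in for WPA2's per-packet keystream: a function of (key, packet counter).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, ignore_reinstall):
        self.ignore_reinstall = ignore_reinstall  # True models a patched client
        self.key = None
        self.counter = 0

    def on_key_message(self, key):
        # Runs for every copy of the router's key message, retransmissions included.
        if self.ignore_reinstall and key == self.key:
            return               # key already in use: keep the current counter
        self.key = key
        self.counter = 0         # a (re)install restarts the packet counter

    def send(self, plaintext):
        self.counter += 1
        ks = keystream(self.key, self.counter, len(plaintext))
        return self.counter, xor(plaintext, ks)

def simulate(ignore_reinstall):
    key = hashlib.sha256(b"constructed session key").digest()
    p1, p2 = b"constructed msg 1", b"constructed msg 2"   # constructed sample data
    client = Client(ignore_reinstall)
    client.on_key_message(key)       # first delivery of the key message
    n1, c1 = client.send(p1)
    client.on_key_message(key)       # retransmitted copy of the same message
    n2, c2 = client.send(p2)
    # With a repeated counter the keystream cancels out of c1 XOR c2,
    # leaving p1 XOR p2 visible to anyone who recorded both packets.
    return {"counters": (n1, n2), "plaintext_xor_leaks": xor(c1, c2) == xor(p1, p2)}

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

A repeated packet counter under the same key is also the observable symptom a monitoring tool can look for.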
The attack will NOT affect traffic between client devices and websites that use proper implementations of HTTPS web encryption. Such traffic will be encrypted on its own, and cannot be read by the attacker.
What to do?
Users may want to be wary of using Wi-Fi at all until patches are widely rolled out. For now, it looks as if some manufacturers are pushing out updates, which should go some way to preventing attacks. The vulnerabilities have been assigned the identifiers CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088, though there’s little detail available on each yet. Given the range of devices affected, it’s almost guaranteed patches won’t make it to everyone.
Is my WiFi network safe?
The short answer is no, probably not. In their blog post the researchers also point out that “any device that uses Wi-Fi is likely vulnerable.”
Britain’s National Cyber Security Centre said in a statement: “We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as Wi-Fi safety, device management and browser security.”
The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability.
The Wi-Fi Alliance has issued a security advisory thanking Vanhoef for his work, stating that it is aware of the issue and that major platform providers have already started deploying patches. It says there is no evidence that the attack has been used in the wild, though the research paper notes that such attacks would be difficult to detect.
Until patches are available, Wi-Fi should be considered a no-go zone for anything mission critical, a feat almost impossible in today’s age of ubiquitous and blanket wireless network access.