I’ve got some bad news. Pretty much every device and wireless router has a critical weakness that can allow an attacker to intercept the traffic. Security researcher Mathy Vanhoef disclosed a serious vulnerability in WPA2—the main encryption protocol used to secure wireless communications.
What Is KRACK?
The vulnerability has been dubbed “KRACK”, which is a shortened mashup of Key Reinstallation Attacks.
In a nutshell, everyone who uses WPA2 is at risk. The WPA encryption algorithm itself has not been compromised, but the key exchange part has.
Using this flaw, attackers can perform a man-in-the-middle attack and insert themselves between the wireless access point and the wireless client—whether that is a laptop, smartphone, tablet, gaming console, or IoT device.
This is a client-side vulnerability, so there is nothing to fix on the wireless router or access point. There are some wireless equipment makers issuing updates, though, so check with your vendor to see if there is a patch available. However, it’s urgent that you patch Android, iOS, macOS, Linux and Windows implementations of WPA2 as soon as possible.
Alert Logic researchers stress that KRACK technically breaks every instance of PCI DSS compliance that uses wireless technologies, unless there is an additional layer of encryption—such as HTTPS or VPN—employed to safeguard the traffic.
Defending Yourself Against KRACK
The sky is not falling…yet. There are a few caveats to KRACK that provide a bit of a silver lining. First, the attacker needs to be within the range of your Wi-Fi network. This isn’t something a remote attacker in another country can exploit to intercept your data.
It’s also important to note that attackers cannot obtain your actual WPA2 password using KRACK—or even view encrypted traffic in many cases. The flaw simply allows a successful attacker to view unencrypted traffic traversing your wireless network on Windows, macOS, and iOS devices.
For Android (version 6 and up) and Linux, on the other hand, KRACK is a much bigger threat. Because of the way these platforms handle encryption keys for WPA2, the system defaults to an all-zero encryption key, which enables the attacker to decrypt encrypted traffic as well.
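To make the mechanism behind the last two paragraphs concrete, here is an added toy simulation (constructed for this post; it is not Alert Logic's code, the researcher's code, or a real Wi-Fi implementation). It models three supplicant behaviours when the access point retransmits the handshake message that delivers the session key: a client that reinstalls the key and resets its packet counter, the Android 6+/Linux variant that reinstalls an all-zero key because it wiped its copy after the first install, and a patched client that refuses to reinstall a key already in use. The cipher is a stand-in (an HMAC-SHA256 counter stream in place of CCMP's AES-CTR) so the script runs with only the standard library; the frame contents and the key value are constructed.

```python
"""Toy model of key reinstallation in a WPA2 client (constructed example).

Three client variants are modelled:
  * "vulnerable": reinstalls the key and resets the packet number to 0 on a
    retransmitted message 3, so later frames reuse keystream;
  * "zero_key": as above, but the supplicant wiped the key after the first
    install, so the reinstall puts an all-zero key in place;
  * "fixed": ignores a reinstall of a key that is already installed.

The keystream is a stand-in for CCMP's AES-CTR: an HMAC-SHA256 counter stream.
"""
import hashlib
import hmac

KEY_LEN = 16
ZERO_KEY = bytes(KEY_LEN)


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in keystream: HMAC(key, nonce || block counter), concatenated."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified supplicant: the installed temporal key and its nonce counter."""

    def __init__(self, variant: str):
        assert variant in ("vulnerable", "zero_key", "fixed")
        self.variant = variant
        self.installed_key = None    # key handed to the driver
        self.packet_number = 0       # per-key nonce counter; must never repeat
        self._pending_key = None     # supplicant's copy of the negotiated key

    def receive_message3(self, ptk: bytes) -> None:
        """Handle message 3 of the four-way handshake (possibly a retransmit)."""
        if self._pending_key is None:
            self._pending_key = ptk
        if self.variant == "fixed" and self.installed_key is not None:
            return                   # fix: key already in use, do not reinstall
        self.installed_key = self._pending_key
        self.packet_number = 0       # the counter reset that causes nonce reuse
        if self.variant == "zero_key":
            # Supplicant cleared its copy after install; a retransmit now
            # reinstalls all zeros instead of the real key.
            self._pending_key = ZERO_KEY

    def encrypt(self, plaintext: bytes):
        """Encrypt one frame under the installed key; returns (nonce, ciphertext)."""
        nonce = self.packet_number
        self.packet_number += 1
        ks = keystream(self.installed_key, nonce, len(plaintext))
        return nonce, xor(plaintext, ks)


def simulate(variant: str, ptk: bytes = b"\x11" * KEY_LEN) -> dict:
    """Send a frame, let the AP retransmit message 3, send a second frame.

    Reports what a defender cares about: whether the nonce repeated, whether
    keystream was reused (XOR of ciphertexts equals XOR of plaintexts), and
    whether the second frame decrypts under an all-zero key.
    """
    client = Client(variant)
    frame_a = b"GET /account HTTP/1.1 ..."   # constructed, same length as frame_b
    frame_b = b"POST /login  HTTP/1.1 ..."
    client.receive_message3(ptk)
    nonce_a, ct_a = client.encrypt(frame_a)
    client.receive_message3(ptk)             # retransmitted message 3
    nonce_b, ct_b = client.encrypt(frame_b)
    zero_ks = keystream(ZERO_KEY, nonce_b, len(ct_b))
    return {
        "nonce_repeated": nonce_a == nonce_b,
        "keystream_reused": xor(ct_a, ct_b) == xor(frame_a, frame_b),
        "zero_key_decrypts": xor(ct_b, zero_ks) == frame_b,
    }


if __name__ == "__main__":
    for variant in ("vulnerable", "zero_key", "fixed"):
        print(variant, simulate(variant))
```

Running it shows the three outcomes side by side: the vulnerable client reuses nonce 0 and leaks keystream, the zero-key client's second frame is readable without any key at all, and the fixed client keeps the counter monotonic. The patched behaviour is the "do not reinstall an already-installed key" rule, which is the part of the supplicant that vendor updates change.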
Makers of affected devices and platforms are scrambling to develop patches to address the flaw. OpenBSD was first out of the gate, and Debian and Windows already have patches available as well.
Alert Logic will provide detection soon for the KRACK flaw via Authenticated Scanning for Windows. Detection for Linux will be added as soon as relevant patch information is available.
Due to the nature of the flaw, it’s impossible to detect via IDS (intrusion detection system), log analysis or WAF (web application firewall).
To mitigate your risk, Alert Logic experts recommend you monitor vendor sites for patch availability and patch immediately once an update is available. You should also use encrypted HTTPS traffic and/or implement a VPN layer on all of your wireless communications.
We will update this post as new information emerges. Comment below if you have any questions or information to share.