Security Blog

KRACK: What you need to know about WPA2 vulnerability

Recently, two researchers at the Belgian University KU Leuven announced to the world the discovery of a vulnerability in the WPA2 security protocol. The protocol represents the de facto standard of secure communications between mobile devices we use today, as well as the access points to which smartphones, tablets and laptops connect to access the Internet or services provided by local servers.

The WEP solution for the protection of wireless channels has been abandoned for some time because of its weakness. Now we discover that the much stronger WPA2 is not free from weaknesses and can be targeted by KRACK attacks in particular. The acronym stands for Key Reinstallation AttaCKs and is a new technique of cyber-attack aimed at stealing sensitive information (credit card numbers, passwords, emails, chat, photos, and so on) transmitted via Wi-Fi. If the wireless network isn’t configured properly, the risk perimeter is widened and the likelihood of fraudulent insertion (false data, malicious programs installation, manipulation of existing information, etc.) can become alarming.

The research explaining the vulnerability will be presented at two important occasions, the International Conference on Computer and Communications Security (CCS) and the Black Hat Europe meeting.

How should IT Security Managers respond to this new concern?

The simplest and drastic answer is: to switch off WPA2 connections, to give up the convenience of wireless until clarification and assurance of that a solution is in place.

There is no doubt that the findings have scared a large number of IT people and, at the same time, embarrassed the scientists of the Institute of Electrical and Electronic Engineers who have the 802.11i protocol paternity, the base of modern wireless communications. However, it is equally true that the situation lets us to see some remedies and hope.

The problem really deserves to be resized. First, those who want to exploit this technique must be close to the network that they are attacking. Second, they must personally be in possession of valuable technical skills, they must have the necessary software to exploit the vulnerability and – above all – they must have a lot of time to spare. In fact, there is not yet a pre-packaged exploit that allows them to “jump-in” in a quick and effective way, and the attacks must be performed against Linux and Android operating systems only to easily succeed. If network traffic is encrypted using HTTPS, VPN, SSH, TLS, or the like, the KRACK system will not be able to break the connection: those who have improperly gained access to the Wi-Fi network and decrypt the communication packets will be in front of a sort of Matryoshka doll. They will find that what they just opened is actually boxed in another layer of protection. The attacker who makes use of the Key Reinstallation technique will be in the same condition as any other malicious intruder trying to intercept online communication between the user and a website.

KRACK is not born to steal the passwords needed to access a system, but, if the base station uses WPA-TKIP or GCMP cryptographic mode, it can inject bugs (from malicious JavaScripts to all kinds of malware) into non-encrypted traffic. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.

Companies are working to patch their products and overcome the unpleasant impasse. Microsoft has patched Windows wireless code in the October update. Apple is about to release a fix for iOS and macOS. Google is working on the solution for Android and ChromeOS. Similar initiatives are in the pipeline between network hardware manufacturers committed to solving the question.

The recommendation – and not just this time – is to not delay updating the operating system of the devices in use. Security update processes should be a priority among the day-to-day tasks and not only an annoying urgency when the usual problem occurs.

  • 24 Solutions AB
  • Smedjegatan 2C
  • SE-13154 Nacka, Sweden
  • +46 (0)8 535 24 100
  • info@24solutions.com