Wi-Fi KRACK Attack: What to know about the WPA2 vulnerability

by | Nov 7, 2017

Last month, researchers discovered a dangerous WPA2 vulnerability that can compromise nearly all modern protected Wi-Fi networks.

You don’t have to be an IT guru to know that WPA2 is the industry standard Wi-Fi security protocol. It’s what most of us use to encrypt data transmissions while we’re connected to a wireless network, thus protecting the data from being seen by eavesdroppers. WPA2 has been the trusted standard since 2004.

But as it turns out, it’s not as secure as we all thought.

We now know that WPA2 has a fatal flaw. A weakness in the Wi-Fi standard allows attackers to read your data in transmission, including:

  • Login information and passwords
  • Credit card numbers
  • Any information submitted via an online form
  • Email messages
  • File submissions / attachments (spreadsheets, photos, Word docs, etc.)
  • Chat messages
  • App data
  • Smart device data (cameras, Wi-Fi thermostats, bulbs, home security products, etc.)
  • Streaming device data (Roku, Apple TV, etc.)
  • Audio speaker data (Amazon Echo, Google Home, Sonos, etc.)

Here’s where it gets even uglier.

Beyond simply reading your data, attackers can exploit the weakness to manipulate it. So for example, depending on your network configurations, an attacker could inject ransomware or other malware into a website you visit.

Let’s be very clear…

The WPA2 vulnerability isn’t due to user error, such as a misconfiguration in a device’s Wi-Fi settings or in the setup of a wireless network. The weakness is in the Wi-Fi standard itself, which means that any correct implementation of WPA2 is likely affected. In other words, your Wi-Fi device network is almost certainly at risk.

Let’s look at how exactly the weakness can be exploited and what you can do to stay protected.

What is the WPA2 vulnerability?

The WPA2 vulnerability was discovered by security researcher Mathy Vanhoef of KU Leuven in Belgium. First reported by Ars Technica, news of the vulnerability quickly set off alarm bells at technology companies, who have been scrambling over the last few weeks to release updates that fix the flaw.

So, how does it work exactly?

For starters, an attacker must be in range of the Wi-Fi network to exploit the vulnerability. For consumers, this could be somebody sitting in a Wi-Fi coffee shop, capturing your Internet activity. For businesses, it could be somebody on another floor of your building or outside the office, stealing sensitive company data (as long as they’re within range of your wireless network).

Here’s how an attack can occur:

  • The vulnerability is found in the WPA2 authentication process known as the “four-way handshake.” In short, this is a 4-step process that ensures the user has the right Wi-Fi password—or more technically, that the user and Wi-Fi access point have matching credentials.
  • In the third part of this four-step process, a new encryption key is generated to protect the user’s session. But the vulnerability allows a hacker to use a Key Reinstallation Attack (or KRACK) to tamper with and copy this key, thus allowing them to reinstall a key that’s already been used.
  • When the key is reinstalled, the tallies of how many bits of data have been sent and received are reset, and in the process an attacker is able to replay, decrypt and, in some cases, even forge these packets. In other words, all your data can be captured by the attacker.

Vanhoef says the attack is “exceptionally devastating” against Linux and Android 6.0 and higher (“because Android and Linux can be tricked into (re)installing an all-zero encryption key”).
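To make the handshake steps above (and the all-zero key case just mentioned) concrete, here is an added simulation that is not code from the article or from Vanhoef’s research. It models only the client’s key-install logic: a toy SHA-256 keystream stands in for AES-CCMP, the key, the frames and the names (`Client`, `simulate`) are all constructed here, and the `patched` flag models the fix vendors shipped (don’t reinstall a key that is already in use).

```python
import hashlib
from dataclasses import dataclass, field

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream standing in for AES-CCMP (not the real cipher)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + bytes([block])).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Client:
    """Supplicant key state. patched=True models the fix (ignore a retransmitted
    message 3 once the key is installed); clears_key=True models the Linux/Android
    behaviour the article cites (key copy wiped after install -> reinstall is all zeros)."""
    pending_ptk: bytes
    patched: bool = False
    clears_key: bool = False
    ptk: bytes = b""            # installed pairwise key, empty until message 3
    nonce: int = 0              # per-key packet number used as the CCMP nonce
    used: set = field(default_factory=set)
    nonce_reuse: int = 0

    def on_msg3(self) -> None:
        if self.ptk and self.patched:
            return  # fix: never reinstall a key that is already in use
        self.ptk = self.pending_ptk
        if self.clears_key:
            self.pending_ptk = bytes(16)
        self.nonce = 0  # the reinstall resets the packet number: nonce reuse follows

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        if (self.ptk, self.nonce) in self.used:
            self.nonce_reuse += 1
        self.used.add((self.ptk, self.nonce))
        return xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))

def simulate(patched: bool, clears_key: bool = False) -> tuple:
    """Returns (nonce reuses, keystream reused?, all-zero key installed?)."""
    p1, p2 = b"GET /login", b"pw=hunter2"  # constructed sample frames, equal length
    c = Client(pending_ptk=b"\x11" * 16, patched=patched, clears_key=clears_key)
    c.on_msg3()
    c1 = c.send(p1)
    c.on_msg3()  # retransmitted message 3, the trigger the article describes
    c2 = c.send(p2)
    # with keystream reuse, c1 XOR c2 == p1 XOR p2, so the key no longer protects anything
    return c.nonce_reuse, xor(c1, c2) == xor(p1, p2), c.ptk == bytes(16)
```

The unpatched client reuses nonce 1 and its two ciphertexts XOR to the two plaintexts; the patched client keeps counting from 2 and nothing leaks, which is exactly what the vendor updates enforce.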

But numerous other operating systems and products using WPA2 are equally vulnerable: Apple, Windows, OpenBSD, MediaTek and Linksys, to name just a few of those Vanhoef tested.

Are you vulnerable?

Short answer: yes, most likely.

But not necessarily every device.

As Wired explains, “Most current versions of iOS and Windows aren’t vulnerable, or are only vulnerable in one niche circumstance, because of the way Apple and Microsoft implemented the WPA2 standard to prevent resends of the third handshake message.”

It’s important to remember that WPA2 is used across a wide range of devices, both in the workplace and on home networks. Aside from mobile devices (which millions of workers use alongside their desktops to perform business-critical tasks), the vulnerability impacts millions of other Wi-Fi-connected devices, from conference-room projectors to the access points and routers themselves.

This creates a complicated problem to fix, precisely because different manufacturers use different approaches to implementing the WPA2 protocol in their products. In other words, even if the WPA2 standard itself can be fixed for new devices going forward, the vulnerability needs to be patched on virtually all existing products on the market. And depending on the device and the manufacturer’s update process, users in many cases will have to be proactive about installing those patches on their devices. It won’t always happen automatically.

That’s a serious problem, because your average user likely doesn’t even know about the WPA2 exploit, even though it’s been widely reported in the news.


What about HTTPS?

The WPA2 vulnerability allows an attacker to decipher any data transmitted through a website, such as information entered into a form. But what if the site uses HTTPS as an added layer of protection for encrypting data? Do HTTPS-protected pages keep a user’s data safe?

No, not necessarily.

Many HTTPS-protected sites are configured in a way that allows them to drop back to HTTP, thus leaving data transmissions unencrypted. In a video, researcher Mathy Vanhoef demonstrated this at Match.com. He used a script known as SSLstrip, which forced the site to use an HTTP connection instead of the default HTTPS. He then demonstrated how he could capture a user’s login name and password (and any other information submitted to/from the site) by exploiting the Wi-Fi vulnerability on the user’s Android device.

How to protect yourself

Update your devices, ASAP.

Patches that resolve the KRACK exploit are already available from many technology companies. As long as the devices on your infrastructure are still supported (and they should be!), then chances are a patch is being developed right now, if it hasn’t been already.

In a way, this process should be easier for businesses. You or your MSP should have a list of active Wi-Fi-enabled devices at your location(s). This makes it easier to know what needs to be patched and where to get those patches.

It’s also a good idea to implement other network safeguards, as you should already be doing. Cybersecurity analysts always recommend “segmenting” your networks, so that a single compromised component doesn’t allow attackers to access everything. Isolating devices from each other is another preventative step: if you allow all Wi-Fi clients to talk to each other, you could be putting your network at risk.

For consumers who have a hodgepodge of random Wi-Fi devices in their homes, the process of identifying a fix may take a little more time. It’s not simply a matter of changing your Wi-Fi password or buying a new router (neither of those will fix the vulnerability). You need to make sure every device you have is patched, and you’re at the mercy of manufacturers to develop and release them.

Where to get patches

ZDNet posted a handy “list of every patch for KRACK Wi-Fi vulnerability available right now,” sorted alphabetically by manufacturer. The list is a few weeks old, and it’s directed more toward consumers, but it’s a nice reference guide if you prefer to have an overview of known patches in one place.

Either way, you should be checking with manufacturers directly, if you haven’t already.

Just this week, Google released a patch for Android devices as part of its November security update. If your employees use their mobile devices for work, at home or at the office, it’s a good idea to remind them to check for updates. Even if your Wi-Fi access points and other network devices have been patched, your employees’ devices could still be vulnerable if they’re not updated.

How concerned should you be?

On one hand, the WPA2 risk is limited to the range of your wireless network. So, that greatly reduces the chances of a threat vs. other cyberattacks that can come from virtually anywhere in the world.

Take Google, for example, which said in its November security release that it had received no reports of the Wi-Fi vulnerability being exploited. Granted, a user probably wouldn’t yet know someone had eavesdropped on their Internet activity. But still, based on Google’s statement, we can assume the threat level is not yet severe, even though the vulnerability itself is quite serious.

On the other hand, no business should take the risk of leaving any data exposed. There is no infrastructure upgrade or costly investment required to remove the vulnerability. You simply need to make sure all devices are patched.

Yes, we will likely hear about the fallout from KRACK for years to come. Due to the nature of the vulnerability and the fact that many older routers and IoT devices may never get an update, some analysts predict the mess still won’t be completely cleaned up even 20 years from now.

But for most businesses, updating network devices shouldn’t take more than a few hours, if that. Best to do it now.

Plan for the unexpected

For more information on how to protect your organization with dependable business continuity solutions, contact our experts at Invenio IT. Call (646) 395-1170, email us at [email protected], or request a free BDR demo today.

Dale Shulmistra is a Business Continuity Specialist at Invenio IT, responsible for shaping the company’s technology initiatives -- selecting, designing, implementing & supporting business continuity solutions to bolster client operational efficiencies and eliminate downtime.