What flaw was found in the WPA2 wireless encryption protocol?
On Tuesday, October 16, 2017, Mathy Vanhoef, a postdoctoral researcher in computer security at KU Leuven, publicly announced a serious vulnerability in the WPA2 encryption protocol. The proof-of-concept exploit is called KRACK, which is short for Key Reinstallation Attacks. This vulnerability allows an attacker to intercept and decrypt some traffic between your device (phone, laptop, computer, tablet, etc.) and your router.
What can an attacker do?
The Good news is a KRACK attack can’t get your wireless access key, the vulnerability is patchable, and an attacker needs to be within WiFi range of your device. Many vendors have already released patches. Check with your vendor for security updates. You can find a manually updated patch status list of popular vendors here. A more extensive list of vendors affected and their patch status can be found here.
If you’re following best practices, you can avoid compromising sensitive data.
- Always visit websites securely whenever possible. Install a browser plugin such as HTTPS Everywhere to automatically be redirected to the secure version of a website when available.
- Tunnel all web traffic through a VPN connected to your office.
- Avoid WiFi whenever possible. Use ethernet whenever possible.
The Bad news is this KRACK attack vulnerability has been around for over 13 years in the wild. Although there are no known cases of the vulnerability being used, it’s possible that organizations that could afford the hefty fees necessary to view the source code behind WPA2 have known about and used the vulnerability for years. The NSA used the Heartbleed SSL vulnerability for 2 years before someone else reported the bug.
The Ugly news isn’t really news at all: a lot of media hype but very few consequences. Any website resource worth stealing data from, such as financial, healthcare, and email accounts, is encrypted. Over 50% of the internet is encrypted, and using a plugin such as HTTPS Everywhere will protect your most sensitive data.
At the very least, install the HTTPS Everywhere plugin in all your browsers and don’t log into unencrypted websites while connected to WiFi. If you manage a website that collects sensitive information, join the other 50% of the internet and encrypt your website.
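For site operators acting on the advice above, one way to find login forms whose credentials would still cross WiFi unencrypted is to audit each page's HTML for password fields on non-HTTPS pages or with non-HTTPS form targets. This is an added example, not code from the original article; the `shop.example` pages, the `LoginFormAudit` class and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages (shop.example is a placeholder, not a real site).
SAMPLES = {
    "http://shop.example/login": '<form action="/session"><input type="password"></form>',
    "https://shop.example/login": '<form action="http://shop.example/session"><input type=password></form>',
    "https://shop.example/account": '<form action="/session"><input type="PASSWORD"></form>',
    "https://shop.example/search": '<form action="http://shop.example/q"><input type="text"></form>',
}

class LoginFormAudit(HTMLParser):
    """Flag forms with a password field that a network eavesdropper could read."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (resolved form action, reason) for each risky form
        self._action, self._in_form, self._has_password = None, False, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password = True, False
            # A missing or empty action submits back to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and self._in_form:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag != "form" or not self._in_form:
            return
        if self._has_password:
            if urlparse(self.page_url).scheme != "https":
                self.findings.append((self._action, "page served without HTTPS"))
            elif urlparse(self._action).scheme != "https":
                self.findings.append((self._action, "form posts to a non-HTTPS URL"))
        self._in_form = False

def audit(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, audit(url, html) or "ok")
```

Forms without a password field are ignored, so the search form in the sample is not reported even though its target is plain HTTP.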
Reference: M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In Proceedings of the 24th ACM Conference on Computer and Communication Security (CCS 2017), Dallas, USA, 30 October – 3 November 2017.