A computer security researcher from Belgium's KU Leuven has inadvertently discovered a major security flaw in the WPA2 protocol that protects the majority of Wi-Fi networks. This revelation means that every device using WPA2 Wi-Fi security is vulnerable to being spied on, and simply changing your password won't prevent an attack.
Mathy Vanhoef stumbled across the security vulnerability while working on a completely different project. In analyzing the way the WPA2 protocol generates an encryption key when a new client joins a network, Vanhoef discovered this process can be hijacked using a technique he dubbed a key reinstallation attack (KRACK).
Vanhoef explains the vulnerability, writing:
"In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice."
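To make the quoted mechanism concrete, here is an added toy model (not Vanhoef's proof-of-concept and not WPA2 code). It simulates a client that installs a pairwise key on handshake message 3 and keeps a transmit packet number that doubles as the encryption nonce, as the quote describes. A replayed message 3 either reinstalls the key and resets the counter (the vulnerable behaviour) or is ignored because the key is already installed (the fix). The keystream is an HMAC-SHA256 stand-in for AES-CCMP's counter mode, the key and packet contents are constructed sample values, and the `Client` class and `simulate` function are this example's own names. The point it shows is that the counter reset makes the same (key, nonce) pair encrypt two different packets, which is exactly what a defender's "key must be installed once" rule prevents.

```python
"""Toy model of key reinstallation: why resetting the nonce on a replayed
key-install message breaks confidentiality, and how refusing the reinstall fixes it."""
import hashlib
import hmac

# Constructed sample values (not real WPA2 material).
PTK = bytes.fromhex("00" * 31 + "01")      # stand-in pairwise transient key
P1 = b"packet-one-data!"                   # first plaintext packet (16 bytes)
P2 = b"packet-two-data!"                   # second plaintext packet (16 bytes)


def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Deterministic keystream: same (key, nonce) always yields the same bytes,
    mirroring the property of AES-CCMP's counter mode that KRACK abuses."""
    out, counter = b"", 0
    while len(out) < n:
        msg = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal supplicant state: installed key plus transmit packet number (nonce)."""

    def __init__(self, reinstall_allowed: bool):
        self.reinstall_allowed = reinstall_allowed
        self.key = None
        self.nonce = 0
        self.nonces_used = set()

    def install_key(self, key: bytes) -> bool:
        # Fix: a key that is already installed is not installed again, so a
        # retransmitted message 3 cannot reset the counters.
        if self.key is not None and not self.reinstall_allowed:
            return False
        self.key = key
        self.nonce = 0          # "reset to their initial value" from the quote
        return True

    def encrypt(self, plaintext: bytes):
        """Encrypt one packet; report whether this nonce was used before."""
        nonce = self.nonce
        self.nonce += 1
        reused = nonce in self.nonces_used
        self.nonces_used.add(nonce)
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext))), reused


def simulate(reinstall_allowed: bool) -> dict:
    """Install the key, send a packet, replay the install, send another packet."""
    client = Client(reinstall_allowed)
    client.install_key(PTK)                 # genuine handshake message 3
    n1, c1, _ = client.encrypt(P1)
    client.install_key(PTK)                 # replayed handshake message 3
    n2, c2, reused = client.encrypt(P2)
    # With nonce reuse, c1 XOR c2 == P1 XOR P2, so anyone who knows P1 learns P2.
    recovered = xor(xor(c1, c2), P1)
    return {
        "nonces": (n1, n2),
        "nonce_reused": reused,
        "second_packet_exposed": recovered == P2,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(reinstall_allowed=True))
    print("patched:   ", simulate(reinstall_allowed=False))
```

Running it shows the vulnerable client using nonce 0 for both packets and the second packet being fully exposed to a passive observer who knows the first, while the patched client keeps counting from 1 and leaks nothing. The same "install once" rule is what the vendor patches enforce on real supplicants.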
Vanhoef adds that the vulnerability is also present in the WPA1 protocol and that many Android smartphones are especially vulnerable to the flaw. As a proof of concept, a key reinstallation attack was deployed against an Android smartphone. As seen in the video below, all the data transmitted to and from the victim's device can be effectively decrypted and viewed.
So what does this mean in reality for a regular layperson?
Not a great deal, thankfully.
The vulnerability is not especially easy to exploit and requires an attacker to be within range of a specific Wi-Fi signal. While a targeted system can be effectively spied on if compromised, this vulnerability does not circumvent other forms of encryption such as HTTPS. A virtual private network (VPN) also adds extra protection and would circumvent this vulnerability.
So if you use a VPN and force HTTPS connections you are still safe from this vulnerability, but some reports are raising the prospect of Internet-of-Things devices being particularly susceptible, as they transmit data over Wi-Fi networks without those protections.
"Your home network is vulnerable," writes security specialist Robert Graham. "Many devices will be using SSL/TLS, so are fine, like your Amazon Echo, which you can continue to use without worrying about this attack. Other devices, like your Philips lightbulbs, may not be so protected."
The Wi-Fi Alliance has put out a security update suggesting this vulnerability can be resolved through "straightforward software updates" and patches are already reportedly being deployed. All devices produced from this point forward will now also be required to be tested for this particular vulnerability.
Microsoft has already released a patch for the vulnerability, and Google says an Android patch will be deployed in the coming weeks. Of course, fixing the problem is only half the battle, as there are countless systems out there that inevitably won't be updated, meaning the fallout from this discovery will be felt for some time to come.
As we saw earlier this year with the WannaCry ransomware outbreak, the big problem faced in battling cyberattacks is the sheer volume of computer systems still running on outdated Windows XP platforms. The exploit behind WannaCry had been discovered and patched on most current systems, but hundreds of thousands of computers around the world were running old operating systems that were never updated. This new KRACK vulnerability is yet another security hole that will take years to fully resolve.
Source: Krack Attacks