KRACK: Your Wi-Fi is no longer secure

Every Wi-Fi network using WPA or WPA2 encryption is vulnerable to a key reinstallation attack. Here are some more details and means of protection.

Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published today, is probably even bigger than the recently disclosed Yahoo breach and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.

A paper published today describes how virtually any Wi-Fi network that relies on WPA or WPA2 encryption can be compromised. And with WPA being the standard for modern Wi-Fi, that means pretty much every Wi-Fi network in the world is vulnerable.

The research is quite complicated, so we won’t go through it in detail and will just briefly highlight the main findings.

How KRACK works

Researchers have found out that devices based on Android, iOS, Linux, macOS, Windows, and some other operating systems are vulnerable to some variation of this attack, and that means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.

In particular, they describe how an attack on Android 6 devices works. To execute it, the attacker has to set up a Wi-Fi network with the same name (SSID) as that of an existing network and target a specific user. When the attacker detects that the user is about to connect to the original network, they can send special packets that make the device switch to another channel and connect to the fake network with the same name.

After that, using a flaw in the implementation of the encryption protocols they can change the encryption key the user was using to a string of zeroes and thus access all of the information that the user uploads or downloads.

One may argue that there’s another layer of security — the encrypted connection to a site, e.g., SSL or HTTPS. However, a simple utility called SSLstrip set up on the fake access point is enough to force the browser to communicate with unencrypted, HTTP versions of websites instead of encrypted, HTTPS versions, in cases where encryption is not correctly implemented on a site (and that is true for quite a lot of websites, including some very big ones).

So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them.

What can you do to secure your data?

The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but — like pretty much any other type of attack — this one is not the end of the world. Here are a couple of tips on how to stay safe from KRACK attacks in case anyone decides to use them against you.

  • Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
  • The researchers warned some network appliance manufacturers (including the Wi-Fi Alliance, which is responsible for standardizing the protocols) in advance of releasing their paper, so most of them have to be in the process of issuing firmware updates that can fix the issue with key reinstallation. So check if there are fresh firmware updates for your devices and install them as soon as possible.
  • You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device. You can read more on what a VPN is and how to choose one, or grab Kaspersky Secure Connection right away.
Tips