KRACK, WPA2 & Unforeseen Behavior
Earlier this week Mathy Vanhoef, a security researcher at the Belgian KU Leuven University, released details on an attack which can compromise the security of Wifi networks secured with WPA and WPA2. These attacks - which were named KRACK - caused a significant stir in both the information security community and the general news media.
Unfortunately, much of the reporting on this issue has been sensationalized and oversimplified to a point where even basics are misstated. In this briefing, we will have a look at KRACK and attempt to clarify the impact it is likely to have.
WPA2 is an authentication and encryption algorithm used to secure 802.11 compliant wireless transmissions (“Wifi”). It replaced WPA (which has several theoretical vulnerabilities) and WEP (which is completely broken). If you have a phone, tablet, computer, coffee maker, car or any other kind of device with Wifi functionality built after 2004, it is almost certainly guaranteed to support WPA2.
KRACK can be use to decrypt - and on some devices also to manipulate - data sent over a WPA and WPA2 protected wifi network.
How does it work?
The exact technique behind KRACK is too complex to adequately explain in this briefing. If you are interested, we encourage you to read the original paper. A highly compressed summary is that the WPA2 standard never explicitly specified that a certain encryption key must not be used more than once. WPA2 uses many changing encryption keys to operate and the same key will never be used during regular interactions between legitimate access points and clients. However Mr. Vanhoef discovered that attackers can trick wireless clients into re-using old keys repeatedly or even using very weak encryption keys. This in turn makes it trivial to decrypt the transmitted data.
This is a great example of a well designed and well tested security mechanism that fails because attackers use it in ways that its creators didn’t anticipate.
What KRACK is not
Despite of what has been reported by various news outlets, KRACK is not the end of WPA2. It is possible to fix the vulnerability without breaking compatibility with unpatched devices and all major vendors are currently working on patches.
KRACK also does not reveal the PSK (“wifi password”) used by the network. An attacker can thus not use the attack to authenticate with a WPA2 protected network. Merely traffic sent between a legitimate client and the access point can be decrypted and potentially manipulated.
Lastly, KRACK can not be used to decrypt WPA2 protected traffic that was previously captured. The attack needs to constantly trick clients into reusing old encryption keys to work. This is also why - while definitions vary - many security researchers do not consider WPA2 itself to be broken.
How can I protect myself?
The risk a private user faces from KRACK has been overblown by media reports. The attacker needs to be in constant close proximity of the victim for the attack to succeed. Unless you present a highly valuable target to attackers, it is very unlikely that you will be targeted. Updating all of your devices as soon as patches become available should be adequate protection.
The risk for corporate networks is significantly larger. Decrypting large amounts of corporate data traffic in hopes of stealing confidential information or access credentials appears to be a viable use for this attack vector. The attackers will still need to be in close physical proximity to the target company, thus significantly increasing the risk of detection and arrest compared to a remote cyber attack. Companies are encouraged to ensure all devices are updated in a timely manner.
Lastly, using protocol level encryption for all communications will completely mitigate KRACK. This means for example ensuring you are using HTTPS when loading websites or SMTPS, IMAPS or POPS when using email clients. Unfortunately, while these practices are used by most users when dealing with servers on the internet, many home or office servers do not use proper encryption and rely only on security provided by the closed Intranet. If your home or corporate network should have such services, we highly recommend that you upgrade or reconfigure them to use encryption for all communications.