First published in Computing – Wireless encryption showing signs of KRACKing?
This morning at 8am Eastern Standard Time the cybersecurity industry received its latest shot of adrenaline as researchers revealed high-severity vulnerabilities in the Wi-Fi Protected Access II protocol: vulnerabilities so severe that attackers can eavesdrop on Wi-Fi traffic passing between computers and access points. This is not the first time Wi-Fi connections have been found wanting and it will not be the last.
History repeating itself?
In 2001, two researchers published a cryptanalysis of Wireless Equivalent Privacy (WEP) – the protocol that until then kept your Wi-Fi connections secure. This publication was refined over the following years with additional vulnerabilities exploited to decrypt WEP keys within minutes. By 2008, WEP had been banned by the Payments Card Industry (PCI) as an encryption standard.
Wi-Fi Protected Access II (WPA2) has become the de facto standard for wireless encryption for home and business networks. This protocol has been relatively difficult to decrypt, with attacks requiring a large amount of computing power or prior knowledge of the WPA Pre-Shared Key structure – but attacks have happened.
A vulnerability which cuts deep
Today, researchers from Belgium released an attack that will change the prevailing dynamic. Rather than using mathematically difficult attacks that rely on guessing passwords, their research presents ‘KRACK’, short for Key Reinstallation AttaCK.
By exploiting design or implementation flaws, attackers can reinstall an already in-use key. This allows decryption of communications that were previously assumed to be secure: communications such as passwords and cookies. Furthermore, attackers can now inject additional data, such as a ransomware payload, into HTTP requests.
There are limitations in the scope of the vulnerability, but the research has already been proven to affect most clients tested, including iOS, Android and Windows. It also affects other variations of WPA such as GCMP, which is expected to be widely adopted in the coming years.
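Why reinstalling an in-use key exposes traffic, as an added example that is not from the original article: according to the published KRACK research, a reinstall rewinds the transmit packet number, so two frames end up encrypted with the same keystream. The `Client` class, the HMAC-based keystream (a stand-in for the real Wi-Fi cipher), the key and the sample frames are all constructed for illustration.

```python
import hashlib
import hmac

def keystream(key, packet_number, length):
    """Stand-in cipher: the keystream depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Models only the key-install and transmit steps of a Wi-Fi client."""
    def __init__(self, patched):
        self.patched, self.key, self.packet_number = patched, None, 0

    def install_key(self, key):
        # Patched behaviour: installing the key already in use is a no-op,
        # so the packet number is never rewound.
        if self.patched and key == self.key:
            return
        self.key, self.packet_number = key, 0

    def send(self, plaintext):
        self.packet_number += 1
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)

P1 = b"GET /index.html HTTP/1.1"      # constructed sample frames
P2 = b"Cookie: session=constructed"

def run(patched):
    """Send one frame, install the same key again, send a second frame."""
    client = Client(patched)
    key = b"constructed-session-key"
    client.install_key(key)
    pn1, c1 = client.send(P1)
    client.install_key(key)           # same key installed a second time
    pn2, c2 = client.send(P2)
    # If the keystream repeated, XOR of ciphertexts equals XOR of plaintexts.
    return pn1, pn2, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", run(False))   # packet numbers and whether XOR leaked
    print("patched:  ", run(True))
```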
The seriousness of this bug is demonstrated by the United States Computer Emergency Readiness Team (CERT) issuing a warning last night in response to the vulnerability. The danger is compounded by the fact that vendors are slow to patch, and the user community is unwilling to patch or change. There are still 10% of networks across the world using WEP, despite its security issues.
What can I do?
Right now, not a lot, but here are a few mitigations.
- Are you a target? Unlikely if you are using a home network since corporate and high-value networks present a much better target. The attacks at present are difficult and no tools have been released to allow widespread adoption – yet. These will come quickly.
- Use TLS. Most of your connections will rely on WPA to secure the network, but websites and transactions will be secured using additional protocols such as HTTPS/TLS. While additional attacks exist against these protocols, they offer a relatively reliable level of security.
- Use a virtual private network (VPN). If you are in real doubt, a VPN will essentially wrap your traffic inside another secured network allowing you to break out in a separate location.
- Patch when possible. This is a client-level issue so ensure that your clients are updated as soon as possible. Vendors have been aware of this issue for a few weeks so should be pushing updates shortly.
While this continues an alarming trend in the security issues related to Wi-Fi, it could be used as a catalyst for rapid adoption of a more secure protocol. The Wi-Fi Alliance has already summarised a plan of action and vendors are working hard to address the issue as soon as possible.