The KRACK Attack
Researchers out of KU Leuven recently disclosed a major vulnerability in the WPA2 protocol. The attack, known as KRACK, works by forcing the victim to reinstall an already-used key. By replaying message 3 of the WPA2 four-way handshake, the attacker can make the victim reuse nonces and reset replay counters. With this known key, and if the attacker knows the plaintext being sent, it becomes trivial to decrypt WPA2 traffic. Mathy Vanhoef, the lead researcher on this project, has confirmed that the flaw exists in the WPA2 protocol itself; this means that all vendors, all implementations, and all operating systems are affected. Vanhoef goes into much more detail on the theory and potential impact on his site, KRACK Attacks.
As a proof of concept (PoC), Vanhoef released a video executing the attack against an Android phone.
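To make the reinstallation step concrete, here is an added toy model of a WPA2 client handling message 3, written for this post and not taken from Vanhoef's research or from any real 802.11 implementation. The PTK derivation, the CCMP keystream and the frame format are stand-ins (hypothetical helpers constructed for the illustration); what is faithful is the state-machine behaviour: a pre-patch client reinstalls the PTK and resets its packet nonce to zero every time a message 3 arrives, while a patched client answers with message 4 but refuses to reinstall a key that is already in use, so the nonce keeps counting.

```python
"""Toy model of the WPA2 four-way handshake key-installation step.

Constructed illustration of the KRACK reinstallation flaw, not real 802.11 code:
the PTK derivation, the per-packet nonce and the "keystream" are stand-ins
(hypothetical helpers), and message 3 is reduced to the fields that matter.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Stand-in for the PTK derivation: same PMK and nonces give the same PTK."""
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()


def keystream_block(ptk: bytes, packet_nonce: int) -> bytes:
    """Stand-in for the CCMP keystream. As in CCMP, it depends only on the key and
    the packet nonce, so the same key with the same nonce yields the same keystream."""
    return hmac.new(ptk, packet_nonce.to_bytes(6, "big"), hashlib.sha256).digest()


@dataclass
class Message3:
    replay_counter: int   # EAPOL replay counter, incremented by the AP on retransmission
    anonce: bytes         # the AP's nonce; unchanged on retransmission, so the PTK is unchanged


@dataclass
class Client:
    pmk: bytes
    snonce: bytes
    hardened: bool                              # True: refuse to reinstall an already-installed key
    ptk: Optional[bytes] = None
    installed_anonce: Optional[bytes] = None
    tx_nonce: int = 0                           # packet number used as the CCMP nonce
    msg4_replies: List[int] = field(default_factory=list)

    def on_message3(self, msg: Message3) -> None:
        # Always answer with message 4: the AP may genuinely have missed the first one.
        self.msg4_replies.append(msg.replay_counter)
        if self.hardened and self.installed_anonce == msg.anonce:
            # Patched behaviour: this PTK is already in use; leave the key and the
            # packet nonce alone so no nonce is ever used twice under the same key.
            return
        # Pre-patch behaviour: (re)install the PTK and reset the packet nonce to zero.
        self.ptk = derive_ptk(self.pmk, msg.anonce, self.snonce)
        self.installed_anonce = msg.anonce
        self.tx_nonce = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame; returns (packet nonce, ciphertext)."""
        if self.ptk is None:
            raise RuntimeError("no key installed")
        self.tx_nonce += 1
        ks = keystream_block(self.ptk, self.tx_nonce)
        return self.tx_nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def run_handshake_replay(hardened: bool) -> List[Tuple[int, bytes]]:
    """Drive one client through: message 3, two data frames, a replayed message 3
    (same ANonce, bumped replay counter), two more data frames. Returns the frames."""
    client = Client(pmk=b"constructed-pmk", snonce=b"S" * 32, hardened=hardened)
    anonce = b"A" * 32  # constructed sample value
    frames: List[Tuple[int, bytes]] = []
    client.on_message3(Message3(replay_counter=2, anonce=anonce))
    frames.append(client.encrypt(b"GET / HTTP/1.1\r\n"))
    frames.append(client.encrypt(b"Host: example\r\n"))
    # The retransmitted message 3 reaches the client after it already installed the key.
    client.on_message3(Message3(replay_counter=3, anonce=anonce))
    frames.append(client.encrypt(b"GET / HTTP/1.1\r\n"))
    frames.append(client.encrypt(b"Cookie: secret\r\n"))
    return frames


def reused_nonces(frames: List[Tuple[int, bytes]]) -> Set[int]:
    """Packet nonces that appear more than once under one key: the condition a
    monitoring point can check for, and the one the patch makes impossible."""
    seen: Set[int] = set()
    dup: Set[int] = set()
    for nonce, _ in frames:
        (dup if nonce in seen else seen).add(nonce)
    return dup


if __name__ == "__main__":
    for hardened in (False, True):
        frames = run_handshake_replay(hardened)
        label = "hardened" if hardened else "vulnerable"
        print(label, [n for n, _ in frames], "reused:", reused_nonces(frames))
```

Running the vulnerable path gives packet nonces 1, 2, 1, 2: the third frame carries the same plaintext under the same key and nonce as the first, so its ciphertext is byte-for-byte identical, which is the keystream reuse the post describes. The hardened path gives 1, 2, 3, 4 and no duplicates, while still replying to the retransmitted message 3, so a lossy link is handled without ever reinstalling the key.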
What You Can Do
Since Vanhoef released this flaw so recently, vendors are rushing to push out implementation-specific patches for their equipment. Aruba, Ubiquiti, and Eero confirmed they already released patches, and Apple, Samsung, Amazon, and Google, among others, have patches in the works. In the meantime, what can you do to protect yourself?
- Don’t use Wi-Fi for critical communications – While difficult in practice, with an attack like this, don’t take any risks. We can guarantee that hackers are already attempting to exploit this, so if you’re a target, don’t give them an opportunity to steal any valuable information. If you can, connect to a network physically via Ethernet until you can apply vendor fixes.
- Apply vendor patches immediately – If your vendor reports that the attack affects their equipment – or even if they don’t – apply patches as soon as possible. Make sure they’re official fixes from the vendor; we wouldn’t be surprised to see hackers release fake patches that don’t fix the flaw or that install something nasty on your system. Test the patches to ensure they don’t break anything else or make a problem worse. Check, double check, then install.
- Remain calm – Media outlets have continuously posted on this attack, whipping their readerships into a panic. Don’t join them. Vanhoef confirmed that the attack doesn’t disclose any passwords, but you may want to change them, just in case. You should already be using SSL where possible, but attacks on that have existed for years, so make sure all is in order there. Keep following your organization’s security policies (you have them, right?), follow security industry best practices, and don’t make panic-based decisions. Your processes exist for these situations; don’t give up on them right when they have the most value.
- KRACK Attacks – the initial disclosure site by Mathy Vanhoef
- ZDNet’s listing of known vendor patches
- Ars Technica coverage
Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and managed security services to small- and medium-sized businesses. We help our clients navigate the increasingly complex world of cybersecurity, from advising executives on long-term cybersecurity objectives to training analysts and engineers on emerging trends and threats. With industry experts in cybersecurity policy and regulations, compliance, and system hardening and monitoring, SCS can help businesses address any cyber threats out there today, whether small or large, internal or external. We champion a strategy of readiness and resilience. No matter the threat, SCS can and will protect against it. Contact us today.