How the KRACK attack destroys almost all Wi-Fi security

Share

In practical terms it could allow an attacker to decrypt data sent across a supposedly secure network.

The open, shared by Ars Technica, takes advantage of vulnerabilities in WPA2 security protocol. The Consumerist, which notes that "basically every device on earth" is affected, says users should also install security updates on any connected devices as soon as prompted.

A video showing a technical explanation of the attack on YouTube explains how it is "exceptionally devastating" against Android phones, which can be "tricked" into installing an empty encryption key.

They advised users to patch all Wi-Fi access points and clients when the fixes are available for the devices.

Vanhoef said his proof-of-concept attacks do not recover the password of the Wi-Fi network, nor do they recover any parts of the fresh encryption key that is negotiated during the 4-way handshake.

The researcher goes on to say that WPA2 implementations can be patched in a backwards-compatible manner, meaning that a patched client can communicate with an unpatched access point, and vice versa.

"It is likely that some products, particularly Android smartphones, and Wi-Fi routers, will never be fixed".

Usually we would recommend changing your password but that won't really help in this instance as the attacker doesn't even need to know your Wifi password to execute the attack. A flavor of Linux and devices using Android 6.0 and up are especially vulnerable.

Meanwhile, Microsoft said customers who have the latest Windows Update, launched last week, and applied the security updates, are automatically protected.

While there's no indication yet that the vulnerability has been exploited in the wild, the Wi-Fi Alliance said it is urging device vendors to integrate patches quickly. That means that if your device uses Wi-Fi, KRACK likely impacts it.

The vulnerability can be exploited by hackers to steal personal information such as your credit card numbers, passwords, emails, photos, and more.

As I've previously written, the padlock indicates that traffic to and from a site is encrypted - via the HTTPS protocol- which basically means no one but that site can read any sensitive information you share.

Notably, the site in the demonstration doesn't use the secure HTTPS protocol, which adds another level of encryption.

ZDNet reports that "News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug".

So, in a way, thanks to this flaw, hackers are now able to manipulate those key in such a way that they gain access to a person's private information.

The flaw, and hence the opening for the attack, is in the "cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated".

"Instead, you should make sure all your devices are updated, and you should also update the firmware of your router". Google has already confirmed that it is aware of the issue and is working on a patch, and Apple and Microsoft will presumably do the same, as well as Linux purveyors.

Share