Published: 18/10/17 by Matthew Bowers
Details of a newly discovered and serious vulnerability in the WPA wireless network security protocol were first released on Monday 16th October, with the exploitable flaw dubbed the KRACK Attack (Key Reinstallation Attack).
Since the vulnerability disclosure, our researchers, Matthew Bowers and Peter Bassill, have been researching how the vulnerability manifests itself and how it could be taken advantage of.
As of the 18th of October, our researchers have a proven validated attack against previously secured WPA and WPA2 networks.
While we have not and will not be releasing the exploit code publicly, it will not be long before someone does.
How does it work?
Essentially, this attack targets the WPA 4-way “handshake”, a four-message exchange between two parties that takes place each time a Wi-Fi device such as a laptop or phone connects (or reconnects) to a Wi-Fi Access Point (such as a Wi-Fi-enabled router).
By disrupting this handshake, an attacker can cause the device to reinstall a cryptographic key that is already in use. Reinstalling the key resets the packet number (nonce) that goes with it, so the same keystream is reused repeatedly, allowing information travelling between the Access Point and a connected device to be decrypted.
The KRACK attack targets Wi-Fi clients connecting to Access Points rather than Access Points themselves. Thus, the attack does not retrieve the Access Point’s Wi-Fi password, unlike other Wi-Fi attacks.
While periodically changing an Access Point’s password is generally good practice, it unfortunately does not mitigate the KRACK Attack in any way.
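To make the key-reuse point concrete, the following is an added example, not code from the original post: a small model of a client’s pairwise-key state that shows why reinstalling an in-use key (and so resetting its packet number) lets an observer relate two ciphertexts, and how a patched client that refuses the duplicate install avoids it. The HMAC-based keystream, the `Client` class and the sample frames are constructed stand-ins for CCMP’s AES-CTR and real Wi-Fi traffic.

```python
import hashlib
import hmac

# Constructed sample traffic: two frames the client sends after the handshake.
PT1 = b"GET /index.html HTTP/1.1"
PT2 = b"Cookie: session=abc123; "


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Stand-in for CCMP's AES-CTR, built from
    HMAC-SHA256 so the example runs on the standard library alone."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(tk, nonce + block.to_bytes(2, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal model of a Wi-Fi client's pairwise-key state.
    patched=False: every key install resets the packet number (the KRACK defect).
    patched=True: a key that is already in use is not reinstalled."""
    def __init__(self, patched: bool):
        self.patched, self.tk, self.pn = patched, None, 0

    def install_key(self, tk: bytes) -> None:
        if self.patched and tk == self.tk:
            return                      # duplicate install ignored: PN keeps counting
        self.tk, self.pn = tk, 0        # fresh key => packet number starts at zero

    def encrypt(self, plaintext: bytes) -> tuple:
        nonce = self.pn.to_bytes(6, "big")   # CCMP's nonce is derived from the 48-bit PN
        ct = xor_bytes(plaintext, keystream(self.tk, nonce, len(plaintext)))
        self.pn += 1
        return self.pn - 1, ct


def simulate(patched: bool) -> dict:
    """Install the handshake key, send PT1, install the *same* key again
    (what a retransmitted handshake message triggers), then send PT2."""
    tk = bytes(range(16))                # constructed sample temporal key
    c = Client(patched)
    c.install_key(tk)
    pn1, ct1 = c.encrypt(PT1)
    c.install_key(tk)                    # key reinstallation
    pn2, ct2 = c.encrypt(PT2)
    # Same key and same nonce => same keystream => ct1 ^ ct2 == PT1 ^ PT2,
    # so knowing one plaintext reveals the other without ever learning the key.
    return {"nonces": (pn1, pn2), "recovered_pt2": xor_bytes(xor_bytes(ct1, ct2), PT1)}
```

With `patched=False` both frames go out under packet number 0 and the second plaintext is recovered exactly; with `patched=True` the packet number advances to 1 and the XOR yields only noise.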
What should be done?
It is important to ensure that all your wireless devices are updated as soon as firmware updates are available. This means updating your wireless access points as well as your phones, tablets, laptops and anything else that uses wireless technology to connect.
Updating Wi-Fi connected-device operating systems (such as Android and iOS) should take priority over updating router firmware. For companies and governments, wireless should be assumed to no longer be a secure mechanism of network connection, and any wireless networks carrying sensitive information should be disabled immediately.
Important Points to Know:
– The KRACK Attack flaw exists within the WPA protocol itself and not in particular hardware or software products
– The KRACK Attack exists in various forms which target different WPA handshakes occurring in different situations
– Android, Linux and OpenBSD devices are especially vulnerable to the KRACK Attack but all operating systems are vulnerable to one form or another of the attack
– Both WPA2 and the older WPA are vulnerable
– Both personal and enterprise (corporate) WPA/WPA2 networks are vulnerable
– We are aware of actual real-life attack code being available at the time of writing
– While the KRACK Attack breaks WPA/WPA2 Wi-Fi encryption, websites transmitting data using SSL/TLS (i.e. those which begin with ‘https’ in the URL bar) use a separate and additional form of encryption which is not affected by the KRACK Attack.
However, due to a flaw in the Android 6.0 (and higher) operating system code, some websites’ additional encryption could be downgraded using a special hacking tool called sslstrip if an attacker were to use the KRACK Attack to perform a Man-In-The-Middle attack on an Android 6.0 or higher phone.