It may feel like the internet is hyperventilating over the newly revealed WPA2 security flaw, but as more stories and analysis surface, we’re learning that not only is the hysteria warranted, but the flaw is something we should all understand going forward.
I’ll try to translate what’s going on as best I can, per Mathy Vanhoef, who discovered the vulnerability, and Zack Whittaker, who writes for Zero Day over at ZDNet.
Plainly put, a bug affectionately called KRACK (Key Reinstallation Attack) has put almost every modern Wi-Fi-enabled device and its content at risk of being decrypted by hackers.
What KRACK does is highlight a flaw in the widely used wireless security protocol called WPA2. Specifically, KRACK attacks WPA2’s four-way handshake, which secures encrypted traffic over Wi-Fi, and gives hackers a chance to inject their own content into the previously secured traffic stream.
The flaw is so widespread that, as ZDNet revealed, US Homeland Security’s cyber emergency unit, US-CERT, began warning businesses about the bug two months ago.
As Vanhoef demonstrates, KRACK seems particularly troublesome for Android and Linux operating systems, but he also clearly states on his website, “if your device supports Wi-Fi, it is most likely affected.”
As for the specifics of the attack, the WPA2 flaw centers on the cryptographic nonce: when KRACK is applied, it tricks the device into reinstalling an authentication key that’s already in use, which resets the nonce. When a nonce is reused, hackers can then freely target the encryption level by “replaying, decrypting, or forging packets.”
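To see why a reused nonce is so damaging, here is an added example (not from the original article or from Vanhoef's research). It models a client whose packet counter restarts when a key already in use is installed again, next to a hardened client that ignores the repeat installation. The `Station` class, the sample packets and the SHA-256 keystream are constructed stand-ins, not WPA2's actual cipher.

```python
import hashlib

def keystream(key, nonce, length):
    """Toy keystream from key + nonce (stand-in for WPA2's real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        data = key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(data).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client that numbers every packet with a nonce."""
    def __init__(self, ignore_reinstall):
        self.ignore_reinstall = ignore_reinstall
        self.key = None
        self.nonce = 0

    def install_key(self, key):
        # Hardened behaviour: a key already in use is not installed again,
        # so the nonce counter keeps counting upwards.
        if self.ignore_reinstall and key == self.key:
            return
        self.key = key
        self.nonce = 0  # flawed behaviour: counter restarts for the same key

    def send(self, plaintext):
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

def run(ignore_reinstall):
    """Return (nonce_was_reused, second_packet_recovered)."""
    key = b"constructed-session-key"
    sta = Station(ignore_reinstall)
    sta.install_key(key)
    known = b"GET /index.html HTTP/1.1"    # constructed, guessable content
    secret = b"till-7 total=0019.99 EUR"   # constructed, same length
    n1, c1 = sta.send(known)
    sta.install_key(key)                   # same key delivered a second time
    n2, c2 = sta.send(secret)
    # Equal nonces mean equal keystreams, so c1 ^ c2 == known ^ secret.
    return n1 == n2, xor(xor(c1, c2), known) == secret

if __name__ == "__main__":
    print("flawed client:  ", run(False))
    print("hardened client:", run(True))
```

With the flawed client both packets are encrypted under nonce 1, so one known packet is enough to read the other without ever learning the key; the hardened client keeps counting and the same arithmetic yields nothing.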
Despite being a wireless-based attack, the injection process requires the attacker to be in relatively close proximity. However, Vanhoef also states that businesses using HTTPS to transmit traffic are still relatively safe from KRACK, as the protocol still encrypts data from a browser to a server. Those potentially most affected by this vulnerability will be businesses using cash registers that have Wi-Fi connectivity to their local network.
Many businesses have already been briefed on the matter, and we should expect to see a slew of patches released all week to address this issue. Quick on the uptake is Microsoft, which has reportedly already patched supported versions of Windows for devices that have automatic updates enabled. For users who do not have automatic updates enabled, we suggest you update your Wi-Fi Windows devices immediately.
Updated with a statement from a Microsoft spokesperson to Neowin: “Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”