News broke earlier this week about a new form of attack that can break most modern Wi-Fi encryption. The new exploit was discovered by Mathy Vanhoef of imec-DistriNet. The exploit, named the Key Regeneration Attack (KRACK), works against “all modern protected Wi-Fi networks”. The attack is particularly devastating because it does not exploit a flaw in a particular device. Instead, KRACK exploits a flaw in the Wi-Fi standard itself, specifically in the WPA2 protocol. This means that any device that implements the standard correctly is affected. Linux-based devices, including Android, are especially vulnerable to this attack.
A very simple explanation of the KRACK attack.
This attack does not work by brute force like many others; it works by tricking the device into reinstalling an encryption key it is already using. It does this by interfering with the WPA2 4-way handshake, the process by which the access point and the client make sure they are using the same key. Without this process, encryption would not work. With the Key Reinsertion Attack, an attacker collects and retransmits the third of the four handshake messages. This causes the client to reset the counters associated with the encryption, known as the nonce. When these counters are reset, the encryption protocol reuses keystream that has already been used. An attacker who knows the content of some packets can use them to recover the keystream, and can then decrypt any other packets encrypted with the same nonce. Vanhoef goes into much more detail in his paper and on the website he set up. He also included a demo video, which I have embedded for your convenience.
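To make concrete why a reset packet number is fatal under a counter-mode cipher, here is an added toy model (my own, not Vanhoef's code or any real Wi-Fi stack): HMAC-SHA256 stands in for the AES block that CCMP uses, `Station` carries the packet number that a key (re)install zeroes, and `patched` models the vendor fix of refusing to reinstall a key that is already in use.

```python
import hashlib
import hmac
import os

def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    # Counter-mode keystream. HMAC-SHA256 stands in for the AES block
    # CCMP uses; the property that matters is that the output depends
    # only on (key, packet number), never on the plaintext.
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Toy client: one pairwise key plus the packet number (nonce) fed to CCMP."""
    def __init__(self, ptk: bytes, patched: bool):
        self.ptk, self.patched = ptk, patched
        self.installed, self.pn = False, 0

    def on_handshake_msg3(self) -> None:
        # Pre-fix behaviour: installing the key zeroes the packet number.
        # The fix vendors shipped: never reinstall a key already in use.
        if self.patched and self.installed:
            return
        self.installed, self.pn = True, 0

    def encrypt(self, plaintext: bytes) -> tuple:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def nonce_reuse_outcome(patched: bool) -> tuple:
    """Replay message 3 between two frames. Returns (nonce_reused, recovered):
    what an eavesdropper who knows frame 1's content gets back when it XORs
    the keystream recovered from frame 1 onto frame 2."""
    sta = Station(os.urandom(32), patched)
    known = b"GET /index.html HTTP/1.1\r\n"    # constructed: predictable content
    secret = b"Cookie: session=d3adb33f\r\n"   # constructed: same length
    sta.on_handshake_msg3()                    # genuine message 3
    pn1, ct1 = sta.encrypt(known)
    sta.on_handshake_msg3()                    # retransmitted message 3
    pn2, ct2 = sta.encrypt(secret)
    ks = xor(ct1, known)                       # keystream for (ptk, pn1)
    return pn2 == pn1, xor(ct2, ks)

if __name__ == "__main__":
    print(nonce_reuse_outcome(patched=False))  # (True, b'Cookie: session=d3adb33f\r\n')
    print(nonce_reuse_outcome(patched=True))   # False: packet numbers differ, bytes are garbage
```

Against the unpatched station the second frame is recovered byte for byte from nothing but the first frame's known content; the patched station keeps counting, so the recovered keystream applies to nothing else.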
What to do now
Well, the good news is that Mr. Vanhoef did the right thing and notified vendors and CERT before going public, so most vendors have had ample time to issue patches. Sadly, not everyone has gotten a patch out yet, but many vendors have issued patches and updates. The best thing you can do is check with your hardware manufacturer or OS vendor to see whether updates are available; if there are, install them immediately.
In the meantime, here are some things you can do (and shouldn’t do) to make yourself safer. Honestly, some of these are good ideas to implement anyway.
- If you are using WPA2 with TKIP, switch it over to AES.
- Make sure you browse over HTTPS.
- Ensure your email and other special-purpose clients use secure connections.
- Use a VPN to create a secure tunnel for your connection.
- Do not go back to WEP; that could be worse, since WEP is notoriously insecure.
- Don’t bother hiding your SSID; it won’t help, since just about any hacker, or even a general computer technician, can still find your network and its SSID with minimal effort.
I also would caution against being too worried about this, especially for home use. This attack can only affect you if the attacker is within range of your Wi-Fi. I am not saying that you should not take this issue seriously: if there are patches available for your hardware, install them immediately. Oh, and while we are on the subject, that free, open Wi-Fi you use everywhere carries the same risk as this hack. You are putting any unencrypted data out there to be scooped up by anybody lurking around. Just putting that out there in case you didn’t know.