Security researchers uncover KRACK, a major Wi-Fi security flaw

16 Oct 2017


The KRACK exploit could affect any Wi-Fi device.

This morning (16 October), researchers reported details of a new threat known as KRACK (key reinstallation attack).

Ars Technica reported that researcher Mathy Vanhoef released information on the attack. Vanhoef described it in stark terms: “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.

“The attack works against all modern, protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Leaving devices open to eavesdropping

KRACK targets Wi-Fi Protected Access 2 (WPA2), the protocol people rely on to keep their Wi-Fi traffic hidden from others.

In a KRACK attack, the attacker tricks a victim into reinstalling a key that is already in use. Each key should be unique, but a problem with WPA2 means that an attacker can manipulate the steps of the ‘handshake’ between a router and a connected device, making it possible for these messages to be intercepted without detection.

According to the researchers, Android and Linux users are more vulnerable, as seen in this demo video.

Vanhoef said that, in July of this year, the researchers notified the vendors whose products they had tested, while the US Computer Emergency Readiness Team (US-CERT) sent out a broad notification to vendors on 28 August.

Weakness in the Wi-Fi standard itself

It appears at this point that any device that uses Wi-Fi could be affected, said Vanhoef. “The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

“To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks.”

A Google spokesperson said to Forbes: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”

US-CERT has also issued a warning on the flaw: “US-CERT has become aware of several key management vulnerabilities in the four-way handshake of WPA2 security protocol.”

Update and patch where possible

Devices such as laptops and smartphones will need to be updated as well as routers, and Vanhoef recommends users get in touch with the relevant companies to keep an eye on delivery of patches.

On a positive note, remote attacks using this exploit alone are impossible as the hacker would need to be in physical proximity to the router. Alan Woodward, encryption expert from the University of Surrey, explained that the attack is not scalable. “It’s a very targeted attack – not like we’re all going to be hit as attackers can only be in so many Wi-Fi zones at once.”

It is unclear if the vulnerability has been used on a real network as of yet. “We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” said Vanhoef.

The vulnerability poses particular problems for ISPs when it comes to ensuring every device is patched.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects