In our increasingly networked world, many of our IoT devices rely on Wi-Fi security for safe communication. Now a group of security researchers is set to reveal that the most popular Wi-Fi security protocol currently in use, WPA2, has an inherent flaw.
The flaw is called KRACK, short for Key Reinstallation Attacks, and according to the United States Computer Emergency Readiness Team it poses a real risk to the safety of our data:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
According to Ars Technica, the hack works by exploiting a four-way handshake that’s used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it’s resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
Fortunately, web traffic is increasingly protected by HTTPS due to pressure by Google on commercial websites, but internal network traffic in companies and traffic between Internet of Things devices, which is usually not further encrypted, would be very vulnerable, exposing both individuals and companies to a significant risk of information leaking.
Some companies such as Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, are already prepared to patch their access points, but it is likely the vast majority of access points will never be updated. When connecting through an unpatched Wi-Fi access point, using a reliable and trusted VPN service should provide some security.
The security researchers are set to release the details of the flaw in the protocol at 8AM Monday morning Eastern Time at krackattacks.com, before it is formally presented on November 1st in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 at a security conference in Dallas.