Monday morning brought the startling discovery that Wi-Fi Protected Access 2 (WPA2), a common protocol for securing wireless networks, suffers from a number of vulnerabilities that may expose sensitive information to attackers.
Make no mistake, the threat posed by the exploits—dubbed KRACK, short for Key Reinstallation Attacks, by the researchers who discovered the vulnerabilities—is serious. Just about every device capable of connecting to a wireless network is at risk. But the attacks have limitations and users are not without options to protect themselves.
First, it’s important to understand how an attack using KRACK could work. Were an attacker to utilize the KRACK vulnerabilities, they would take advantage of a flaw in a four-way handshake performed by the WPA2 protocol.
The so-called handshake takes place when a device wants to join a protected Wi-Fi network. The handshake confirms the device is authorized to join the access point through a credentialing process, like when a user enters the Wi-Fi password to connect to the network. At the same time, the network creates a fresh encryption key to encrypt all traffic from the newly connected device.
In order to exploit the process, the attacker has to trick the victim into re-installing an encryption key that is already in use. Encryption keys are only supposed to be installed and used once. When an attacker gets a victim to reuse the key, they gain access to all activity transmitted between a device and the access point, or could inject malicious data into the connection.
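The handshake and key-reuse problem described above can be modelled in a few lines. The following is an added example written for this article, not code from the article, the KRACK researchers or any Wi-Fi vendor. It assumes a simplified client: the real handshake messages, AES-CCMP and the nonce format are replaced by a toy keystream derived from (key, nonce), and the sample key and frames are constructed. It shows why reinstalling the same key resets the packet counter and makes two frames share a keystream, and how the fix (refusing to reinstall an already-installed key) keeps the counter moving.

```python
"""Model of why reinstalling a WPA2 session key is dangerous, and the fix.

Added example, not code from the article or the KRACK researchers. Only the
client-side key installation and the per-packet nonce counter are modelled;
the real AES-CCMP cipher is replaced by a hash-derived keystream so that
reuse is easy to observe.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream from (key, nonce). Same inputs give the same
    bytes, which is exactly why a reused nonce is fatal for a stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    patched: bool
    ptk: Optional[bytes] = None   # pairwise transient key for this session
    nonce: int = 0                # per-packet counter, must never repeat under one key
    installed_once: bool = False

    def on_handshake_message3(self, ptk: bytes) -> None:
        """Message 3 of the 4-way handshake tells the client to install the key.
        An unpatched state machine installs it again on every retransmission,
        resetting the nonce to zero each time."""
        if self.patched and self.installed_once and ptk == self.ptk:
            # Fix: acknowledge the retransmission but do NOT reinstall the key,
            # so the nonce counter keeps increasing.
            return
        self.ptk = ptk
        self.nonce = 0
        self.installed_once = True

    def encrypt(self, plaintext: bytes) -> tuple:
        """Encrypt one frame under the installed key, consuming one nonce."""
        n = self.nonce
        self.nonce += 1
        return n, xor(plaintext, keystream(self.ptk, n, len(plaintext)))


def simulate(patched: bool) -> dict:
    """One session: install key, send a frame, receive a retransmitted
    message 3, send another frame. Reports the nonces used and whether the
    two frames were encrypted with an identical keystream."""
    ptk = hashlib.sha256(b"constructed sample PTK").digest()  # constructed, not a real key
    client = Client(patched=patched)
    client.on_handshake_message3(ptk)
    frame_a = b"GET /account HTTP/1.1"   # constructed sample frames, same length
    frame_b = b"POST /login  HTTP/1.1"
    nonce_a, ct_a = client.encrypt(frame_a)
    client.on_handshake_message3(ptk)    # retransmitted message 3
    nonce_b, ct_b = client.encrypt(frame_b)
    # If the keystream was reused it cancels out: XOR of the ciphertexts equals
    # XOR of the plaintexts, which is the leak the article describes.
    reused = xor(ct_a, ct_b) == xor(frame_a, frame_b)
    return {"nonce_a": nonce_a, "nonce_b": nonce_b, "keystream_reused": reused}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", simulate(patched))
```

Running it prints the unpatched client using nonce 0 twice with `keystream_reused` true, and the patched client moving from nonce 0 to nonce 1 with no reuse; the vendor patches referred to later in the article amount to the `if self.patched ...` branch above.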
For the time being, these exploits are possible but primarily theoretical, as it does not appear that an attack exploiting the recently disclosed vulnerabilities has been executed in the wild—though researchers were able to successfully carry out a proof of concept attack. Kevin Beaumont, a security architect, wrote that there is currently no publicly available code to carry out the attack and noted it would require “incredibly high skill set” to execute.
Kevin Robinson, the vice president of marketing at the Wi-Fi Alliance —an organization that certifies Wi-Fi devices to ensure they conform to certain standards—confirmed to International Business Times that there is “no evidence that the vulnerability has been exploited maliciously.”
The attack is also not without its shortcomings according to Candid Wueest, a threat researcher at security firm Symantec. He told IBT the attack requires a threat actor to be in close proximity of a potential victim in order to exploit the vulnerability.
“As an attacker, you have to create your own spoofed or fake access point and the client has to connect to it,” he said. “You have to be in range of the Wi-Fi, let’s say about 30 feet. It’s not something someone from Europe can do to someone in the U.S.,” Wueest said.
He also said that there is no code execution in the vulnerability, meaning an attacker wouldn’t be able to create an attack that spreads from network to network. “There is no chance someone will create a virus that spreads from your Wi-Fi to the neighbor’s Wi-Fi and so on,” he said. “The risk is about modifying or reading the data that it transmits.”
Because of that, Wueest said KRACK is, for the most part, less worrying than an attack like the WannaCry ransomware attack that spread itself to more than one million machines worldwide earlier this year by exploiting a vulnerability first discovered by the United States National Security Agency.
Wueest also said the issue wasn’t as bad as the Heartbleed exploit disclosed in 2014. Heartbleed was a vulnerability in encryption software known as OpenSSL, which was used by hundreds of thousands of websites that handled secure information. The exploit allowed an attacker to send malicious code to a server and make it return sensitive information that would otherwise be encrypted.
It’s also important to not dismiss KRACK simply because it’s not as severe as other attacks, as it is a fundamentally different exploit.
“The KRACK vulnerability is different than past disclosures because the exploit doesn’t target your connected devices,” Gary Davis, chief consumer security evangelist at McAfee told IBT. “Instead, it targets the way your devices handle information and data, making any device that utilizes Wi-Fi vulnerable.”
Users should note that while WPA2 is affected by KRACK, they should not move away from the protocol. The research does not present a fundamental threat to the infrastructure on which wireless networks are built—the flaws can be fixed and likely will be addressed for many devices.
According to Mathy Vanhoef, the security researcher who discovered KRACK, WPA2 is already being reviewed for a possible update that will address the most serious of the security vulnerabilities.
The Wi-Fi Alliance announced a plan to help mitigate the threat of the discovery. The organization intends to test for the vulnerability during its certification process, provide a detection tool to identify the vulnerability for Alliance members and help Wi-Fi device vendors remedy potential security holes that could be exploited.
That said, KRACK unquestionably presents a significant security risk. If exploited, it could be used to steal sensitive information that an individual willingly shares online, such as credit card numbers, passwords, chat messages, emails, photos and more—and simply changing the Wi-Fi password on a router will do nothing to protect against it.
KRACK WPA2 Vulnerability Protection: Keep An Eye Out For Patches
The first thing any user should do is keep an eye out for patches. KRACK was first disclosed by researchers to vendors in July and disclosed to the Community Emergency Response Team (CERT) Communication Center—a partnership between Carnegie Mellon University’s Software Engineering Institute (SEI) and the U.S. Department of Homeland Security—in August. Broad disclosure of KRACK was delivered to vendors by CERT on Aug. 28, giving them plenty of time to prepare patches before public disclosure.
As a result, many companies have already prepared and released patches that protect users against the attack. Microsoft already issued a patch and published a security advisory about the vulnerability. Many versions of Linux have a patch available as well.
Google is also working on a patch for Android devices—which have been reported as potentially the most at risk—and will reportedly make a fix available in the next few weeks. Users may want to turn off Wi-Fi on their devices when possible until the patch is officially available.
Apple has thus far been silent on the issue—a troubling fact given the researchers single out MacOS as being easy to attack. The company’s mobile operating system, iOS, is generally considered safe.
Device manufacturers have also started to address the issue at their own pace, with some rushing out updates and others essentially dismissing the threat. Consumers are advised to keep an eye out for updates from router manufacturers, as those access points are just as at risk as devices.
The wait time for a fix will likely vary by company. For example, Latvian networking device manufacturer MikroTik has already issued a fix, while German router maker AVM has said it will only release an update “if necessary.”
Kevin Robinson of the Wi-Fi Alliance said that it’s important to note “many consumer routers are not affected by this vulnerability, so consumers may not see an update available for their particular router.” Of devices that have been affected, he said, “many vendors have already issued patches or will issue them shortly. Wi-Fi Alliance recommends checking the vendor’s website for information on specific vendor updates.”
Hemant Chaskar, the chief information security officer and vice president of technology at cloud-based Wi-Fi firm Mojo Networks, told IBT “consumer equipment may take time to update” as manufacturers learn about and address the exploits. He noted that a wireless intrusion prevention system (WIPS) can help to block these vulnerabilities until patching takes place.
While waiting for the fix, users can ensure their information is not compromised by practicing the safe browsing habits that they likely should be performing anyway. Symantec’s Wueest said users should make sure they are only sharing sensitive information on websites that use Secure Sockets Layer (SSL), a secure web protocol that encrypts information sent between a user and the site.
A person can check the SSL certificate of a website in their browser. Most browsers will display the connection status between a user and a website in the browser bar. A secure connection will usually display a green lock or a similar icon to signify the secure status of the site. Many modern browsers also warn a user if a connection is not secure.
Wueest also recommended using a virtual private network or VPN.
A VPN is a privacy tool that enables a device to send and receive information across a public network as if it were connected directly to a private network. In essence, it obscures the true location of the device and makes it appear as though its activity is coming from another network. Think of it as a sort of firewall for your online activities.
When a user connects to a VPN, it creates an encrypted and secure connection between the user’s device and a remote server. Any information—from web activity to user information to passwords—is sent first through that encrypted connection.
Send a request for information (i.e., type a web address into your browser) and that is forwarded through the VPN. The response it receives is sent back through the same secure connection. By routing information through the remote server, a VPN shields that data from anyone on the public network, including an attacker who may be exploiting KRACK.
“A VPN is the best practice anyway,” Wueest said. “If you’re on vacation or at a Starbucks or any other open Wi-Fi, then you should use a VPN to protect yourself.”