What You Need to Know About the KRACK Attack
A few days ago, security experts were shaken by a flaw in the security protocol of Wi-Fi devices, affecting everything from mobile phones to kitchen appliances that run on an IoT framework. For the uninitiated, KRACK stands for Key Reinstallation Attack and is a flaw that exposes a vulnerability in WPA2, the security protocol used in wireless networks. Hackers could use this flaw to decrypt network traffic, hijack connections or inject malware into the network stream. The only condition? It has to happen in close proximity, which means the attacker has to be within range of your Wi-Fi network to exploit it.
The basics of the attack are that an attacker can trick a client (like your phone or computer) into reinstalling a cryptographic key that the client and the access point (your Wi-Fi router) had already agreed on. By doing so, an attacker can decrypt and modify the traffic between the devices. Android has an even more serious problem, as the reinstallation causes a key of all zeros to be used, which is very bad indeed. You can read the full write-up at krackattacks.com.
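To make the "reinstall a key" mechanism concrete, here is a small simulation I have added to this post (it is not code from the original write-up or from krackattacks.com). It models a simplified Wi-Fi client that installs the session key when handshake message 3 arrives and, in the vulnerable version, resets its packet-number counter every time that message is (re)delivered. The keystream function is a constructed SHA-256 stand-in for the AES-CTR keystream that CCMP derives from the key and packet number, chosen so the example runs with the standard library only; the class and function names are my own. The point it shows is the defender's fix: a patched client refuses to reinstall a key that is already in use, so the counter never repeats and two frames are never encrypted under the same key and nonce.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, List, Tuple


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Constructed stand-in for the CCMP (AES-CTR) keystream.

    Real CCMP derives the keystream from the session key and the per-frame
    packet number; here SHA-256 over key || packet number || block counter
    plays that role so the example needs no third-party crypto library.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Simplified supplicant state for one Wi-Fi session."""
    patched: bool
    ptk: Optional[bytes] = None
    pn: int = 0                 # transmit packet number, used as the CCMP nonce
    installed: bool = False
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def on_msg3(self, ptk: bytes) -> None:
        """Handle 4-way handshake message 3, which the AP may retransmit."""
        if self.patched and self.installed and ptk == self.ptk:
            # Fix: a key that is already in use is never installed a second
            # time, so the packet-number counter is left untouched.
            return
        # Vulnerable behaviour: (re)install the key and reset the nonce
        # counter to its initial value.
        self.ptk = ptk
        self.pn = 0
        self.installed = True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the installed key and current packet number."""
        assert self.ptk is not None, "no key installed"
        self.pn += 1
        ciphertext = xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))
        self.sent.append((self.pn, ciphertext))
        return self.pn, ciphertext


def reused_nonces(sent: List[Tuple[int, bytes]]) -> int:
    """Monitor-side check: count frames whose packet number repeats within a session."""
    seen = set()
    repeats = 0
    for pn, _ in sent:
        if pn in seen:
            repeats += 1
        seen.add(pn)
    return repeats


def simulate(patched: bool) -> Tuple[int, int, bool]:
    """Run one session and report both frames' nonces and whether keystream was reused.

    Returns (nonce of frame 1, nonce of frame 2, leaks), where leaks is True
    exactly when c1 XOR c2 == p1 XOR p2, i.e. both frames used one keystream.
    """
    client = Client(patched=patched)
    ptk = hashlib.sha256(b"constructed pairwise key for this example").digest()
    client.on_msg3(ptk)                    # message 3 arrives, key installed
    p1 = b"GET /index.html "                # constructed application data (16 bytes)
    n1, c1 = client.send(p1)
    client.on_msg3(ptk)                    # message 3 delivered again (AP never saw message 4)
    p2 = b"POST /login.cgi "                # constructed application data (16 bytes)
    n2, c2 = client.send(p2)
    leaks = xor(c1, c2) == xor(p1, p2)
    return n1, n2, leaks


if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, leaks = simulate(patched)
        print(f"patched={patched}: nonces {n1},{n2}; keystream reused -> {leaks}")
```

Running it prints that the unpatched client encrypts both frames with packet number 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts, which is exactly the information a passive observer gains from nonce reuse; the patched client moves on to packet number 2 and nothing is reused. The `reused_nonces` helper is the kind of check a wireless monitor can run over a session: a packet number that repeats under one key is a signal that a key reinstallation happened.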
WPA2 was created by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE) to replace WEP, which was found to be highly vulnerable within a few years of its development. Some blame can be placed on the IEEE, as they make it difficult to get your hands on the proper specifications, according to Matthew Green:
One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings. More importantly, even after the fact, they’re hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications — you’ll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.
This whole process is dumb and — in this specific case — probably just cost industry tens of millions of dollars. It should stop.
If you are interested in more technical details, I highly recommend reading his article; it's a good read.
This attack poses many problems for IoT devices, as they do not receive updates regularly. The attack can, however, be foiled by patching the client side even if the access point is not patched.
For everyone else: do not connect to public Wi-Fi access points (like coffee shop Wi-Fi) without first updating your devices. At the time of writing, Microsoft has already rolled out a patch, and all Apple OSs have received patches. Google says it will probably be a few weeks, and some phones may never get patched, as is the Android way. Patches for Linux and BSD have been released.