KRACK attacks against WiFi encryption: here's what you need to know

10/17/2017
G DATA Blog

On Monday, reports emerged about the encryption of WiFi networks being susceptible to attacks. A design flaw in the WPA2 encryption allows the reuse of certain cryptographic keys instead of blocking it. The Belgian research team dubbed the attack “KRACK”.

Who is affected?

The security flaw affects all devices which connect to WiFi networks using WPA2 encryption. The flaw puts an attacker in a position where he can gain access to a WiFi network and, in a worst-case scenario, manipulate transmitted data. One example would be to replace a legitimate download with malware. The attack cannot be used to retrieve the WiFi password. According to current information, any data which is sent from a browser via an SSL-encrypted connection is far less susceptible to attacks.

However, since an attacker needs to be in physical proximity to the targeted network, we do not expect any attacks against WiFi networks on a broad scale any time soon. What the researchers have demonstrated so far is a Proof of Concept (PoC), which is not the same as a ready-to-use tool. It might well be a while before we see such tools applied in practice.

Mitigation

There are two ways to mitigate the issue:

Disabling WiFi on affected devices will make sure that the security flaw cannot be abused. However, in practice this might not always be feasible or practical. Alternatively, a VPN client can be used to secure all traffic using SSL. This will protect any transmitted data against eavesdropping or tampering.

What will happen next

By now the first manufacturers have started deploying a fix to address the security problem. The first beta versions of Apple's iOS already have the fix; other vendors will follow suit. Some Linux distributions have received a patch as early as October 2017, so the security flaw is no longer exploitable on those platforms.

Remediating the flaw does not require purchasing new hardware. It can be fixed by the manufacturer in a device's software, and the fix is backwards compatible, so devices which have received it can still communicate with devices which have not (yet) received it and vice versa.
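Why such a fix can be a purely local software change, as an added example that is not from the original post or from any vendor's code: a toy model of the key reuse mentioned in the introduction, with the unpatched behaviour beside the patched one. The stream cipher, the packet counter and all names are illustrative assumptions and not WPA2's real primitives.

```python
import hashlib

def keystream(key: bytes, packet_no: int, length: int) -> bytes:
    """Toy keystream derived from (key, packet number); NOT WPA2's real cipher."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Link:
    """One side of an encrypted link with a per-packet counter (hypothetical model)."""
    def __init__(self, block_reinstall: bool):
        self.block_reinstall = block_reinstall
        self.key = None
        self.packet_no = 0

    def install_key(self, key: bytes) -> bool:
        # Patched behaviour: a key that is already in use is not installed again,
        # so the packet counter is never rewound. No message format changes.
        if self.block_reinstall and key == self.key:
            return False
        self.key = key
        self.packet_no = 0  # a fresh key starts counting from zero
        return True

    def send(self, plaintext: bytes) -> bytes:
        self.packet_no += 1
        return xor(plaintext, keystream(self.key, self.packet_no, len(plaintext)))

def keystream_reused(block_reinstall: bool) -> bool:
    """True if two packets ended up encrypted under the same keystream."""
    key = b"constructed-session-key"                      # constructed sample value
    p1, p2 = b"first packet data", b"other packet body"   # constructed, equal length
    link = Link(block_reinstall)
    link.install_key(key)
    c1 = link.send(p1)
    link.install_key(key)                                 # same key delivered a second time
    c2 = link.send(p2)
    # With an identical keystream the key cancels out: c1 XOR c2 == p1 XOR p2
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", keystream_reused(False))
    print("patched:  ", keystream_reused(True))
```

The patched side only refuses a key it already holds, which is why it keeps working with a peer that has not been updated.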

Looking back

The fact that the security of WiFi networks can be attacked successfully is hardly a surprise. The 802.11 WiFi standard has often faced security flaws which were mitigated in subsequent iterations. Obsolete encryption models such as WEP or WPA were gradually replaced with more secure ones. Therefore the current reports, spectacular as they may seem, are a somewhat logical step in a series of events. So this is not the first report of this kind to make the news and it certainly will not be the last.

As soon as a patch is available from a vendor, it can be obtained either via the browser-based configuration dialog or via the vendor's website. Some devices also download and install updates automatically. Users of mobile devices should also check whether any updates are available for their device.
We strongly recommend installing any available update to fix the flaw on each device.