FotolEdhar - Fotolia
KRACK WPA2 flaw might be more hype than risk
Researchers discover a WPA2 vulnerability and brand it KRACK, but some experts say the early reports overstate the risk of the flaw and downplay the difficulty of an exploit.
Researchers found a vulnerability in the WPA2 protocol that could affect many Wi-Fi devices in the wild, but some experts said early reports overstated the danger the flaw.
The KRACK WPA2 vulnerability was discovered and named by Mathy Vanhoef, a network security and applied cryptography post-doctoral candidate, and Frank Piessens, a computer science professor at the University of Leuven in Flanders, Belgium. According to Vanhoef, the WPA2 vulnerability is "in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected."
"An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," Vanhoef wrote in his report detailing the flaw. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data."
Rob Graham, owner of Errata Security, described the issue as "reliable enough that people should be afraid."
"When a client connects to the network, the access-point will at some point send random key data to use for encryption. Because this packet may be lost in transmission, it can be repeated many times. What the hacker does is just repeatedly sends this packet, potentially hours later. Each time it does so, it resets the keystream back to the starting conditions," Graham wrote in a blog post. "At this point, the protocol bug becomes a crypto bug. We know how to break crypto when we have two keystreams from the same starting position."
Vanhoef and Piessens said that the biggest potential risk with the KRACK WPA2 vulnerability would be in Linux and Android devices where it could be more easily exploited. On Android, Graham said attackers could even create "a fake WiFi access-point and man-in-the-middle all traffic."
Questions surrounding the KRACK WPA2 vulnerability risk
Other experts were not as convinced that KRACK was as big a danger because of the difficulty in successfully exploiting the flaw.
Martijn Grooten, security researcher at Virus Bulletin, was impressed with the research but not sold on the impact.
TL;DR on #KRACK: great work, important find, do patch when you can, but don't panic, it's unlikely going to have a big impact for you.
— Martijn Grooten (@martijn_grooten) October 16, 2017
Kevin Beaumont, security architect based in the U.K., said on Twitter that the KRACK WPA2 vulnerability was "very difficult to exploit."
"The attack realistically doesn't work against Windows or iOS devices. The Group vulnerability is there, but it's not near enough to actually do anything of interest," Beaumont added in a blog post detailing the flaw. "There is currently no publicly available code out there to attack this in the real world -- you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this."
Remediating the KRACK WPA2 vulnerability
While some experts said traffic running over HTTPS could help to mitigate the risks of data interception by an attacker exploiting KRACK, most said patching was the best option and praised Vanhoef and Piessens for their responsible disclosure and waiting for major manufacturers to create patches.
Vanhoef and Piessens said patching either the client or access point can mitigate the risk of the KRACK WPA2 vulnerability.
"Implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time," Vanhoef wrote. "However, the security updates will assure a key is only installed once, preventing our attack."
Kevin Beaumontsecurity architect
Experts said that although patches may be available, another trouble with the KRACK WPA2 vulnerability is scale. Currently, Android versions 6.0 and higher are affected -- approximately 41% of devices, according to Google's stats -- but as more devices are updated to newer Android versions or users buy new smartphones, that number could rise.
Apple added patches for the WPA2 vulnerability in the latest beta version of iOS, but it has not been pushed to most users as of this post. Beaumont said patches were already available for Linux, but he admitted that Android could be a problem because security patches often don't get to users or get patched when they are pushed out.
Paul Martini, CEO and co-founder of Iboss, said the most concerning part of this exploit "is that it affects every device that connects to a Wi-Fi network."
"This is another reminder that even if your security team does everything in its power to keep your devices and network secure, there will always be incidents like this that put your information at risk," Martini told SearchSecurity. "This vulnerability is particularly worrisome for distributed organizations that often have mobile and remote employees connecting via Wi-Fi. Even secure Wi-Fi networks are now at risk and require additional protection at the web gateway level to help prevent data loss."