A security flaw in the WPA2 protocol was found and published by Belgian researchers on the morning of October 16th 2017. The protocol – normally used for securing modern Wi-Fi networks – has been broken to expose wireless internet traffic to potential eavesdropping and attacks. This vulnerability puts million of devices connected to Wi-Fi at risk for attacks.
What has happened
In short, a combination of vulnerabilities in the WPA2 specification and its implementation was published. This combination allows an attacker to listen in on the data transmitted through Wi-Fi connections and potentially even inject data packets into them. This affects everything from Linux, Windows, iOS, Android, BSD and most likely some other platforms. Some sources claim that iOS and Windows are not affected, but according to the report written by the researcher behind these vulnerabilities, this is not true. It is possible to attack the access point directly which indirectly affects any device connected to it.
The vulnerability opens up for three attacks. The first attacks broadcast messages. While this is bad in itself, it’s not as devastating as the other two that have the potential to attack any message. The second attack targets an issue in the client. This affects Linux and Android according to the research paper, but could affect other systems as well. The third attack targets the access points. This means that any client connected could be attacked indirectly. Both of the latter attacks mean that an attacker can listen in on the traffic and could potentially even inject malicious content.
How do I know if I am affected?
If you are using Wi-Fi and have not received a security patch for this vulnerability, then you are most likely vulnerable. Unfortunately, the attack can be performed by just simulating background noise so there is not any reliable way to know if you are affected.
What to do?
- Look for updates for your OS. Most vendors should already be releasing security patches for these vulnerabilities (when reading the patch notes, keep an eye out for “KRACK attack” or “WPA2 nonce reuse”).
- If possible, use a cabled connection instead of Wi-Fi for your computer until a patch is out.
- Turn off Wi-Fi on your phone until you’ve patched your device.
- If possible, turn off the 802.11r feature in your router or device. Contact your access point vendor for information on how to disable this for your particular access point. In Linux you can remove this support in wpa_supplicant by removing FT-PSK and FT-EAP from your accepted protocols in wpa_supplicant.conf. (Note that Linux, Android and possibly other systems can be attacked through other means than the 802.11r feature.)
- Use application-level security like HTTPS, SSL, VPN etc.
- Be extra vigilant for anything that implies a broken trust chain, for example broken certificate warnings on websites or a missing lock in the address bar of your browser.
If you have any tips on how to mitigate the flaw in other operating systems, we’d love to add them to this article. Please let us know at hello[at]detectify.com!
How do you patch your software?
- Your first priority should be to patch your clients (your phone and computer).
- Check with your router/access point vendor for patches to your router/APs firmware. Make sure to download them over a secure connection if you’re still on Wi-Fi.
Worth knowing for companies out there
- The attack requires the attacker to be in proximity to the Wi-Fi they are attacking. This means some locations will be reasonably safe.
- Mobile devices will be most vulnerable since they move from Wi-Fi to Wi-Fi automatically. Make sure these are patched or have their Wi-Fi turned off until that is possible.
How can this vulnerability be used by a hacker?
This vulnerability can let an attacker listen in on your network traffic and in some cases send fake network traffic. This opens up a very wide attack surface. An attacker could steal sensitive information or inject malicious data to infect the device it is attacking.
For more information about the WPA2 security flaw including a detailed demo, visit: https://www.krackattacks.com/