Written by: Daniel Haurey on 10/16/17

Yesterday, researchers identified a security flaw in the wireless standard (WPA2, or “Wi-Fi Protected Access 2”) used by all hardware and software vendors worldwide. The flaw is known as “KRACK”, after the methodology used to gain access to secure wireless networks (key reinstallation attacks).

Summary
WPA2 is the wireless standard that defines how devices and wireless networks exchange data securely with one another. A vulnerability has been found that allows a hacker to bypass this security by inserting their own device in the middle of the connection, thereby allowing them to see the data passing through it. Since this standard is used by all manufacturers and software vendors, nearly all devices are susceptible to this attack. Once the hacker has visibility into this traffic, they use other tools in an attempt to gather private (normally secured) data from your wireless connection. No vendors have yet released a patch for this vulnerability, but once patches are released we will begin patching devices under our control. Security updates recommended by your wireless provider should be viewed as critical and should be applied as soon as they’re available.

Technical Details
The researchers determined that certain operating systems (currently more significant for Android and Linux, although variants exist for all major operating environments) can be tricked into connecting to a rogue access point during the wireless handshake process using a simple method of redirection, leveraging the fact that the operating system can be coaxed into using an encryption key of all zeros. This “key reinstallation” allows a hacker to perform a man-in-the-middle attack, capturing all data between the client and the sites being accessed.

When combined with some other simple hacking techniques, raw data can be read using common network troubleshooting tools, providing complete visibility into data you think is still encrypted. Usernames, confidential client/customer data and other information are clearly visible while under attack.

Why is this different than other threats?
This flaw is unique in that it’s part of the industry specification followed by vendors. Since all vendors follow this standard, the threat is common across all platforms. Linux and Android are slightly more vulnerable in that they are less stringent in their allowance for key reuse (using the same encryption key more than once). The wireless specification allows for reuse (it does not explicitly recommend against it), resulting in an impact across all implementations of Wi-Fi regardless of the type of authentication in use (password-only versus enterprise credentials).

What can I do to protect myself?
We are awaiting the release of patches from all vendors to help prevent this attack. Until that occurs, all types of devices are susceptible. Please note, this is not a wireless access-point issue; it’s a client-side issue related to redirection of the client and the injection of a known encryption key into the handshake between the client and the wireless network. This essentially removes the encryption layer from wireless communications, allowing other methods of attack to be used to gain deeper visibility into your data.
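The following toy model is an added illustration (not code from the original post or from any Wi-Fi vendor) of the client-side behaviour described above and in the key-reuse discussion: a simplified supplicant that accepts the key from handshake Message 3, and what happens when that message arrives a second time. The class and function names (`Supplicant`, `on_message3`, `send`, `simulate`) and the hash-based stand-in for the packet cipher are assumptions made for the example; the sample key is constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy model of a Wi-Fi client (supplicant) handling Message 3 of the WPA2
# four-way handshake. Added illustration only: not real driver code, and
# the names (Supplicant, on_message3, send) are simplified stand-ins.

@dataclass
class Supplicant:
    hardened: bool                      # True = retransmits do not reinstall
    ptk: Optional[bytes] = None         # pairwise key handed over by Message 3
    nonce: int = 0                      # per-packet counter used by the cipher
    installed: bool = False
    sent: List[Tuple[bytes, int, bytes]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        """Install the key. A retransmitted Message 3 reaches this same
        handler a second time; the patched behaviour leaves the key alone."""
        if self.hardened and self.installed:
            return                      # fix: acknowledge, never reinstall
        self.ptk = ptk                  # vulnerable: reinstall the key...
        self.nonce = 0                  # ...and reset the packet nonce

        self.installed = True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Stand-in for the packet cipher: keystream = H(key || nonce)."""
        self.nonce += 1
        ks = hashlib.sha256(self.ptk + self.nonce.to_bytes(6, "big")).digest()
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        self.sent.append((self.ptk, self.nonce, ct))
        return self.nonce, ct

def keystream_reused(sup: Supplicant) -> bool:
    """A (key, nonce) pair used twice means one keystream encrypted two
    packets, which is what strips confidentiality from the link."""
    seen = set()
    for key, nonce, _ in sup.sent:
        if (key, nonce) in seen:
            return True
        seen.add((key, nonce))
    return False

def simulate(hardened: bool) -> bool:
    """Handshake, one data frame, repeated Message 3, second data frame."""
    sup = Supplicant(hardened=hardened)
    key = bytes(range(16))              # constructed sample key
    sup.on_message3(key)
    sup.send(b"first frame")
    sup.on_message3(key)                # the repeated Message 3
    sup.send(b"second frame")
    return keystream_reused(sup)

if __name__ == "__main__":
    print("vulnerable client reuses keystream:", simulate(False))  # True
    print("hardened client reuses keystream:", simulate(True))     # False
```

The unpatched client resets its packet counter on the repeated message and encrypts the second frame with the same keystream as the first; the patched client keeps the key it already installed, which is the behaviour vendor fixes add.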

For example, a common tool can be used during this attack to redirect you to the “unsecured” version of a website, enabling you to enter credentials and other private information “in the clear”. Please closely monitor the “lock” icon in your web browser to ensure that your connection has not been manipulated in this fashion. If you connect to a site you expect to be secure, but you do not see this lock – don’t go any further.

The removal of encryption of the wireless communications, combined with the removal of encryption at the application level (as described in the web browser example), leaves your data easily readable to a hacker leveraging this vulnerability.

Next Steps
Exigent is closely monitoring the patches being made available by software and operating system vendors and we will begin patching as soon as fixes are available. Many of the devices affected are going to be patched by manufacturers (mobile devices, tablets, etc.) as they get updates from their software/vendor sources. If you typically hold off on patching your home or personal devices, please take a more aggressive stance on this issue and immediately apply updates as suggested by your device manufacturer or wireless provider.

For more detailed information on this vulnerability, along with a short video that describes the attack, please refer to the following link: https://www.krackattacks.com/