WPA and WPA2 were supposed to solve all the issues with the notoriously easy-to-crack WEP-based encryption. Well, it now appears that WPA2 is not quite as secure as we had hoped.
Researchers have discovered a flaw in the security protocol, nicknamed “KRACK” or, to give it its Sunday name, Key Reinstallation Attack.
The bug could ultimately allow hackers to eavesdrop on network traffic, which is about as serious as security flaws get. Anything sensitive that you transmit over Wi-Fi could potentially be intercepted by another user.
To make matters worse, depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.
What that means is that the vulnerability potentially impacts a wide range of devices, including those running Android, Apple, Linux, OpenBSD and Windows operating systems.
While the situation is pretty dire, there are some mitigating factors. The attack must be carried out in close proximity to the access point, as the attacker needs to be able to see the Wi-Fi signal; this means most home users are probably not at a huge risk of a data breach. Also, the attack won’t be able to read data encrypted over SSL. So, if you are doing your banking online, you should be relatively safe. If you use a secure VPN, this should mitigate the risks even further.
The Wi-Fi Alliance has published the following statement:
“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.”
It will be up to hardware vendors to push security updates to their devices, and due to the number of routers that have been hacked recently, it would probably be wise to check if/when your router manufacturer has pushed this update.
The following companies have released updates for KRACK, and this should include routers such as the excellent F-Secure SENSE, as it is built on OpenWRT:
- Arch Linux: WPA Supplicant patch, Hostapd patch
- Cisco Meraki
- Netgear: WAC120, WAC505/WAC510, WAC720/730, WN604, WNAP210v2, WNAP320, WNDAP350, WNDAP620, WNDAP660, WND930
- Watchguard Cloud