By now almost everyone will have heard the news that the WPA2 authentication scheme that secures a large percentage of WiFi connections has been hacked. WPA2 has been considered as the de facto option for securing your WiFi network both at home and in the corporate space.
I have been asked by a number of people to put into plain English what this means, so much so that I thought I would put this into a blog post, so here goes:
What is the KRACK vulnerability?
This vulnerability takes advantage of the way that the WPA2 scheme requires a four-way "handshake" between your device and the wireless access point (or router). This means it attacks the way the two devices exchange data with each other to verify your ability to access that network.
What does this mean?
The researchers who found this vulnerability have demonstrated the ability to retrieve login information and also any data that is communicated over the connection established.
Now, before you think the world is about to end, I would just like to point out a few important factors for the real-world application of this vulnerability:
- The attacker must be within range of your network to be able to use this weakness.
- If your end device is updated with the latest patches you are most probably already protected.
- If your data is encrypted prior to transmission over this link, all the attacker will see is an encrypted blob of data.
What should I do?
OK, this is both a simple and a complicated question to answer. First of all, you should ensure all of your devices are updated to the latest patches: your computers, mobile devices and also wireless access points should be updated to the latest firmware that includes the patch for this vulnerability. Unfortunately this is where it gets a little tricky, as both sides of the wireless communication need to be patched to ensure the wireless network is secure. Why unfortunate, you ask? Well, some wireless devices are not actively patched; this applies to pretty much every single home wireless router that ISPs supply to their customers! Also, some phones (namely Android devices) are not updated regularly (if at all) due to carriers blocking these updates. My recommendation is to update everything. If you encounter a device that you are unsure about, contact the manufacturer and get them to confirm that your device is patched; in some instances you may have to consider whether your device needs to be replaced.
I hope this little post helps explain the issue at hand. If you're interested, the microsite that the researchers set up to explain this vulnerability can be found at: https://www.krackattacks.com. Before people start blaming these researchers for any possible attack, please note they informed manufacturers in July that this vulnerability existed, giving them plenty of time to develop patches for their devices. Without researchers like the guys who brought KRACK to our attention, our devices and networks would be less secure and more open to attack.