Earlier today the information security community was in a tizzy because WPA2 had supposedly been cracked open like a coconut on a tropical island.
A few moments ago Mathy Vanhoef of imec-DistriNet published research which reveals a very scary vulnerability now known as a key reinstallation attack, or KRACK.
The vulnerability is in the WPA2 (Wi-Fi Protected Access 2) protocol, which prevents an attacker from seeing all of your data in plain text.
The vulnerability has to do with the four-way handshake between a client and an access point – your smartphone and your router for instance. During this handshake the client and the access point determine that both are using the correct credentials (i.e. your WiFi password) and a new encryption key is issued.
While this encryption key is meant to be unique, Vanhoef discovered that the WPA2 protocol allows an attacker to manipulate the handshake so that a key is reused.
The reach of this vulnerability is immense because it’s not limited to a specific device.
“If your device supports Wi-Fi, it is most likely affected,” writes Vanhoef.
What can be done?
Usually we would recommend changing your password, but that won't really help in this instance as the attacker doesn't even need to know your WiFi password to execute the attack.
Instead, users will be at the mercy of hardware manufacturers, who will now need to release software patches that you as a user will likely need to install.
The good news is that information about this vulnerability has been with hardware vendors since at least 14th July, according to Vanhoef. The organisation CERT/CC also disseminated news of the vulnerability to vendors on 28th August, so at this stage it's unlikely your router manufacturer has not received the news.
Users can visit this website to see if their router/device is affected. Many vendors have already issued patches for the vulnerability and we highly recommend you download and install those updates.
If you need more than urging, take a gander at the video below where Vanhoef shows how an attacker can grab your username and password in plain text using KRACK.
Stay safe out there, folks.
[Image – CC BY 0 Pixabay]