KRACK is a vulnerability in the WPA2 protocol that was discovered earlier this week. This could lead an attacker to read encrypted information. This attack affects all WPAWPA2 protected Wi-Fi Networks as the vulnerability is with the Wi-Fi WPA/WPA2 standard and not any individual products or implementations. Data-Tech is aware of this exploit and our Managed Services Team has updated our clients’ windows workstations and is closely monitoring new updates and changes.
KRACK is short for Key Reinstallation Attack, which is a curious name that probably leaves you as confused as we felt when we heard about it, so here’s our extremely simplified explanation of what happens (please note this explanation covers just one of numerous flavours of similar attack).
At various times during an encrypted wireless connection, you (the client) and the access point (the AP) need to agree on security keys.
To do so, a protocol known as the “four-way handshake” is used, which goes something like this:
At this point, both sides can mix together the Wi-Fi network password (the so-called Pre-Shared Key or PSK) and the two random blobs of data to generate a one-time key for this session.
This avoids using the PSK directly in encrypting wireless data, and ensures a unique key for each session.
The KRACK Attacks (with numerous variations) use the fact that although this four-way protocol was shown to be mathematically sound, it could be – and in many cases, was – implemented insecurely.
In particular, an attacker with a rogue access point that pretends to have the same network number (MAC address) as the real one can divert message 4 and prevent it reaching the real AP.
Changing your Wi-Fi password won’t help: this attack doesn’t recover the password (PSK) itself, but instead allows an attacker to decrypt some of the content of some sessions.
Changing routers probably won’t help either, because there are numerous variants of the KRACK Attacks that affect most Wi-Fi software implementations in most operating systems.
Here’s what you can do:
Author: Paul Ducklin