Wi-Fi encryption security took a major hit on Monday with the disclosure of a flaw that affects virtually every device that wirelessly connects to the Internet.
KRACK, short for Key Reinstallation AttaCK, is a weakness that was discovered in the WPA2 encryption protocol by security researcher Mathy Vanhoef. As outlined in a profile of the weakness, the main attack is against the four-way handshake of the WPA2 protocol that takes place when a client wants to join a protected Wi-Fi network. In short, it works by tricking the victim device into reinstalling a key that is already in use, thus allowing packets to be replayed, decrypted and/or forged.
According to Vanhoef, nefarious types can use the attack technique to steal sensitive information like credit card numbers and passwords as well as access e-mails, photos and chat messages. What’s more, depending on the network configuration, it may even be possible for an attacker to inject ransomware or other malware into a website or otherwise manipulate data.
Because the weakness is in the Wi-Fi standard itself and not an individual product or implementation, it’s likely that any correct implementation of WPA2 is affected. This encompasses devices associated with Apple, Android, Linux, Windows, OpenBSD, MediaTek, Linksys and others although Vanhoef says the attack is especially devastating against Linux and Android 6.0 or higher.
Before going into full-on panic mode, it’s worth nothing that an attacker needs to be within physical range of a network to carry out an attack. The bad news, of course, is that Wi-Fi is all around us so finding a network to attack could be done in seconds.
Although information on the attack is just now going public, details of it were first submitted for review in mid-May. This has given vendors time to investigate the matter and, in some instances, already have patches available.
- Apple: Cupertino tells CNET that fixes for iOS, macOS, watchOS and tvOS are in beta and will be rolling out to all in a few weeks.
- Cisco: The company notes that multiple products are affected by the vulnerability. Some patches are already available and some are still pending.
- Google: The search giant said on Monday that it is aware of the issue and will be rolling out patches for affected devices in the coming weeks.
- Intel: Chipmaker Intel has a security advisory with updated Wi-Fi drivers and patches for various chipsets.
- Microsoft: Redmond has a security fix out that's available through Windows' automatic updates.
- Wi-Fi Alliance: The Wi-Fi Alliance has a fix up for vendors but not yet for end-users.
ZDNet has a running list of who’s on top of their game in this respect.