Today, the internet is on fire. The media is publishing about KRACK, a new Wi-Fi security flaw that allows attackers to eavesdrop on traffic between computers and wireless access points. Headlines might make one think in an apocalypse, where anyone is able to get the password from our wireless network and read our data. Well, Krack is bad, but not that bad. Here is our analysis.
The problem lies in how a wifi client connects to a wifi access point. One of the steps of this connection is called “4-way handshake”, where encryption and authentication keys are negotiated to continue the connection. Without entering into deep technical details, Krack has found a way to fake messages sent from the Access Point to the Device, in such a way that the device reinstalls encryption keys and enables further messages to be decrypted from the encryption provided by the Wi-Fi protocol.
Krack affects WPA2 Wi-Fi networks, which were, unfortunately, the only ones considered safe up to now. Others, such as WEP, had been cracked in the past.
It can be executed over all WPA2 configurations (WPA-TKIP and AES-CCMP), however, as in the case of the TKIP and in addition to the security problem explained above, we would find that an attacker can not only decrypt packages but also could generate new ones and send them during the communication. This would lead to a multitude of possible attacks much greater than the previous one, for example it could force a client to become disassociated from the authentic Access Point to which it is connected to, and be associated to a false Access Point that could using other methods like ssltrip, be able to trick the user to share their data, as can be seen in the demo video.
In addition to the above, if the client is Android or Linux based, because of the way in which the keys are negotiated, the problem is even greater as it allows the modification of packages regardless of the Wi-Fi setup. In the case of Android, any version after 6.0 is vulnerable (41% in October 16th), in the case of Linux, any version of wpa_supplicant greater than 2.4.
The most important thing to mention is that the physical distance between the victim, the access point, and the attacker matters. The attacker should be closer to the victim than the access point so that its packages arrive before those sent by the real Access Point. So if you are one meter closer to the access point, it would be pretty complex for an attacker to get you.
The objectives of these attacks are the clients of the Wifi connection and not the Access Point, so the patches that solve this problem should come from the device manufacturers (cell phones, computers, etc).
Summarizing the bad news
- How bad is Krack? Pretty bad, it allows a number of attacks depending on the Access Point configuration and the client you are using to connect the Wi-Fi
- What can an attacker do? In the worst cases, pretty much everything from reading messages, connecting to roge Access Points, etc.
- How widespread is it? Pretty widespread, it affects all WPA2 configurations and the majority of the devices
And on the positive side
- Can this be patched? Yes, stay tuned to your device manufacturer updates and apply them as soon as they are released.
- What is the attack surface? Not so big as it needs the attacker to be physically close to you and the access point. Stay close to your Access Points until you get the patch 🙂
- Any additional recommendation that I can use to be safer?
- Ensure you configure WPA2-AES on your access point.
- Ensure HTTPS when browsing critical sites. HTTPS adds additional encryption over the network, and makes it [much] harder for an attacker using Krack to decrypt.
- If possible, use a VPN software when reading corporate or sensitive emails or cloud documents, same as HTTPS, it adds an extra layer of security.
- NEVER provide or read sensitive data when connected to a Wi-Fi network if you do not trust it (hotels, restaurants, etc.), even if they are apparently protected by a password. This is just a false sense of security, as they might have wrong configurations.
Article written by David Purón, Founder and Chief Executive Officer at Barbara IoT.