27.10.2017

Attackers can exploit the KRACK vulnerability to intercept encrypted wireless traffic and thereby steal sensitive information, such as passwords, credit card numbers, personal information and professional secrets, if that information travels through the wireless network without additional encryption. Because of the vulnerability, IT infrastructure and devices must be updated, but in the meantime the risk can be significantly reduced by consistently encrypting traffic with a VPN, HTTPS or similar methods.

On October 16, 2017, the research paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available. It describes 10 critical vulnerabilities in the WPA and WPA2 wireless security protocols. Attackers can exploit these flaws with the KRACK (Key Reinstallation Attack) technique to eavesdrop on wireless communication and the information transferred over it.

KRACK attack in practice

The KRACK attack can only be performed within radio range of a vulnerable wireless network; it cannot be carried out remotely. By intercepting and manipulating the handshake traffic, the attacker tricks a client that is joining the network into reinstalling an encryption key that is already in use, which causes the key's nonces to be reused. This allows the attacker to read the client's network data as if it were unencrypted. Clients cannot detect the abuse while joining the network. The abuse can, however, be detected on the network infrastructure, if the equipment supports this type of detection.

KRACK attack demo (source: https://www.krackattacks.com)

Network encryption keys normally protect against this kind of eavesdropping, but in a KRACK attack the attacker can decrypt traffic without ever knowing your encryption key. The attacker can therefore read your sensitive information, such as passwords, credit card numbers, personal information, professional secrets, etc., if it travels through the wireless network without additional encryption. We particularly emphasise that changing only the Wi-Fi password does not eliminate this vulnerability.
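To show why reinstalling a key is so damaging even though the attacker never learns the key itself, here is an added Python model; it is not code from the original article or from the KU Leuven researchers. It assumes a toy SHA-256 keystream in place of the real AES-CCMP cipher, two constructed plaintexts, and a `Client` class whose `refuse_reinstall` flag models the recommended fix of not reinstalling a key that is already in use. The unpatched client resets its packet number (nonce) on every key install, so two frames end up encrypted under the same key and nonce, and a passive observer can cancel the keystream by XORing the two ciphertexts.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample plaintexts (not captured traffic).
P1 = b"GET /login?user=alice&pw=hunter2 HTTP/1.1"
P2 = b"POST /pay card=4111111111111111&cvv=123 "


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || block counter).

    Stands in for the AES-CCMP keystream; the only property that matters
    here is that the same key and nonce always yield the same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """The Wi-Fi client state KRACK targets: the pairwise key and its nonce."""

    def __init__(self, refuse_reinstall: bool) -> None:
        self.refuse_reinstall = refuse_reinstall
        self.key: Optional[bytes] = None
        self.nonce = 0

    def handle_message3(self, key: bytes) -> bool:
        """Message 3 of the 4-way handshake tells the client to install the key.

        The protocol resets the packet number to 0 on every install, so a
        retransmitted message 3 re-zeroes the nonce on an unpatched client.
        """
        if self.refuse_reinstall and self.key == key:
            return False  # patched behaviour: an already-in-use key is not reinstalled
        self.key = key
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (nonce, ciphertext); the nonce travels in the clear as in CCMP."""
        assert self.key is not None, "no key installed"
        frame = (self.nonce, xor_bytes(plaintext, keystream(self.key, self.nonce, len(plaintext))))
        self.nonce += 1
        return frame


def simulate(refuse_reinstall: bool):
    """Normal handshake, one frame, a retransmitted message 3, another frame."""
    ptk = hashlib.sha256(b"constructed-pairwise-key").digest()  # never seen by the observer
    client = Client(refuse_reinstall)
    client.handle_message3(ptk)  # first (legitimate) install
    f1 = client.encrypt(P1)
    client.handle_message3(ptk)  # retransmitted message 3, which a KRACK attacker provokes
    f2 = client.encrypt(P2)
    return f1, f2


def nonce_reused(f1, f2) -> bool:
    return f1[0] == f2[0]


def ciphertext_xor(f1, f2) -> Optional[bytes]:
    """What a passive observer learns without the key: if the nonces collide,
    ct1 XOR ct2 == p1 XOR p2, i.e. the keystream cancels out entirely."""
    if not nonce_reused(f1, f2):
        return None
    n = min(len(f1[1]), len(f2[1]))
    return xor_bytes(f1[1][:n], f2[1][:n])


if __name__ == "__main__":
    for patched in (False, True):
        f1, f2 = simulate(refuse_reinstall=patched)
        leak = ciphertext_xor(f1, f2)
        print(f"patched={patched} nonces={f1[0]},{f2[0]} "
              f"keystream cancelled={leak is not None}")
```

With `refuse_reinstall=False` both frames carry nonce 0 and the XOR of the ciphertexts equals the XOR of the plaintexts, so any part of one message that is predictable (protocol headers, known field names) directly reveals the corresponding bytes of the other. With `refuse_reinstall=True` the second frame uses nonce 1, the keystreams differ, and the observer gets nothing. This is also why changing the Wi-Fi password does not help: the leak does not depend on the key's value, only on the nonce being reused.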

The KRACK attack mostly affects Linux and Android system users

Researchers from the Belgian university KU Leuven discovered the flaws some time ago, but first disclosed them to device and software manufacturers so that they could prepare updates. We should emphasise that this is a protocol flaw, not a flaw in a particular device. Following the responsible disclosure timeline, security fixes for Windows and the iOS beta are already available, while Android and Linux are mostly still vulnerable to the KRACK attack. Users who do not encrypt their traffic with a VPN or other encryption protocols (SSL/TLS, SSH) are particularly affected.

How to fix the KRACK vulnerability?

The vulnerability must be fixed on both the client device and the wireless infrastructure. The Windows and iOS vendors have already issued the required security patches (for iOS currently only in the beta version). Some Linux distributions already have software fixes, and Debian builds and OpenBSD can already be updated, while the Android platform largely depends on device manufacturers to fix the flaw. Network equipment manufacturers have begun issuing security patches, which are so far only partly available, and US-CERT maintains a list of vulnerable products and manufacturers.

We encourage wireless network users to install security patches on their personal devices as soon as possible, and to strictly encrypt their network traffic, especially when transferring sensitive data. Given the nature of the disclosed vulnerabilities, we expect that they will never be fully eliminated on all Wi-Fi access points.

Managers of Wi-Fi infrastructure and endpoints should follow the public announcements of network equipment manufacturers and endpoint operating system vendors, and regularly install the security patches that eliminate these vulnerabilities. We also recommend introducing mechanisms that ensure consistent encryption of client network traffic both inside and outside the organisation's network.

A list of vulnerable devices, together with software fixes for affected products from our partner Cisco, is available on the website. NIL will assist all affected customers in eliminating this problem, and can also offer a wider set of information security consulting services for complex information systems if needed.

Authors: Stojan Rančić, Urban Jurca