So the internet has been buzzing today with the release of the new WPA2 Key Reinstallation Attack (or KRACK as it’s known in the community). And I understand why; this may be one of the worst vulnerabilities I’ve seen this year. I’ve spent most of today looking at this vulnerability and I’m amazed at how simple it is to completely bypass the encryption we have all come to trust in Wi-Fi.
What is KRACK?
At its core, KRACK is a vulnerability in the implementation of WPA2, which is the Wi-Fi encryption algorithm that almost everyone uses nowadays to protect the confidentiality of their wireless network.
KRACK exploits the WPA2 4-way handshake, which is the method that a host and router use to securely share a secret encryption key. Each time the host connects to a network, a fresh key is shared and installed for that session. By sending a victim host specially crafted Wi-Fi packets, the attacker can get the host to reuse a previously used key. This is possible because there is currently no method to guarantee that a key cannot be used more than once.
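A simplified model of the key reuse described above, added here as an illustration and not code from the researchers or from any Wi-Fi stack. It assumes a toy hash-based keystream in place of WPA2's real cipher, and the `Client` class, its `patched` flag and the sample frames are constructed for the example. It relies on one detail from the published research that this post does not spell out: installing the key also resets the client's per-frame packet counter.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    # Toy stand-in for the per-frame keystream (NOT real CCMP/AES).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0        # transmit packet number, the per-frame nonce
        self.seen = []     # every (key, pn) pair used to encrypt a frame

    def on_message3(self, key: bytes) -> None:
        # Message 3 of the handshake tells the client to install the key.
        # It can legitimately arrive more than once (retransmission).
        if self.patched and key == self.key:
            return         # key already in use: keep the counter running
        self.key = key
        self.pn = 0        # (re)installing the key resets the counter

    def send(self, plaintext: bytes) -> bytes:
        self.pn += 1
        self.seen.append((self.key, self.pn))
        return xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

P1 = b"constructed frame one"   # constructed sample data
P2 = b"constructed frame two"   # constructed sample data

def simulate(patched: bool):
    client = Client(patched)
    key = b"constructed session key"
    client.on_message3(key)
    c1 = client.send(P1)
    client.on_message3(key)          # same message 3 delivered again
    c2 = client.send(P2)
    nonce_reused = len(set(client.seen)) < len(client.seen)
    # With a repeated (key, pn) the keystream cancels: c1 ^ c2 == P1 ^ P2
    leaks = xor(c1, c2) == xor(P1, P2)
    return nonce_reused, leaks

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

The patched branch mirrors the general shape of the fix vendors shipped: a key that is already in use is not installed a second time, so the counter never goes back to its starting value.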
What does this mean for the security of our Wi-Fi?
Well, essentially this means that if an attacker is within Wi-Fi range of your host, they could potentially decrypt the packets on your network. In some instances, the researchers were even able to manipulate the data on the network using a man-in-the-middle attack. However, this attack does not reveal your Wi-Fi password, so there is no need to change your network’s Wi-Fi password.
It’s important to note that if an adversary were able to conduct this attack against you, they would not be able to see any data that is encrypted by HTTPS or a VPN. This is why I recommend that everyone use a privacy encrypting VPN (such as PIA; this is not an affiliate link). Along with that, I suggest using the EFF’s HTTPS Everywhere plugin to ensure that you are using HTTPS in every instance.
On a final note, make sure that you are watching for updates to any devices that use Wi-Fi; a lot of the manufacturers will be issuing patches to fix this vulnerability in the coming weeks. Ensure that you are logging in to your router to check if there are any updates and that you are installing updates on your laptops, desktops, phones, and tablets.
The researchers who found this vulnerability haven’t released the exploit code yet to give device manufacturers time to patch the vulnerability. However, that won’t stop someone else from trying to recreate the code themselves. I plan on downloading the code once they release it to play with the vulnerability. If you’d like to read more you can visit the vulnerability’s website at https://krackattacks.com or you can download their white paper here.
They have also released a YouTube video displaying how easy it is to exploit the vulnerability and the impact of the exploit. I highly recommend watching it, as they do a pretty good job explaining how the exploit works.