Is the Wi-Fi Sky Falling or Not?
It’s official. Wi-Fi security has been cracked. More specifically, its security protocol has been compromised by a bug known as KRACK (Key Reinstallation Attack). Leveraging a weakness in the WPA2 protocol, which secures most wireless networks, KRACK can virtually create a skeleton key for a network using the protocol’s “four-way handshake” method of authentication for new devices joining a network. To accomplish this, “the attacker tricks the connected party into reinstalling an already-in-use key,” says Alan Woodward, a professor at the University of Surrey. Every time you connect to a wireless network, a random number known as a cryptographic nonce is generated, intended to prevent a hacker from impersonating an already-connected user.
Reinstalling the key, as in KRACK’s case, resets the nonce, allowing the data-confidentiality protocol to be attacked.
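Why a reset nonce matters, as an added example that is not from the original article or from the KRACK researchers: a simplified client model in which a repeated key installation resets the packet-number nonce, beside a patched variant that ignores reinstallation of a key already in use. The `Station` class, the SHA-256 keystream (a stand-in for the real WPA2 cipher), the key and the frame contents are all constructed for illustration.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    """Toy keystream derived from key + packet number (stand-in, not real CCMP)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client; `patched` selects the fixed key-install behaviour."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0  # packet number, used as the per-frame nonce

    def install_key(self, key: bytes) -> None:
        # Called whenever handshake message 3 arrives, including retransmissions.
        if self.patched and key == self.key:
            return  # key already in use: keep the current nonce counter
        self.key = key
        self.pn = 0  # vulnerable path: reinstalling also resets the nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def nonces_reused(patched: bool):
    """Return (same nonce used twice?, keystream cancelled out?)."""
    p1, p2 = b"first frame data", b"other frame data"  # constructed frames
    sta = Station(patched)
    key = b"constructed-session-key"
    sta.install_key(key)
    pn1, c1 = sta.send(p1)
    sta.install_key(key)  # the same key is installed a second time
    pn2, c2 = sta.send(p2)
    # Under a repeated nonce the keystream cancels: c1 XOR c2 == p1 XOR p2.
    return pn1 == pn2, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", nonces_reused(False))
    print("patched:  ", nonces_reused(True))
```
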
While Windows and Apple’s iOS devices appear to be immune from these vulnerabilities, “it is not a trivial attack,” says Woodward, warning that the scope of this attack should not be shortchanged. This may be true, but, as Kevin Beaumont writes over at Double Pulsar, the fact that these major players are not affected suggests that it’s not quite time to “burn the house down.” The issue is largely centered on Android devices, and Linux patches are already available. Furthermore, this attack doesn’t appear to exist out in the wild at this time, and at any rate, an attacker would need to be close to a vulnerable device to strike at WPA2.
The most significant danger of this threat seems to be what Matthew Green, a cryptography teacher at Johns Hopkins, refers to in a tweet as “a slew of TJ Maxxes.” This refers to the breach of the department store, in which cash registers served as a vulnerable access point for hopping onto the network.
Another concern is emphasized by Will Strafach: those who have home security systems provided by their ISP could also be affected. This is because most of these systems do utilize WPA2, which theoretically could allow someone to, say, tap the video feed of an indoor camera. Indeed, connected IoT devices could be at the greatest risk. In this still-young Wild West, strong security standards and updates often go ignored on the vendor side. Some devices never receive patches.
Fortunately, this is not the end of Wi-Fi, or even WPA2. Organizations should absolutely request patches from their providers, and in the meantime, if possible, try to avoid going wireless for business-critical operations.