You probably know about WPA2 encryption standard; the thing that you are used to checking whenever you access a wireless network. Till yesterday, this encryption standard was known to be more or less bug free and was the de-facto industry standard to encrypt your wireless communication.
Today, a major flaw in the WPA2 encryption standard for WiFi networks was made public that enables an attacker to eavesdrop on your conversation and steal your information. This security researcher who found this issue, Mathy Vanhoef, demonstrated this flaw by making use of the “KRACK” (Key Reinstallation Attacks) exploit. This is another major news in the past couple of months after the shocking Equifax leaks that resulted in confidential information being stolen from about half the US population.
How serious is it?
Very! An attacker, who is within range of a WiFi network, can interfere with the four-way handshake between the wireless router and the victim’s device. During the third step, the key could be resent multiple times. When it is resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption. WPA2 encryption standard is implemented in a majority of the wireless networks around the world. So, if you have a device that has WiFi capability and is connected to the wireless network, you are at risk!
How was it found?
In this proof-of-concept demonstration, Mathy Vanhoerf connected his device to the WPA2 protected network. He finds out the channel on which the wireless network is working and creates a clone network of his own on a different channel. Next, he sends some malicious frames to make the victim device switch to the clone network. He then carries out the key reinstallation attack to hijack the session between the victim device and the website that user is accessing. Finally, he shows that he was able to find out the username and password that user entered on his/her device.
Who all are affected?
This issue is especially ‘devastating’ on Android 6.0 because they do not have capability to change session keys once a session is active. Other operating systems such as Mac, OpenBSD and Windows are affected to a lesser extent. Major companies that make these wireless routers, access points and modems are working on a patch currently. There are possibilities that the vulnerabilities will not be fixed for all the access points in the world. It is currently not known when the fix would be released to the devices. Users should make sure they have the latest version of all their Operating system. Individual home users should also make sure their router firmware is updated.
The security researchers who discovered it say, “implementations can be patched in a backwards-compatible manner”. That means if you patch your Android device and not your router, you can still communicate and be safe. Nevertheless, they also advise to patch all your devices as soon as security updates are available. Aruba networks already have an update for this issue. Detailed information about the attack is mentioned in their FAQs section.
You should make sure that you share confidential information only on websites that are HTTPS encrypted (the little green lock sign on the left of the URL). Also, for now, you can continue using WPA2 encryption scheme and keep updating your devices whenever the patches are made available.