When you set up a new Wi-Fi network, you're probably conditioned by now to check the "WPA2" box. You may not specifically know when or why someone advised you to do this, but it was solid advice. Wi-Fi Protected Access 2 is the current industry standard that encrypts traffic on Wi-Fi networks to thwart eavesdroppers. And since it's been the secure option since 2004, WPA2 networks are absolutely everywhere. They're also, it turns out, vulnerable to cryptographic attack.
A flaw in WPA2's cryptographic protocols could be exploited to read and steal data that would otherwise be protected, according to new research from security researcher Mathy Vanhoef of KU Leuven in Belgium. In some situations, the vulnerability even leaves room for an attacker to manipulate data on a Wi-Fi network, or inject new data in. In practice, that means hackers could steal your passwords, intercept your financial data, or even manipulate commands to, say, send your money to themselves.
An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults, an important limitation. But given the ubiquitous use of WPA2 on tens of millions of Wi-Fi enabled devices around the world, the problem has enormous scope.
"Any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available," Vanhoef urges. "If your device supports Wi-Fi, it is most likely affected."
The weakness Vanhoef identified is in the WPA2 protocol's so-called "four-way handshake." That procedure determines whether a user attempting to join a network and the access point offering the network have matching credentials. It's essentially an exchange that ensures the user knows the network password. The four-way handshake also generates a new encryption key—the third communication in the four-step process—to protect the user's session. The newly discovered vulnerability, which Vanhoef calls a Key Reinstallation Attack, allows a hacker to tamper with or record and replay this third message, enabling them to reinstall a cryptographic key that's already been used. That key reuse also resets the counters for how many packets, or bits of data, have been sent and received for a particular key. When these tallies are reset, an attacker can replay and decrypt packets, and even forge packets in some cases.
'If your device supports Wi-Fi, it is most likely affected.'
Security Researcher Mathy Vanhoef
All of this manipulates contingency steps in the WPA2 protocol that keep a four-way handshake from totally failing even if the third communication gets lost or dropped (something that can naturally happen at times). As part of developing WPA2—a standard known as IEEE 802.11i—the Wi-Fi Alliance industry working group published a mathematical proof analyzing the security of the four-way handshake implementation. But Vanhoef notes that Krack attacks are not in conflict with that proof. For example, the attacks don't leak any encryption keys. It keeps them "private," and they allow the other steps in the handshake to play out to verify the identity of the user and the access point. In other words, the proof was accurate, but not exhaustive.
"This sort of complicated crypto is a fertile area for bugs," says Matthew Green, a crypotgrapher at Johns Hopkins University. "The problem is not so much that there are a ton of bugs in WPA2. It’s that it will be very hard to patch most low-cost consumer devices. So all it takes is one bad one to screw a lot of people up for years."
Focusing on the four-way handshake means that there are possible Krack attacks for most Wi-Fi enabled devices out there, including Android and Linux, not to mention a seemingly infinite list of embedded and Internet of Things devices from companies like Linksys. All of these devices need to be patched—a painfully slow process when it comes to routers and IoT especially.
There's some good news: Most current versions of iOS and Windows aren't vulnerable, or are only vulnerable in one niche circumstance, because of the way Apple and Microsoft implemented the WPA2 standard to prevent resends of the third handshake message. But the millions and millions of impacted devices will present a challenge to fix. While the flaw is in the WPA2 standard and can be patched accordingly, different companies take different approaches to installing the protocol in their products, creating a patchwork of exposures and vulnerabilities in practice.
The Wi-Fi Alliance said in a statement that it "now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member." That should help keep new devices safe, but does little for those already on the market.
"It's a problem in the core design of how keys are managed and integrity is assured," says Kenneth White, director of the Open Crypto Audit Project. "When every Wi-Fi client is vulnerable to some of these flaws, the standard is underspecified (and flawed). There will be many millions of internet connected devices that will likely never get fixed."
For consumers, immediate actions like changing your Wi-Fi password or getting a new router won't protect against Krack attacks. As is too often the case, consumers will largely be at the mercy of manufacturers and software developers, relying on them to release patches and hoping there's an easy way to apply them.
For now, you should still use WPA2. Its protections are still worth the risk that someone might be exploiting Krack somewhere near you. The best thing you can do to protect yourself is to install updates for as many of your devices as possible as soon as they come out, and make sure you only share sensitive data on sites that use HTTPS encryption. For large institutions, the key is architecting networks with multiple layers of protection, so data security doesn't hinge on any one standard.
"It does highlight that enterprise networks need to be secure even if they have WPA2-enterprise protection," says Robert Graham, an analyst for the cybersecurity firm Erratasec. He notes that networks should be segmented, so compromising one component doesn't give attackers access to everything. "Also implement things like isolation, so one Wi-Fi client can't talk to another," he says.
With a vulnerability as widespread and hard to fix as Krack, the best anyone can do is try to soften the damage. And if being on public Wi-Fi made you paranoid before, well, at least you know you're not altogether wrong.