A WPA2 exploit known as KRACK allows attackers to break every form of Wi-Fi encryption.
The global security community is reeling from the discovery of a devastating flaw in the WPA2 wireless encryption protocol, which affects virtually every modern Wi-Fi connection.
Discovered by KU Leuven researcher Mathy Vanhoef, the flaw is being referred to as 'KRACK' – short for key reinstallation attack – and involves exploiting a design flaw in the four-way handshake used by the WPA2 wireless protocol, along with numerous other cryptographic protocols.
"Every Wi-Fi device is vulnerable to some variant of our attacks," Vanhoef warned. It can be exploited to access virtually any information being transmitted over a Wi-Fi connection, including login credentials, photos, financial information and more.
How does KRACK work?
When a client device (like a laptop or smartphone) wants to join a network, the four-way handshake determines that both the client device and the access point have the correct authentication credentials, and generates a unique encryption key that will be used to encrypt all the traffic exchanged as part of that connection.
This key is installed following the third part of the four-way handshake, but access points and clients allow this third message to be sent and received multiple times, in case the first instance is dropped or lost. By detecting and replaying the third part of the four-way handshake, attackers can force the reinstallation of the encryption key, allowing them to access the packets being transmitted.
Although Vanhoef suggests that the attack is most impactful against the four-way handshake, the same exploit can also be employed against the group key, PeerKey, TDLS and Fast BSS Transition handshakes as well.
What can KRACK do?
What actions the attacker can carry out depends on which subset of the WPA2 encryption standard is in use. If the victim is employing AES-CCMP encryption, then packets transmitted by the victim can be decrypted and read, allowing the theft of sensitive information. Vanhoef warns that "it should be assumed that any packet can be decrypted".
This also allows the decryption of TCP SYN packets, which can then be used to hijack TCP connections and perform HTTP injection attacks such as infecting the target with malware.
If the target is using WPA-TKIP or GCMP (also known as WiGig), the potential damage is even worse. In addition to decryption, key reinstallation allows hackers to not only decrypt and read packets, but also to forge packets and inject them into a user's traffic. WiGig is particularly vulnerable to this.
What devices are affected by KRACK?
Attacking the four-way handshake allows hackers to decrypt packets sent by the client to the access point, whereas attacking the Fast BSS Transition handshake allows the decryption of packets sent from the access point to the client.
One of the most worrying revelations in the report is that Android devices are especially vulnerable to this attack, due to the use of a Linux Wi-Fi client that installs an all-zero encryption key when it's hit with the exploit, "completely voiding any security guarantees".
"This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices," warned Vanhoef, who pointed out that more than 40% of Android devices (including any device on Android 6.0 and above) are vulnerable to this attack.
The attack is catastrophically broad in scope, with Vanhoef noting that it "works against all modern protected Wi-Fi networks," and that "if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks."
Security methods such as virtual private networks (VPNs) and HTTPS – the web standard that the encrypts data from the browser to the server – are unaffected by the vulnerability, although Vanhoef pointed out that they been bypassed using other methods.
Is WPA2 permanently broken?
Luckily, the discovery does not represent a death-blow for wireless connection protocols; the flaw can be patched in a backwards-compatible way, meaning that the existing WPA2 standard can still be used. Patches are currently being worked on by vendors, and all users are urged to install the latest patches for all their wireless devices as soon as they are available.
In the meantime, we've offered some advice elsewhere on what you can do.
Vanhoef and his colleagues are also working on a tool to detect whether the exploit can be used against specific implementations of the affected encryption protocols, which is close to release, as well as a proof-of-concept that will be released once sufficient time has passed for users to update their devices.