A severe flaw in the encryption protocols used by nearly all modern Wi-Fi networks could let attackers hijack encrypted traffic, steal passwords and even inject malware into smartphones and laptops.
Dubbed KRACK, or Key Reinstallation Attack, by its discoverer, the flaw affects all widely used platforms: Windows, Mac, iOS, Linux and Android. Android 6.0 Marshmallow and later, and Linux kernel 2.4 and later, are especially hard-hit.
Despite the severity of the flaw, it is rather difficult to implement. The user needs to be within Wi-Fi range of a smartphone or laptop to attack it. The attack does not work over the internet.
What to Do
Users should keep using encrypted Wi-Fi wherever necessary, such as at home and at work. However, you might want to avoid using the networks, even password-protected ones, in coffeeshops, hotels, airports and other public places for the time being.
Fortunately, many Wi-Fi router and client-device makers have already or are about to issue patches — a list of vendors that have already issued patches is here — so users should update their routers, smartphones and laptops as soon as possible.
KRACK was discovered by Mathy Vanhoef, a postdoctoral researcher at the Catholic University of Leuven in Belgium. He’s put up a website detailing the flaw in relatively easy-to-understand terms, as well as a research paper that’s not so easy to grasp.
“The attack works against all modern protected Wi-Fi networks,” Vanhoef wrote on the “official” Krack attack site. “To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected.”
The flaw is not in the cryptography underlying WPA2 or its predecessor, WPA. Rather, it’s in the implementation.
When communicating with a client device to initiate a Wi-Fi connection, the router sends a one-time cryptographic key to the device. That key is unique to that connection, and that device. In that way, a second device on the same Wi-Fi network shouldn’t be able to intercept and read the traffic to and from the first device to the router, even though both devices are signed into the same Wi-Fi network.
The problem is that that one-time key can be transmitted more than one time. To minimize connection problems, the WPA and WPA2 standards let the router transmit the one-time key as many as three times if it does not receive an acknowledgement from the client device that the one-time key was received.
Because of that, an attacker within Wi-Fi range can capture the one-time key, and, in some instances, even force the client device to connect to the attacker’s bogus Wi-Fi network. The attacker can use the one-time key to decrypt much of the traffic passing between the client device and the router.
Android 6.0 and later and recent versions of Linux are particularly vulnerable, because the attacker can resend a fake one-time key of all zeroes — in other words, a blank key. In such cases, the encryption between the router and client device will be completely broken.
The attack will NOT affect traffic between client devices and websites that use proper implementations of HTTPS web encryption. Such traffic will be encrypted on its own, and cannot be read by the attacker.
However, many websites improperly set up HTTPS. Vanhoef demonstrates such an attack by completely breaking the encryption on a connection between and Android device and the British website of Match.com, which did not set up HTTPS properly. Vanhoef manages to steal the user’s Match.com password and username.
“Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords),” he wrote. “In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
The silver lining is that WPA2 is NOT fundamentally broken, and that this flaw is relatively easy to fix by eliminating the re-sending of one-time keys. Vanhoef noted that Windows and iOS are less affected because they do not accept one-time keys that have been sent more than once. However, those platforms are still vulnerable to more creative versions of this attack.
However, it may be difficult to update some older Wi-Fi routers. Thankfully, updating client device should protect against these attacks. Ironically, older Android devices running 5.0 Lollipop or earlier, which are most likely to not receive updates, are less vulnerable than their newer cousins.