KRACK – What is it and should I be concerned?
Amethyst’s Andy Heathcote offers some important advice
KRACK is the name for a flaw in the WiFi security protocol WPA2 (WiFi Protected Access 2).
KRACK is short for Key Reinstallation Attack, and this attack type targets part of the four-way authentication process (handshake) performed when a WiFi-enabled device (laptop, tablet, smartphone) connects to a WPA WiFi network or router.
In a little more detail, when any device uses WiFi to connect to a router it does what is known as a "handshake". This is a four-step dialogue, where the two devices agree an encryption key to use to secure the data passed between them – this is known as a session key.
The KRACK attack begins by tricking a victim into reinstalling the live key by replaying a modified version of the original handshake. This then means that the attacker can also understand the traffic between the device and the router as they too have the session key – i.e. they can enter your network (including home networks) and snoop on the data. This data could include credit card numbers, passwords, e-mails and photographs. When a KRACK attack is successful it also enables the attacker to have more opportunity to introduce malware, including ransomware, to the connected device(s). However, there are two mitigating factors to this vulnerability or attack:
Firstly, the attacker has to be physically nearby, within range of the WiFi signal.
Secondly, if the website or web browser you are on has encryption (which is quite common) it is harder for KRACK to fully exploit the vulnerability.
So, the fundamental question for users (business and private) is how to protect against this type of attack. The good news is that hardware (servers, PCs, laptops, tablets, etc.) and operating system (Windows 8.1, Windows 10, etc.) vendors are producing updates (also called patches) to address the vulnerability. For example, up-to-date Windows 10 PCs are likely to now be protected. However, until that happens across the board, there are some basic precautions that can be taken. These are:
If possible use an ethernet connection rather than WiFi for the office network.
If you are out and about, use your mobile phone provider’s 3G or 4G connection rather than a WiFi connection (a friend’s, a hotspot or a hotel’s).
If you need to use a public or unknown WiFi hotspot try to stick to websites that use encryption – HTTPS will appear in the web address to show that it is an encrypted website. Unencrypted websites only have HTTP.
Use a virtual private network (VPN) such as Mullvad, Cyber Ghost or SURFEASY as this will make an encrypted tunnel within the WiFi connection and to the Internet; and beyond to your colleagues (if they are also on the VPN).
What will not help protect you is:
Changing your phone or device (laptop) - the source of the vulnerability is in the WiFi connection.
Changing your router.
Changing the WiFi password. The vulnerability is in the session key generated during the connection authentication.
KRACK is a serious vulnerability but if you take the following precautions then the risk is minimised:
Aim to not allow unknown personnel too close to the WiFi router – the attacker needs to be within range.
Minimise use of unprotected WiFi hotspots (i.e. use your phone’s 3G/4G or, if on an office network, use ethernet to connect your computer to the router).
Aim to use encrypted websites (HTTPS).
Aim to have your devices and software updated and patched to the latest version as the vulnerability is being addressed by vendors.