It's time to get patching again. Another widespread vulnerability affecting practically everyone and everything that uses Wi-Fi was revealed on Monday, allowing hackers to decrypt and potentially look at everything people are doing online.
Researcher Mathy Vanhoef, from Belgian university KU Leuven, released information on his hack, dubbing it KRACK, for Key Reinstallation Attack. Vanhoef's description of the bug on his KRACK website is startling: "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
What's behind the vulnerability? It affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2), relied on by most Wi-Fi users to keep their web use hidden and secret from others. More specifically, the KRACK attack sees a hacker trick a victim into reinstalling an already-in-use key. Every key should be unique and not re-usable, but a flaw in WPA2 means a hacker can tweak and replay the "handshakes" carried out between Wi-Fi routers and devices connecting to them; during those handshakes, encryption keys made up of algorithmically-generated, one-time-use random numbers are created. It turns out that in WPA2, it's possible for an attacker to manipulate the handshakes so that the keys can be reused and messages silently intercepted.
The researchers, who said the attack was particularly severe for Android and Linux users, showed how devastating an attack could be in the demonstration video below:
The attacks on Google's Android are made simpler by a coding error, where an attacker will know the key just by forcing a reinstallation. That's because the operating system uses what's known as an "all-zero encryption key" when the reinstallation is initiated, which is easier to intercept and use maliciously.
As for how widespread the issue was, it appears almost any device that uses Wi-Fi is affected. "The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks," explained Vanhoef.
What to do?
For that reason, users may want to be wary of using Wi-Fi at all until patches are widely rolled out. For now, it looks as if some manufacturers are pushing out updates, which should go some way to preventing attacks. Note that devices such as laptops and smartphones will require updates as well as routers. Indeed, Vanhoef said it's more urgent for general users to patch their personal devices, whether phones, PCs or any smart device, be they watches, TVs or even cars. He recommended users get in touch with the relevant vendors to find out when patches are coming.
Given the range of devices affected, it's almost guaranteed patches won't make it to everyone. The US Computer Emergency Response Team (CERT) has released an advisory, which notes a number of affected vendors, including Cisco, Intel and Samsung, amongst many other major tech providers.
A range of vendors have promised updates are already available or will be soon. A Google spokesperson wrote in an email to Forbes: "We're aware of the issue, and we will be patching any affected devices in the coming weeks."
Microsoft confirmed it had rolled patches out already: "We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected."
Cisco also said it had published a security advisory to detail which products are affected, and a blog to help customers better understand the issue. "Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," a spokesperson said.
Intel confirmed it was "working with its customers and equipment manufacturers to implement and validate firmware and software updates that address the vulnerability." It also released an advisory.
And Apple confirmed it has a fix coming for its Mac and iOS operating systems that's currently in the betas for its next software updates. Those will land in the next few weeks.
Some good news
There's some good news: truly remote attacks won't be possible with this hack alone. In the most likely attack scenario, the hacker would have to directly connect to the Wi-Fi access point, and so would need to be within physical proximity to the device (possibly up to a few hundred feet away depending on whether they had access to antennas to extend their reach). "This attack doesn't scale," noted Alan Woodward, encryption expert from the University of Surrey. "It's a very targeted attack. Not like we're all going to be hit as attackers can only be in so many Wi-Fi zones at once."
But Woodward did have words of caution, especially for businesses: "The reason this is so worrying, and why everyone is so interested, is that many (including large organisations) assume their [local Wi-Fi network] is a trusted environment. For example, some don’t require authentication on network resources. If that boundary is now easily breached then there would need to be a lot of rethinking about threat models.
"This is the sort of flaw that the security community dreads: it is not about a single vendor having messed up a particular implementation but rather a fundamental flaw in the way the protocol was specified. Even those that have implemented the standard correctly will have baked in this flaw."
The research appears to have been built on previously-released findings from July, when Vanhoef and colleagues discussed issues with Wi-Fi security at the Black Hat conference in Las Vegas. They've released the research paper in full on their dedicated KRACK attack website.
For those users whose routers, PCs and smartphones don't yet have updates, there are some measures they can take to protect their online privacy. A Virtual Private Network (VPN) software could protect them, as it will encrypt all traffic. Only using HTTPS encrypted websites should also benefit the user, though there are exploits that can remove those protections. Changing the Wi-Fi password won't prevent attacks, but it's advisable once the router has been updated.
Vanhoef is promising more too. Though he admitted some of the KRACK attacks would be difficult to carry out, he's to release more information on how to make them significantly easier to execute, especially for Apple's macOS and the OpenBSD operating system.
