KRACK Breaks WiFi Security, But All is Not Lost

October 19, 2017  |  By Joel Odom

Researchers from KU Leuven in Belgium have disclosed a serious flaw in the WPA2 standard that allows attackers to break the encryption on WiFi networks. The flaw, dubbed KRACK, allows an attacker to trick WiFi clients into reusing cryptographic material in such a way that the attacker can decrypt the packets sent between a WiFi client and an access point. Because the flaw exists in the actual WPA2 standard, the security community believes that KRACK probably affects almost every WiFi device in existence. Major device and operating system vendors have already published patches that clients can install to prevent the attack.

IISP Analyst Joel Odom: "KRACK constitutes a complete break of WPA2 security. This means that an attacker can read (and often manipulate) the IP-level data of affected clients. Although that is a major problem, all is not lost. Applications that implement security properly adhere to the end-to-end principle for cryptography. This means that data is encrypted for integrity and confidentiality at the application level, before the data ever reaches the TCP/IP level. An attacker who can use KRACK to read and control the IP packets still cannot compromise a properly-implemented secure network session, such as sessions protected by TLS. In fact, once data leaves your local network, you have to assume that an attacker downstream of your connection can control your IP packets anyway. KRACK implies that you must confer this distrust onto your local WiFi network.
In addition to TLS, other defense-in-depth strategies can mitigate the impact of KRACK. For example, I typically use a VPN when I'm conducting business on any network away from the office. The same VPN technology that protects users on untrusted public networks also protects users who are vulnerable to KRACK.
The bad news is that not all applications use encryption properly. In their example video, the discoverers of KRACK demonstrate how an improperly configured website can be forced to downgrade a client’s connection so that the connection does not use encryption at all. Applications that don't properly validate TLS certificates or that don't use encryption are vulnerable. Devices that don't routinely receive patches, such as many IoT devices, will remain vulnerable indefinitely. The ability to control a client's WiFi connection also leaves users vulnerable to certain types of phishing attacks since attackers could potentially control client DNS queries. Thankfully, increased public attention to computer security in the last decade has advanced the deployment of strong cryptography, which users need to maintain security when attacks such as KRACK are discovered."
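
The two application-level failure modes named in the quote above (no certificate validation, no encryption at all) can be checked for in client code. The Python sketch below is an added example, not code from the article or its author; `audit_client`, the client names and the `example.test` URLs are hypothetical and constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit


def hardened_context():
    """TLS client context that verifies both the chain and the hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def weak_context():
    """The misconfiguration: validation switched off 'to make it work'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate
    return ctx


def audit_client(url, ctx):
    """Return the reasons this client cannot rely on end-to-end protection
    when the local WiFi link has to be treated as untrusted."""
    if urlsplit(url).scheme.lower() != "https":
        return ["plaintext: no encryption above the WiFi layer"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


# Constructed sample inventory: (client name, endpoint, TLS context).
CLIENTS = [
    ("billing-sync", "https://api.example.test/v1", hardened_context()),
    ("sensor-upload", "https://iot.example.test/push", weak_context()),
    ("legacy-report", "http://reports.example.test/daily", hardened_context()),
]


def audit_all(clients):
    """Map each client name to its list of findings (empty list = OK)."""
    return {name: audit_client(url, ctx) for name, url, ctx in clients}


if __name__ == "__main__":
    for name, findings in audit_all(CLIENTS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A client with an empty findings list keeps its confidentiality and integrity even when the WiFi layer is compromised; the other two depend on the local network being trustworthy.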

