The KRACK attack — How WPA2 encryption was broken by a security researcher

Yes, you heard it right. WPA2 is broken ! Security researcher Mathy Vanhoef of imec-DistriNet has discovered this vulnerability and he has disclosed the vulnerability to the public. He quotes

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

Networking companies and hardware manufacturers have started patching their products immediately after this vulnerability was disclosed to the public. Looks like Android and Linux users are hit badly by this vulnerability. Here is the detailed list of companies who are pushing the updates right away,

1. Aruba — Aruba has been very quick and it has released security release note and updates for Aruba OS

2. Cisco — The company is investigating about the vulnerability. It has released a few patches and we can expect more patches in future.

3. The WiFi Standard — It has not released the fix for the end user but the update/patch is available for the vendors.

4. Fortinet — Looks like FortiAP 5.6.1 is not vulnerable but FortiAP 5.4.3 is still vulnerable. So we can expect a patch soon !

5. Espressif Systems — Espressif systems have started patching their chipsets. It is available for download here.

6. FreeBSD Project — There is still no official response from them till now.

7. Intel — As always, Intel has released the security advisory and patches for various chipsets which are affected by this vulnerability.

8. Linux — The patch is already available for download. Debian builds can download the patch now whereas the OpenBSD was fixed back on july.

9. Google — Google is aware of the issues and they will be releasing the updates very soon.

10. Microsoft — Microsoft has patched this vulnerability in its security updates but it is not clear which update it is. It is expected that they will soon release a security bulletin about this vulnerability. Update — Details about various security patches released by Microsoft can be found here.

11. Android — It is confirmed that devices running Android v6.0 or later are affected by this vulnerability. Few sources say that Google has already released a patch while others say that it is about to roll out. Let us wait for an official statement from Google.

12. iOS — Apple hasn’t made any public statements at the time of writing. No patches or fixes are announced yet. However it’s reported that iOS is generally “safe” from this attack and it has limited impact for iOS devices.


Like what you read? Give Rizwan Ahmed a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.