How bad is KRACK? Tips to be protected
Today, the internet is on fire. Media is publishing about KRACK, the new Wi-Fi security flaw that allows attackers eavesdrop on traffic between computers and wireless access points. Headlines might one think in an apocalypse, where anyone will be able to get the password from our wireless network and read our data. Well, Krack is bad, but not that bad. Here our analysis.
The problem lies in how a wifi client connects to a wifi access point. One of the step of this connection is called “4-way handshake”, where encryption and authentication keys are negotiated to continue the connection. Without entering into deep technical details, Krack has found a way to fake messages sent from the Access Point to the Device, in such a way that the device reinstall encryption keys and enable further messages to be decrypted from the encryption provided by the Wi-Fi protocol.
Krack affect WPA2 Wi-Fi networks, which were unfortunately the only ones considered safe up to date. Others, such as WEP, had been cracked in the past.
It can be executed over all WPA2 configurations (WPA-TKIP and AES-CCMP), however in case the TKIP in addition to the security problem explained above, we would find that an attacker could not only decrypt packages, but also could generate new ones and send them during the communication. This would lead to a multitude of possible attacks much greater than the previous one, for example it could force a client to disassociate with the authentic Access Point to which it is connected, associate to a false Access Point that could, using other methods like ssltrip, be able to deceive to the user to share their data, as you can see in the demo video.
In addition to the above, if the client is Android or Linux based, because of the way in which the keys are negotiated the problem is even greater, as it allows the modification of packages regardless of the Wi-Fi setup. In the case of Android, any version after 6.0 is vulnerable (41% in October 16th), in the case of Linux, any version of wpa_supplicant greater than 2.4.
The most important thing to mention is that the physical distance between the victim, the access point and the attacker matters. The attacker should be closer to the victim than the access point, so that its packages arrive before those sent by the real Access Point. So if you are 1 meter closer to the access point, it would be pretty complex for an attacker to get you.
The objective of this attack are the clients of the Wifi connection and not the Access Point, so the patches that solve this problem should come from the device manufacturers (cell phones, computers, etc).
Summarizing the bad news:
- How bad is crack? Pretty bad, it allows a number of attacks depending on the Access Point configuration and the client you are using to connect the Wi-Fi
- What can an attacker do? In the worst cases, pretty much everything from reading messages, connect to roge Access Points, etc.
- How spread is it? Pretty spread, it affects all WPA2 configurations and the majority of the devices
And on the positive side:
- Could this be patched? Yes, stay tuned to your device manufacturer updates and apply them as soon as they are released
- What is the attack surface? Not as big as it needs the attacker physically close to you and the access point. Stay close to your Access Points until you get the patch 🙂
- Any additional recommendation that I can use to be safer?
- Ensure you configure WPA2-AES on your access point
- Ensure HTTPS when browsing critical sites. HTTPS adds additional encryption over the network one, and makes it [much] harder for an attacker using Krack to decrypt.
- If possible, use a VPN software when reading corporate or sensitive emails or cloud documents, same than HTTPS, it adds an extra layer of security.
- NEVER provide or read sensitive data when connected to a Wi-Fi network you don’t trust (hotels, restaurants, etc.), even if they are apparently protected by a password. This is just a false sense of security, as they might have wrong configurations.
Originally published at tiptaplabs.com on October 16, 2017.