KRACK Attacks (WiFi security vulnerability)

KRACK Attacks

Security researchers have announced a major security vulnerability in the WPA2 protocol yesterday called KRACK (Key Reinstallation Attacks). WPA2 (WiFi Protected Access II) is the encryption protocol that secures all modern WiFi networks. It was designed to provide wireless networks with stronger data protection and network access control. The current vulnerability exploits a weakness in the encryption process, allowing an attacker to eavesdrop on wireless traffic. An attacker may also be able to inject and manipulate data (e.g. uploading malware to a website).

 

Impact

Most devices that support WiFi are affected by this vulnerability until the manufacturers release a patch to address it. If exploited, an attacker will be able to steal sensitive information that a client device sends to an access point on a wireless network. This may include credit card details, passwords, chat messages, photos etc. Malicious software can also be loaded onto the device, causing further damage.

What can I do?

Certain precautions can be taken to ensure that you do not fall victim to such an attack. Firstly, ensure that all communication is encrypted – for example, by only browsing sites over HTTPS. Most sites support HTTPS by default. For those that don’t, this feature may be enabled with an extension such as “HTTPS Everywhere” which forces websites to work in HTTPS mode whenever possible. Whenever browsing a website that requires any data input, check to make sure that ‘HTTPS’ is in the address bar and a green padlock is visible. Secondly, use a VPN provider which creates an encrypted tunnel between your device and the VPN host, encrypting all traffic automatically. UCL provies a free VPN service for all staff and students. Lastly, update your wireless devices as soon as patches becomes available. If possible, avoid using WiFi and use a wired connection instead!

Further reading

More details on the attack, a proof-of-concept and FAQs can be found on the KRACK Attacks site. The NCSC provided some useful guidance in relation to the vulnerability.