Digital security researchers publicly reveal vulnerability in WPA2 WiFi protocol

This is the stable version, checked on 5 August 2020. Template changes await review.

Thursday, October 19, 2017

On Monday, digital security researchers Mathy Vanhoef and Frank Piessens of Belgium's KU Leuven university publicly disclosed a security vulnerability in the WPA2 Wi-Fi (wireless local-area networking) protocol, which they called KRACK (for Key Reinstallation Attack). Their study claimed KRACK affects every modern device using Wi-Fi; it can be fixed by a software update, researchers said.

Vanhoef wrote, "Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on." Vanhoef notified vendors about the flaw in July, including UNIX-like operating system OpenBSD. "If your device supports Wi-Fi, it is most likely affected. [...] In general, any data or information that the victim transmits can be decrypted", he wrote.

The study papers, which were submitted for review on May 19, were kept in confidence allowing companies to fix the security flaw. The United States-based Computer Emergency Response Team (CERT) informed vendors on August 28. The Wi-Fi Alliance said it "could be resolved through a straightforward software update." OpenBSD released their software patch on August 30.

Exploring the flaw which affected every device the researchers had tested, National Cyber Security Centre of the UK said "the attacker would have to be physically close to the target". But due to this flaw, an attacker can send malware or ransomware on the websites, Vanhoef claimed.

Linux-based operating systems including Android v6.0 and higher are especially affected by this flaw, while Windows and iOS are not as vulnerable as Android by this flaw as they do not fully implement WPA2.

Microsoft reportedly has released security patches for Windows 7, 8, 8.1 and 10. Google said Android operating systems would receive the updates in the software update scheduled to be made available on November 6. Apple has implemented the patch in the beta versions of their operating system iOS, macOS, tvOS and watchOS, however it is yet to roll out patches for stable operating systems.

WPA2 protocol has been used for more than a decade, and has been compulsory for Wi-Fi since 2006. KRACK would also affect various home appliances which can be controlled over Wi-Fi, within the so-called "Internet of things". Andrew Martin from Oxford University said, "We can be sure a lot of these devices won’t be patched[...] Whether that matters for this attack or only for some future attack is yet to be seen."

The study and its findings are scheduled for presentation at the ACM (Association for Computing Machinery) Computer and Communications Security conference on November 1.

Sources