Love Krack, baby! WPA2 Encryption vulnerability

October 16th, 2017

Significant vulnerability (Krack) discovered in the WPA/WPA2 Wi-Fi encryption standard.

If you’re connecting over Wi-Fi, and you think your connection is encrypted, then you’re impacted by this.  ‘Cuz it turns out your traffic isn’t encrypted.  Or at least, not as encrypted as you’d like.  Say hello to Krack.

Krack is short for Key Reinstallation Attack.  If you want to read one of the original papers about it, click here.  For a medium altitude description, click here.  Apparently Krack even has its own logo.  Wow.

The bottom line is this:

When we connect to a wireless network, we’re joining a lot of other devices connecting to the same “network.”  We want to make sure (and yes, you do want to make sure) that our data going back and forth is properly encrypted.  The two most popular encryption types are WPA and WPA2.  A majority of wireless access points using encryption use those protocols.

When your mobile device first connects to a wireless access point, there’s a process commonly referred to as a handshake, where both devices share information about each other to create a proper shared one-time key for encryption.

The Krack attack happens during that handshake: the attacker essentially impersonates the access point to your mobile device, temporarily, for the duration of that handshake.

Again, go to the links above for more detailed information.  We’ll be pushing out updates once they are released by our partners such as Sophos and Ubiquiti.  What should you do in the meantime?  We’re going to defer to the experts here.  According to Sophos’ Naked Security Blog:

Here’s what you can do:

  • Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
  • Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
  • Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
  • Apply KRACK patches for your clients (and access points) as soon as they are available.
  • Sophos Customers should read knowledgebase article 127658.

Simply put, if you ever use open Wi-Fi access points (or Wi-Fi access points where the password is widely known, e.g. printed on the menu or handed out by the barista), you are already living in a world where at least some of your network traffic could be sniffed out at will by anyone.

The precautions that you take in those cases – why not take them all the time?