The KRACK Epidemic!
A vulnerability in wifi has been discovered which, if exploited, allows hackers to listen in on communications between your devices and your router. Effectively a middle man approach, it means a hacker physically located near your device would be able to steal sensitive information such as credit card data, passwords, emails, photos, and any traffic passing through the network.
Who discovered it?
The KRACK vulnerability was disclosed to the world on October 16th 2017 by security researcher Mathy Vanhoef. He demonstrated how the vulnerability worked via a YouTube video by replicating a scenario where a hacker could use this exploit to intercept data between a router and an Android phone. The flaw he discovered was within wifi authentication and surprisingly, the hack only took 4 minutes. Security researcher Vanhoef has referred to the vulnerability as KRACK, which is short for ‘key reinstallation attack’, and he explained in a blog post that it could be used to read data transmitted between a device and the wireless network it’s connected to, even if that network is password-protected and encrypted. KRACK exploits a vulnerability in Wi-Fi Protected Access 2 (WPA2), the encryption protocol most consumers and many organisations use to protect their networks.
How does it work?
The “KRACK” attack works by exploiting the “handshake” that a Wi-Fi network and a device perform with each other when the latter wants to join. Usually, the two decide on an encryption key for all future traffic, meaning that each device will only be able to read data if it has that key.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. It is also worth noting that a hacker would have to be within range of a targeted wifi network for them to execute the attack.
What systems are affected?
It was discovered during the research that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.
Microsoft was first to announce that it has already fixed the problem for customers running supported versions of their operating systems. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft says the Windows updates released on October 10th protect customers, and the company “withheld disclosure until other vendors could develop and release updates.”
Google has promised a fix for affected devices “in the coming weeks.” Google’s own Pixel devices will be the first to receive fixes, with the security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.
According to Apple Insider, the latest from unofficial Apple sources is that the company has rectified the "KRACK Attack" Wi-Fi WPA-2 exploit in "recent" macOS, iOS, tvOS, and watchOS betas, but was unable to confirm that a patch is coming for the AirPort series of routers. It is also worth noting that the last firmware update for the AirPort family of hardware was in Dec. 2016, well before the May disclosure of the vulnerability. It is not clear at this time if a patch for the KRACK exploit will be issued for the AirPort.
What to do
The technique KRACK employs highlights the importance of HTTPS, the secure protocol that websites can use to encrypt data transmitted between them and your web browser. The attack is particularly effective at extracting data your device transmits to websites that don’t use HTTPS or, as the video demonstrates, websites that use the protocol but have configured it incorrectly. As a general rule, always keep an eye on the address bar in your web browser, and look for the padlock icon, the word “Secure,” and the “https” at the beginning of the address you’re visiting.
Over the coming weeks it is well worth updating all devices that are connected to wifi as the updates come through. Whilst Google has promised updates for Pixel owners, it is worth keeping an eye on other Android suppliers such as BlackBerry, HTC and Samsung. Cyber news website ZDNet has compiled a list of all vendors who have started pushing out updates in relation to the vulnerability.