When you set up a new Wi-Fi network, you’re probably conditioned by now to check the “WPA2” box. You may not specifically know when or why someone advised you to do this, but it was solid advice. Wi-Fi Protected Access 2 is the current industry standard that encrypts traffic on Wi-Fi networks to thwart eavesdroppers. And since it’s been the secure option since 2004, WPA2 networks are absolutely everywhere. They’re also, it turns out, vulnerable to cryptographic attack.
A flaw in WPA2’s cryptographic protocols could be exploited to read and steal data that would otherwise be protected, according to new research from security researcher Mathy Vanhoef of KU Leuven in Belgium. In some situations, the vulnerability even leaves room for an attacker to manipulate data on a Wi-Fi network, or inject new data in. In practice, that means hackers could steal your passwords, intercept your financial data, or even manipulate commands to, say, send your money to themselves.
An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults, an important limitation. But given the ubiquitous use of WPA2 on tens of millions of Wi-Fi enabled devices around the world, the problem has enormous scope.
“Any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available,” Vanhoef urges. “If your device supports Wi-Fi, it is most likely affected.”
The weakness Vanhoef identified is in the WPA2 protocol’s so-called “four-way handshake.” That procedure determines whether a user attempting to join a network and the access point offering the network have matching credentials. It’s essentially an exchange that ensures the user knows the network password. The four-way handshake also generates a new encryption key—the third communication in the four-step process—to protect the user’s session. The newly discovered vulnerability, which Vanhoef calls a Key Reinstallation Attack, allows a hacker to tamper with or record and replay this third message, enabling them to reinstall a cryptographic key that’s already been used. That key reuse also resets the counters for how many packets, or bits of data, have been sent and received for a particular key. When these tallies are reset, an attacker can replay and decrypt packets, and even forge packets in some cases.
All of this manipulates contingency steps in the WPA2 protocol that keep a four-way handshake from totally failing even if the third communication gets lost or dropped (something that can naturally happen at times). As part of developing WPA2—a standard known as IEEE 802.11i—the Wi-Fi Alliance industry working group published a mathematical proof analyzing the security of the four-way handshake implementation. But Vanhoef notes that Krack attacks are not in conflict with that proof. For example, the attacks don’t leak any encryption keys. It keeps them “private,” and they allow the other steps in the handshake to play out to verify the identity of the user and the access point. In other words, the proof was accurate, but not exhaustive.
“This sort of complicated crypto is a fertile area for bugs,” says Matthew Green, a crypotgrapher at Johns Hopkins University. “The problem is not so much that there are a ton of bugs in WPA2. It’s that it will be very hard to patch most low-cost consumer devices. So all it takes is one bad one to screw a lot of people up for years.”
Release the Krack
Focusing on the four-way handshake means that there are possible Krack attacks for most Wi-Fi enabled devices out there, including Android and Linux, not to mention a seemingly infinite list of embedded and Internet of Things devices from companies like Linksys. All of these devices need to be patched—a painfully slow process when it comes to routers and IoT especially.
There’s some good news: Most current versions of iOS and Windows aren’t vulnerable, or are only vulnerable in one niche circumstance, because of the way Apple and Microsoft implemented the WPA2 standard to prevent resends of the third handshake message. But the millions and millions of impacted devices will present a challenge to fix. While the flaw is in the WPA2 standard and can be patched accordingly, different companies take different approaches to installing the protocol in their products, creating a patchwork of exposures and vulnerabilities in practice.