This morning an embargo was lifted on a newly discovered major security vulnerability that impacts essentially EVERY Wi-Fi device currently in existence.
In particular - recent Android and Linux devices are particularly vulnerable to having secure connections eavesdropped upon, though with more effort the same attack can be used against Windows, iOS, and MacOS.
Even Wi-Fi routers connecting via a WiFi-as-WAN uplink are vulnerable - including routers from Pepwave and WiFiRanger connected to secure campground networks.
This is a serious breaking story - but there is no reason for most Wi-Fi users to panic, just yet anyway.
Video Version of this Story:
Prefer Video? Subscribe to our YouTube Channel!
What is KRACK?
Security researcher Mathy Vanhoef recently discovered a vulnerability in the WPA2 encryption protocol that protects all modern password-protected Wi-Fi networks - and he has dubbed this attack KRACK, standing for "Key Reinstallation Attacks".
KRACK works by allowing a hacker to intercept encrypted traffic, and then without needing to know the password - the attacker can trick the connection into using a new encryption key that allows for relatively easy eavesdropping.
Mathy explains just how serious this is:
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected."
Up until now WPA2 had been considered extremely secure - only vulnerable to brute force password guessing attacks that might take hundreds of years of computer time to cary out. KRACK doesn't need the help of a supercomputer - it only needs a malicious laptop nearby within Wi-Fi range, particularly if your goal is snooping on Android devices.
Android Particularly Vulnerable?
For most targets, KRACK needs to be running for a potentially long time before the encryption is broken. But on recent Android and Linux devices, the attack can work instantly thanks to a bug that replaces the encryption key with all zeros.
"For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key. When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. ... This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack."
This is the most serious and far reaching Wi-Fi security hole discovered in years, and this WILL soon become a core part of every hacker's toolkit.
But right now, there is NO evidence that this attack has been used maliciously in the field - and the researchers gave ample notice to major device makers before today's announcement so that hopefully by the time malicious hackers put KRACK to use most people will have installed security updates to protect themselves.
Here are some important things to know:
- HTTPS is Still Secure - If your connection is being snooped with KRACK, it just means that the Wi-Fi network is as "public" as any Wi-Fi network without a password. Websites that use HTTPS (marked as "secure" or padlocked by your browser) are encrypted between your browser and the server, and the KRACK does NOT break this connection.
- VPN Connections are Safe - Just like HTTPS, when you are connected via a VPN the connection between your computer and the VPN server in encrypted, and it does not matter if someone is listening in on the Wi-Fi.
- Wi-Fi Passwords Are Not Guessed - KRACK lets attackers snoop without knowing the password to a Wi-Fi network. Changing your network passwords in response to this new attack is not needed, and will not help.
- WiFi-As-WAN is Vulnerable - Mobile routers using WiFi-as-WAN to connect to an upstream secure Wi-Fi network are vulnerable to being snooped with KRACK - and this includes popular WiFiRanger and Pepwave models commonly used to connect to a campground Wi-Fi network.
- Mobile Hotspots & Routers Are Mostly Safe - Mobile hotspots and routers that are not using WiFi-as-WAN for an upstream connection may potentially be updated to detect and defend against KRAK, but if the client devices connecting to the hotspot are updated then the router does not need to be. The important updates needed are in the client devices.
Security Updates are Important!
One of the best things about Apple's iOS ecosystem is that security and OS updates are pushed out very quickly, even to old devices. Within days we expect almost every iOS device will have an update to be secure from KRACK snooping.
Android devices are a different story, and many never receive security updates. Even with newer Android devices, sometimes updates are delayed for months.
Current versions of Windows and MacOS are also likely to have updates soon too - but anyone holding on to older operating system releases may remain at risk.
When it comes to security - it pays to keep all your tech up to date!
Here is the latest word on KRACK software updates:
- Pepwave - Pepwave is hoping to have a firmware update within two weeks, and advises anyone concerned disable WiFi-as-WAN functionality until then. UPDATE: Pepwave released new firmware on October 27th.
- WiFiRanger - WiFiRanger tells us they are hoping to have a fix in beta testing within a week, saying "a patch will be issued, more than likely this will require a firmware upgrade. Working on this as fast as I can." WiFiRanger is hoping to be able to be able to deploy the fix to support devices all the way back to the old WiFiRanger Home / Pro models, but they can't make any guarantees until the work is completed and tested. UPDATE: The WiFiRanger KRACK fix was released to the public on November 8th.
- Microsoft - Microsoft has announced that a fix for KRACK was included in last Tuesday's security update - and Windows 10, 8, and 7 machines that install the update are protected. Windows XP and Vista operating systems are no longer receiving security updates, and machines running these obsolete operating systems can not be used on the internet safely.
- Apple - Apple has confirmed that the versions of iOS, macOS, tvOS, and watchOS already in use by beta testers incorporate a KRACK fix. These beta release will be pushed to the general public within the next few weeks.
- Google / Android - Google has stated that the November 6th Android security update will contain a KRACK fix, and this will be immediately available for Pixel and Nexus devices. Other Android devices will lag behind - and many may never be updated, unfortunately. UPDATE: Indeed, the November 6th update to Android OS "Oreo" included the KRACK fix. It will be a long while for this update to percolate to most Android devices, and many will likely never be updated.
Be on the lookout for security updates addressing KRACK, particularly if you have a vulnerable Android device.
This website is tracking the status of various fixes - so check in there for other platforms you use.
- Key Reinstallation Attacks (Technical Paper) - The website where the details of the attack have been posted, including both deep technical analysis as well as a plain language FAQ.
- Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping - ArsTechnica article with details.