What is the KRACK attack?
The KRACK attack is a newly disclosed attack on WPA2. WPA2 has been the de facto wireless security standard for over ten years now, and its adoption is nearly universal. If you have a wireless network, it most likely uses WPA2, so you may be vulnerable.
The full 16-page white paper on the KRACK attack can be found here:
How bad is the KRACK attack?
To us in cyber security, the KRACK attack bug is a pretty big deal, and not something that most of us saw coming. The attack itself is novel and very clever. However, there are a few things to keep in mind. First, a potential attacker would have to be physically at your location, within range of your wireless network. This attack cannot be mounted remotely at all. Second, the attack is on wireless clients themselves (not the servers) and appears to mostly affect Android, Linux, and Apple WPA2 client implementations. Keep in mind that numerous vendors run Linux on their devices. CERT information on which vendors are affected can be found here:
The white paper does not indicate that Windows is susceptible to the KRACK attack at all – so good news there.
What should I do about the KRACK attack?
Check the CERT list to see if your devices are affected. If they are, and you can operate without them, consider turning them off until the vendor releases a patch or firmware update. If you have affected devices and cannot operate without them, ensure that all of your transport and application layer encryption is functioning as it should. If you need help with this, contact us.
Is there any good news here?
Actually, yes. The researcher (Mathy Vanhoef) who discovered the KRACK attack bug did all the right things by notifying the vendors and CERT before doing a press release. Mr. Vanhoef is obviously an upstanding guy and an asset to the cyber security community.
What about the bad news?
In his white paper, Mr. Vanhoef himself states “The idea behind our attacks is rather trivial in hindsight”. He is not exaggerating here. In my estimation, it is HIGHLY likely that various state security services were aware of this flaw, possibly for some time, and decided to sit on it instead of informing the public.
As a cyber security professional, I often feel like a See ’n Say, repeating a few pre-recorded messages when you pull my string. Two of them come to mind with the news of the newly disclosed KRACK attack today:
- Your network has been breached, or it is going to be breached. Plan accordingly by having an Incident Response Plan, and a BDR (Backup and Disaster Recovery) solution in place.
- Defense in depth. Never assume that a specific mechanism such as WPA2 or HTTPS is secure. When one breaks, the others will help keep you protected.