Hundreds of millions of wireless devices may be affected by a flaw in WPA-2, a widely used standard for securing wireless Internet connections. (Updated to add commentary by Bob Rudis of Rapid 7.)
Researchers are warning that a flaw in WPA-2, a widely used standard for securing wireless Internet connections, could leave users and businesses open to hacking and snooping by outsiders.
The flaw, discovered by researchers at Katholieke Universiteit Leuven, could allow an attacker who was on the same wireless network as a vulnerable device to launch so-called “key reinstallation attacks” (or “KRACKs”). Such attacks could steal sensitive information sent over encrypted wireless channels like credit card numbers, passwords, chat messages, emails, photographs and more, the researchers warned.
Flaw in widely used standard
WPA-2 stands for “Wi Fi Protected Access.” It is the most common form of security used on wireless networks, from homes and businesses to hotels and conference centers. The KRACKs attacks work by exploiting a flaw in the implementation of a so-called ‘4-way handshake’ for exchanging cryptographic “session” keys. The handshake is part of the 801.11 wireless standard and the flaw is in the standard itself meaning that any “correct” implementation of WPA2 is vulnerable.
An attacker could compromise a vulnerable system by reinstalling an already-in-use key. Depending on the network configuration, attackers could inject and manipulate data, injecting ransomware or malicious software into websites, or hijacking and forging whole streams of data.
According to the researchers, the attack works against all modern protected Wi-Fi networks making its impact enormous. “If your device supports Wi-Fi, it is most likely affected,” the researcher wrote. Research found that wireless devices running Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and other software were all affected by some variant of the attacks.
Their research is scheduled to be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference.
But security researchers caution that the latest flaw is no “Firesheep,” a trivial hack of insecure communications, nor is it a vulnerability that exposes anyone to remote attacks.
“This is a close proximity attack they need to do,” Bob Rudis, the Chief Data Scientist at the firm Rapid7 told The Security Ledger. An attacker would also need to create a phony wireless setup where they would clone a legitimate access point and then get you to associate with the dummy access point the attackers create. “You would need a level of sophistication to even start doing this attack,” Rudis said. “And even then there’s no guarantee of this attack working every time.”
Over time, tools may be developed that lower the bar to the KRACK attacker. “It requires a pretty smart attacker in a good position and determined to do what they’re going to do.” That attacker will also need to have some luck to get the attack to work, Rudis said. “This is not trivial and not easy.”
A mixed bag on patches
Microsoft claims to already have fixed the flaw in supported versions of Windows with an already deployed security update. However, many other devices, including those running Linux or Google’s mobile Android operating system remain vulnerable.
The Department of Homeland Security’s CERT Coordination Center (CERT/CC) on Monday warned about the flaw in WPA2 and urged those affected to apply any available updates to affected products.