- KRACK affects nearly all wifi devices.
- Most devices are still vulnerable, but patches are rolling out.
- The attacker must be physically close.
- "Zero-days" like this will always happen. Therefore we should identify the best web security practices to maintain proactively.
- One of the best things websites can do is use SSL (also known as https://) to try to mitigate damage from attacks.
How the attack works
An attacker within range of a person logged onto a wireless network could use key reinstallation attacks to bypass WPA2 network security and read information that was previously assumed to be securely encrypted — thereby enabling them to steal sensitive data passing over the network, be it passwords, credit card numbers, chat messages, emails, photos, and so on.
It was discovered by Belgian researchers who named it KRACK ("Key Reinstallation Attacks").
It's a proof-of-concept attack (view full paper) that also requires the attacker to be in close physical proximity to the device they want to attack. This is probably the main reason why it hasn't been patched faster.
Who is affected
Nearly all wifi devices.
WPA2 has long been the industry standard for wifi security, which is why the vulnerability is so widespread.
Though it is a difficult attack to pull off, security expert Mathy Vanhoef of Belgian university KU Leuven warns:
"If your device supports wifi, it is most likely affected."
- Microsoft: Per Windows Latest, Microsoft has a patch ready and will be rolling it out in the coming weeks.
- Apple: Apple also has a patch ready, and it will be bundled with the next set of OS updates, which it has not provided a release date for.
- Google: Google says the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
- Android: Per the official KRACK Disclosure site, 41% of Android devices are critically vulnerable because of the implementation of WPA2.
- Linux: "Android and Linux can be tricked into (re)installing an all-zero encryption key" per the disclosure.
- IoT: Smart devices (TVs, routers, anything else that connects to wifi) are probably the most vulnerable because they are rarely updated.
What business owners need to know
Zero-day exploits are a fact of software.
The best general tactic to protect yourself is to apply updates vigilantly.
One month from now, after you've applied the Windows/Mac/Android/Linux updates as soon as they were released, it's more likely that the users of your web applications and sites will be compromised than that you will be.
So how do we protect our users when they're compromised on their end?
The short answer is, we can't protect them all of the time.
But that doesn't mean there aren't steps we can take that protect our users many times.
Encrypting in SSL (https) is the biggest step we can take toward protecting user data on the web.
Not every attack can break every defense, and not every defense can protect against every attack. SSL is no different: it is not a perfect solution.
But it absolutely can keep data safe in many of the most common scenarios that lead to attackers gaining user data. If the data is properly encrypted in https/SSL, then the attackers can't do anything with what they've obtained.
SSL ain't perfect, but nothing is.
If a security expert ever convinces you their defense is perfect, then I've got some subprime beachfront property in Florida I'd like to sell you.
It is our responsibility to be responsible, when we know our users won't be.
Keep updating all your devices and you'll be fine. This attack is more something I'd be worried about if I was a big corporate/state entity than a consumer – but hey anything's possible.
If you feel like revamping your entire home security system, check out DecentSecurity.com for quick actionable tips.
Basically, update your damn routers!