What is this KRACK vulnerability?
The vast majority of wifi connections, if not all of them, use the WPA2 protocol.
The WPA2 protocol is considered the most secure protocol for wifi connections.
But now Belgian researchers have found that hackers have a huge potential to expose internet traffic using an exploit in the protocol.
In other words, security researchers have broken the security protocol that the vast majority of wifi connections use.
This exploit could potentially expose Wifi traffic to malicious attacks and eavesdroppers.
Researchers who have discovered the weakness will present their findings at an upcoming talk on November 1.
A security expert working at the Belgian University KU Leuven, Mathy Vanhoef, recently discovered a potent weakness in WPA2, a wireless security protocol.
He then went ahead and published the details of his findings on a website krackattacks.com.
Vanhoef reported that hackers could use such novel cyber attack techniques to read information that everybody presumed as safely encrypted before.
Hackers could also abuse this technique to steal sensitive information relating to,
- Credit card numbers
- Chat messages
Vanhoef had more bad news for everyone as well.
He emphasized that the newly-discovered attack worked against all types of modern (supposedly protected) Wifi networks.
And if hackers found the right network configuration, they could also manipulate and inject data.
Vanhoef's report said that attackers might use the exploit to create opportunities to inject malware and ransomware into any given website.
Researchers also found out that this particular vulnerability affects several types of devices and operating systems.
The report pointed out that systems running on,
- And others
had specific characteristics that made them particularly vulnerable to KRACK.
Vanhoef's report said that if a user’s device supported wifi, then it had a high chance of having the vulnerability.
Vanhoef also wrote that generally speaking, any information or data that a victimized device could transmit could be decrypted.
Moreover, he said, the exploit also depended on the device that the client used and the setup of the network.
Vanhoef reported that hackers could decrypt data that made its way towards the victim’s machine using the hack.
As pointed out earlier as well, Vanhoef preferred to name his newly-discovered weakness.
And he named it KRACK, a codename and short for Key Reinstallation Attack.
The National Cyber Security Centre in Britain said in an official statement that the centre had examined the vulnerability.
It further said that the published research pointed to a potential global wifi system weakness.
Furthermore, an attacker would have to make sure he/she is physically close to the vulnerable target.
Moreover, the National Cyber Security Centre said that the potential weakness would actually not compromise secure website connections.
These websites included websites related to online shopping and banking services.
The Centre also said they were examining the research a bit more and would provide any necessary guidance if required.
Moreover, the Centre also pointed out that it considered Internet security as a key NCSC priority.
Hence, the NCSC would continue to update its advice on wifi safety-related issues along with browser security and device management.
The United States CERT (Computer Emergency Readiness Team) also came forward by issuing its own warning this past Sunday.
The warning came as a direct response to the newly-found vulnerability.
The US-CERT said that exploiting the newly-discovered vulnerabilities could have an impact in several areas.
Some of those areas included,
- TCP connection hijacking
- Packet Replay
- HTTP content injection
- And much more
The US-CERT alert also detailed several types of potential cyber attacks.
The United States Computer Emergency Readiness Team further added that the vulnerability existed in the protocol itself and not in any given software or device.
That meant that all correct and proper implementations of the protocol standard would have this vulnerability.
And hence all such devices could be affected.
Why Is This Development Important?
The KRACK development is very important because it has potentially compromised the most secure protocol in the industry today.
Almost all wifi connections use the WPA2 security protocol to encrypt traffic and make communications safe.
It is also true that researchers and hackers have broken older security standards before.
But the KRACK exploit is different because, in the past, people and organizations could move to successor standards.
Currently, the industry doesn’t have a successor to WPA2.
Moreover, WPA2 is widely used across all wifi connections.
That makes such a vulnerability potentially very harmful.
Another Crucial Point Regarding The KRACK Vulnerability
Researchers have revealed that the KRACK vulnerability is not likely to affect information or data that goes over a network with additional layers of security in addition to WPA2 standard encryption.
In other words, clients that use more than one security protocol don’t have to worry about the security of their information on their network.
What Does That Mean For The End User?
For the end user, it means that secure websites are still safe when it comes to connections.
Other types of connections such as SSH communications along with virtual private networks are also safe.
But that doesn’t hold true for websites with insecure connections.
These are websites that do not show the user a green padlock symbol in the browser’s address or URL bar.
The green padlock icon simply shows (for each website) if the website in question supports HTTPS.
If a website does not support HTTPS then that means the connections to the site are public.
In other words, other users on the network can view those connections.
And until this new vulnerability is fixed, users should stay away from such websites.
What About Home Internet Connections?
Continuing from previous points, developers will find it difficult to fully secure home internet connections for a considerable amount of time to come, because home internet users don’t update their wireless routers.
Whether that is because of the users themselves or because router manufacturers don’t roll out regular updates is another issue.
But the point is, these wireless routers would continue to communicate using WPA2 protocol, which as we have said before, is now not secure enough.
With that said, Vanhoef also informed the public that if a user installed the fix on a computer or a smartphone then the updated device would still have the capability to communicate with the insecure wireless router.
What does that mean?
That means users who have unpatched wireless routers should pay attention.
And should patch up as many of their devices as they can.
This is a must on their part if they want to ensure the safety and security of their network.
The Chief Technical Officer of Iron (a subscription service), Alex Hudson, recently said that the best advice he could give right now would be for users to remain calm.
Hudson wrote in an official statement that any Wifi router or network still offered a decent amount of physical security.
And because of that, an attacker would have to ensure proximity to the vulnerable target in order to launch an attack.
He also wrote that online users should understand that they weren’t suddenly vulnerable to everyone else on the internet.
Hudson further said that current wifi routers offered weak protection.
But users should understand that it was still protection especially when they were trying to review their threat levels.
Moreover, he wrote that it was very likely that users didn’t have many protocols that relied on WPA2 security.
In other words, every time a user accessed an HTTPS site, his/her web browser basically negotiated a separate and an additional layer of encryption.
Hence, users can access secure websites over their wifi connection safely.
Moreover, he said, he hoped (but without any guarantee) that users didn’t send too much information over their network that required encryption via the WPA2 protocol.
How Much Time Do We Have Before Hackers Start To Use The KRACK Exploit?
We should expect some delay before hackers can actually use the newly-found vulnerability.
Hackers are people too.
Hence they need time to plan out their attack using the new vulnerability.
That means, networks in the wild still have some time.
Candid Wuest, a Symantec researcher, said that any attack that relied on the KRACK exploit would be extremely complex.
And that would ensure that hackers would find it difficult to carry out such an attack in practice.
But he warned that the industry had seen similar attacks before.
Hackers can always automate such attacks so that they don’t have to do the bulk of the work.
Wuest also added that people at home along with small businesses needed to show some concern.
But they should not get worried.
Wuest advised that most users can protect themselves by simply applying the relevant updates to all their software.
And they should do so as soon as the new patches become available.
Lessons From The KRACK Vulnerability
Wuest said that we could all learn a very important lesson from the newly-found weakness.
And that lesson went something like this:
We should not rely on any one type or standard of security feature.
Because it is risky.
No one should put his/her trust for all his/her security on a single point of failure.
Hence users should not just rely on their wifi.
They should make use of other technologies to protect themselves.
Technologies such as VPN services.
Or other secure connections.
Users who transfer important data on a regular basis should pay heed to the above-given advice.
Does KRACK Vulnerability Attack Each Device The Same Way?
It does not.
The KRACK vulnerability impacts different operating systems and devices to differing degrees.
A lot of what KRACK can do depends on how the device or the operating system implements the WPA2 security protocol.
But it is true that the most vulnerable devices and operating systems are those that are running Android and Linux.
Why is that?
It is because of another bug.
This bug causes the encryption key on these operating systems to be rewritten to all zeroes.
Meanwhile, other operating systems such as Windows and iOS are the ones that researchers consider the most secure.
Why is that?
Because these two operating systems don’t implement the WPA2 security protocol as comprehensively as Android and Linux.
Readers should bear in mind that researchers did not find any device or software to have immunity to KRACK vulnerability.
In other words, there is not a single piece of software that has full immunity to the vulnerability.
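To make the difference between these cases concrete, here is an added example (it is not code from Vanhoef's research or from any vendor). It relies on the fact that reinstalling a key restarts the packet number used to encrypt each frame, and it assumes a simplified client: the Client class, its `patched` and `zeroes_key` flags, the HMAC-based keystream standing in for WPA2's real cipher, and the sample key and frames are all constructed for illustration.

```python
import hashlib
import hmac

def keystream(key, pn, length):
    # Toy stand-in for WPA2's cipher: output depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    # Simplified client; `patched` and `zeroes_key` are hypothetical flags.
    def __init__(self, patched=False, zeroes_key=False):
        self.patched, self.zeroes_key = patched, zeroes_key
        self.key, self.pn, self.installed = None, 0, False

    def install_key(self, key):
        # Runs whenever the key-install handshake message arrives, replays included.
        if self.installed:
            if self.patched:
                return                      # fix: never reinstall a key in use
            if self.zeroes_key:
                key = bytes(len(key))       # models the key being rewritten to zeroes
        self.key, self.pn, self.installed = key, 0, True  # packet number restarts

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
KNOWN = b"GET /index.html HTTP/1.1"                        # constructed, guessable frame
SECRET = b"card=4111111111111111 ok"                       # constructed sample data

def replay_scenario(**flags):
    # Send a frame, replay the key-install message, then send a second frame.
    c = Client(**flags)
    c.install_key(KEY)
    pn1, ct1 = c.send(KNOWN)
    c.install_key(KEY)
    pn2, ct2 = c.send(SECRET)
    via_reuse = xor(xor(ct1, ct2), KNOWN)   # works only if both frames share a keystream
    via_zero_key = xor(ct2, keystream(bytes(16), pn2, len(ct2)))  # needs no known plaintext
    return pn1 == pn2, via_reuse == SECRET, via_zero_key == SECRET
```

The function returns three flags: whether the packet number repeated, whether the second frame is readable from a guessed first frame, and whether it is readable with an all-zero key alone. A patched client returns False for all three.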
Do Technology Companies Know About KRACK Vulnerability?
The international CERT group informed various technology companies of the KRACK vulnerability way back in August.
Hence, technology companies had more than a full month to come up with and implement a proper fix.
Our good friends over at The Guardian put forward the same question to technology companies such as Linksys, Microsoft, and Google.
When The Guardian asked them about the status of their KRACK vulnerability patches each had an interesting reply.
Google responded that the company had full awareness of the issue and would roll out patches for any affected device in the coming days.
Microsoft said that the company had released a security update in order to address the KRACK vulnerability issue.
Microsoft also said that customers who apply the update will be protected against the KRACK vulnerability.
Moreover, users who have turned on their automatic updates feature would also get the patch against KRACK vulnerability.
The Guardian did not receive any responses from the rest of the technology companies.
But we do hope that they too are busy in coming up with a fix for this KRACK vulnerability.
Users should keep in mind that nothing has happened in the past couple of weeks that has suddenly made them vulnerable on the internet.
But they should apply updates to their software and operating systems as soon as related companies roll them out.
In the meantime, they should try to sign up for a VPN service in order to add an additional layer of security for their data.
But here is a little problem:
Not all VPN service providers are legit.
Only some are.