Key Reinstallation Attack (KRACK)

In mid-October 2017, Mathy Vanhoef set up a website to demonstrate an attack he discovered and named KRACK Attack that rocked the WiFi world.  For a security researcher, this was the mother lode.  He discovered a flaw in the WPA2 protocol that broke every WiFi device on the planet.  Fortunately for all of us, Vanhoef disclosed it properly by giving all the vendors plenty of time to develop patches before going public.  Here is a blog post I put together in 2014 about proper vulnerability disclosure.  So far, this episode is playing out the way it should.

Here are a few questions and answers.

Q: Here we go again with this KRACK attack.  Is this a big deal?

A: Yeah, it is.  A security researcher named Mathy Vanhoef found a problem with the way wireless devices connect to WPA2 protected WiFi services.  WPA2 is the state of the art for WiFi security.  This attack blows through that security like a bullet through paper.  When your device connects to a WiFi network, it and the access point go through a handshake.  Vanhoef found a vulnerability in that handshake that allows a man-in-the-middle attack.  From there, an attacker can steal encryption keys and pretty much own the victim.  I’ll put a pointer to the details he uncovered on my website.
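To make the "key reinstallation" in the attack's name concrete, here is a toy model of the client side of the WPA2 handshake. This is an added illustration, not Vanhoef's code and not code from any real WiFi driver or supplicant; the class and function names are made up, SHA-256 stands in for the AES-CTR keystream that WPA2's CCMP really uses, and the key bytes are constructed for the demo. The point it shows: installing the session key (PTK) resets the packet counter that feeds the per-frame nonce, so if a retransmitted handshake message 3 is allowed to re-install the already-installed key, the client encrypts two different frames with the same key and nonce. The hardened client keeps the installed key and counter untouched on a retransmit, which is the general shape of the vendor fixes.

```python
"""Toy model of a WPA2 client installing its session key (PTK).
Added illustration only; names and values are constructed for the demo."""
import hashlib


def keystream_block(ptk: bytes, nonce: int) -> bytes:
    # Stand-in for one keystream block. In real CCMP the nonce is built from
    # the packet number, so a repeated (key, nonce) pair repeats the keystream.
    # SHA-256 is used here purely so the demo runs without a crypto library.
    return hashlib.sha256(ptk + nonce.to_bytes(6, "big")).digest()


class Client:
    def __init__(self, reinstall_allowed: bool):
        self.reinstall_allowed = reinstall_allowed  # True models the vulnerable behaviour
        self.ptk = None
        self.nonce = 0
        self.sent = []  # (nonce, keystream) pairs used for frames put on the air

    def handle_msg3(self, ptk: bytes) -> str:
        """Handshake message 3 tells the client the PTK is good; installing
        the key resets the packet counter (and therefore the nonce) to 0."""
        if self.ptk is not None and not self.reinstall_allowed:
            # Hardened behaviour: key already installed, so a retransmit is
            # answered (message 4 would be resent) without touching key or counter.
            return "ignored-reinstall"
        self.ptk = ptk
        self.nonce = 0
        return "installed"

    def send(self, plaintext: bytes) -> bytes:
        ks = keystream_block(self.ptk, self.nonce)
        self.sent.append((self.nonce, ks))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        self.nonce += 1
        return ciphertext


def nonce_reuse(client: Client) -> list:
    """Detection helper: nonces that encrypted more than one frame under the same key."""
    seen = {}
    dups = []
    for nonce, ks in client.sent:
        if nonce in seen and seen[nonce] == ks:
            dups.append(nonce)
        seen[nonce] = ks
    return dups


def run(reinstall_allowed: bool) -> list:
    ptk = b"constructed-ptk-for-demo"  # constructed sample key
    client = Client(reinstall_allowed)
    client.handle_msg3(ptk)            # first message 3: key installed, counter = 0
    client.send(b"GET /balance")       # frame encrypted with nonce 0
    # The access point did not see the client's reply and retransmits message 3.
    client.handle_msg3(ptk)            # vulnerable client re-installs and resets counter
    client.send(b"POST /transfer")     # vulnerable: nonce 0 again; hardened: nonce 1
    return nonce_reuse(client)


if __name__ == "__main__":
    print("vulnerable client reused nonces:", run(True))    # [0]
    print("hardened client reused nonces:  ", run(False))   # []
```

The `nonce_reuse` check is the kind of invariant a defender can watch for: under one session key, every packet number must be used at most once. A client that never re-installs an in-use key cannot violate it no matter how many times message 3 is replayed at it.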

Q: What’s a man in the middle attack?

A: It’s just like the name implies.  If John and Greg are talking, Dan can insert himself in between and impersonate each of them.

Q: May I see a demo?

A: I happen to have a script.  Let’s have a quick conversation, you and I.  And then we’ll give Dan a black hat and modify our conversation.  Let’s say you’re my banker.

John: Hi Greg, welcome to John’s bank.
Greg: Hi John.  I want to transfer $100 from savings to checking.
John: Done.  And thanks for banking with John.

Now let’s insert evil Dan in the middle.

John: Hi Greg, welcome to John’s bank.
Dan: Hi Greg, welcome to John’s bank.
Greg: Hi John, I want to transfer $100 from savings to checking.
Dan: Hi John, I want to send $100 from savings to my good friend, Dan.
John: Done.  And thanks for banking with John.
Dan: Done.  And thanks for banking with John.

Dan impersonated Greg to John and John to Greg and made some money.

Q: Who is vulnerable?

A: Everyone everywhere who uses WiFi.

Q: I’m not a tech genius, but even I can tell, this sounds bad.  What do we do about it?  Do we shut down the Internet?

A: The good news is, the problem can be patched, and Vanhoef reported it properly to give the vendors plenty of time to put patches together.  My Android phone updated a few days ago – and I’ll bet this patch was the reason.  Your defense is to update all your devices to the latest versions.

Q: What about older devices that don’t have updates?

A: If you’re sitting at the airport using the airport WiFi, and somebody in a trench coat with shifty eyes sits down next to you and opens up his laptop, you might want to consider your cell carrier for Internet access instead of the airport WiFi.  Or if you’re at home and you see a van with darkened windows in your driveway with a bunch of antennas, don’t use your home WiFi.  More seriously, an attacker needs to be near your WiFi source to pick up the raw radio signal and insert himself between you and your WiFi.

Q: What about home WiFi routers and access points?

A: Some of those have patches too.  It’s always a good idea – we call it a best practice – to keep all that stuff updated.  People want to set it and forget it, and that’s so wrong.  When you’re shopping for equipment, find out how well the manufacturer does updates and how you get them.  It’s a big deal when we recall cars to fix a problem.  Software is different – we know software will have problems and consumers should have an easy way to update it.  As a consumer, use your power, demand ongoing updates, and vote with your wallet.

Q: What’s the deal about people who poke holes in the Internet?  Are they evil?

A: Some are.  Some are legitimate researchers.  There’s a huge market for zero-day attacks.  I hear the NSA pays well.  So do foreign governments.  So do some criminal organizations.  Mathy Vanhoef spent months putting together demonstrations and properly and quietly reporting this.  He deserves our gratitude and lots of credit.  The system worked in this case – this is how these should play out.

Q: I buy this equipment to do a job. Why do I have to keep patching it?  Why don’t they get it right when they build it?

A: Some bugs are hard to find.  There’s no way to test all the possible combinations.  Also, patches are a fact of 21st-century first-world life.  Ask the people at Equifax about the consequences of not applying patches.