KRACK Attacks: Bypassing WPA2 against Android and Linux
Chances are you are affected by a serious vulnerability in the WPA2 encryption protocol that was publicly disclosed by security researcher Mathy Vanhoef. “Note that if your device supports Wi-Fi, it is most likely affected.”
This means that an attacker who is in range of your WiFi network can intercept some of the traffic between your device and your router. Once in the middle, an attacker who knows what he is doing can simply read your unencrypted traffic. With some devices, attackers can also perform packet injection and do some nasty things.
“The attack works against all modern protected Wi-Fi networks,” according to Vanhoef.
Depending on network configuration, the vulnerability could allow an attacker to inject and manipulate data — such as adding ransomware or malware to a website that you are browsing.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected,” Vanhoef further writes. “To prevent the attack, users must update affected products as soon as security updates become available.”
Companies should release patches as soon as possible to prevent attackers from making use of it. In the future, attackers could make this vulnerability more scalable as an attack vector, in the way that worms have been developed and released that spread from one insecure IoT device to another to build a zombie botnet. Currently, however, this is not the case.
It’s not clear how long it will take for all Wi-Fi devices to be patched and for their users to install the security patch, but it’s inevitable that some wireless devices and some wireless users will remain vulnerable to this attack for some time.
So here’s what to do now that the WPA2 protocol is vulnerable…
Update all the wireless things you own
Your devices can be updated to prevent the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same network as the fix is backward compatible.
So you must update all your routers and Wi-Fi devices (laptops, phones, tablets…) with the latest security patches. You also should turn on auto-updates for future vulnerabilities as this will not be the last one. Modern operating systems are good at auto-updates. Some devices (ahem Android) do not receive many updates and could continue to pose risks.
The key point is that both clients and routers need to be fixed against KRACK so there are lots of potential attack vectors to consider.
Update your router
Your router’s firmware absolutely needs updating. If your router was provided by your ISP, ask them to patch or update it. Make sure your router is up-to-date.
Use wired network (Ethernet)
If your router doesn’t yet have a fix, and you don’t have a patched Wi-Fi access point that could be used for wireless instead, you could Ethernet into your router and turn off its wireless function until it’s patched (assuming WiFi can be disabled on your router). Turn off WiFi on your device as well, so that you are sure all traffic goes through that sweet Ethernet cable.
If you still want to keep WiFi for some devices, consider switching to Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use a ton of internet traffic from this computer, buy an Ethernet cable.
Consider using cellular data on your phone
Your phones and tablets do not have an Ethernet port. If you want to make sure nobody is watching your traffic, disable WiFi on your device and use cellular data instead. This is not ideal if you live somewhere with a spotty network, pay extra for mobile data, or if you don’t trust your telecom provider.
Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack because of a bad implementation of the handshake mechanism in the WiFi stack. So Android users do need to be more careful.
What about Internet-of-Things devices?
If you own a lot of IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same WiFi network — well, that could allow attackers to snoop on raw video footage inside your home.
Take action accordingly — e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.
At the same time, if an attacker can intercept traffic between your smart lightbulbs and your router, it’s probably fine. What are they going to do with this information anyway? So you should determine your own level of risk and act accordingly.
That said, the Internet of Things does have a horrible reputation when it comes to security. So this could be a good moment to audit your connected device collection and consider junking any WiFi device whose makers don’t quickly issue a patch — they could pose some form of long term risk to your network.
Install the HTTPS Everywhere extension
As mentioned above, you can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you’re using Google Chrome, Firefox or Opera, you should consider installing the extension. There’s no need to configure it, so anybody can do it.
If a website offers unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted. But HTTPS Everywhere is better than nothing.
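The rewriting behaviour described above can be modelled in a few lines. This is an added example, not code from the extension or from the original article; the ruleset, host names and URLs are constructed, and the target/exclusion/rule layout is a simplified stand-in for the extension's ruleset format. It shows which requests get upgraded and which would still cross the Wi-Fi link in the clear.

```javascript
// Simplified model of how an HTTPS Everywhere-style ruleset rewrites URLs.
// RULESETS is constructed sample data, not the extension's real rules.
const RULESETS = [
  {
    name: "Example Shop (constructed)",
    targets: ["shop.example", "*.shop.example"],
    // URLs matching an exclusion are left alone, e.g. a host with no HTTPS.
    exclusions: [/^http:\/\/legacy\.shop\.example\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// Match a hostname against a target; a leading "*." covers any subdomain.
function hostMatches(host, target) {
  return target.startsWith("*.")
    ? host.endsWith(target.slice(1))
    : host === target;
}

// Return the URL the browser would actually request, plus the reason.
function rewrite(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol === "https:") return { url, status: "already-https" };
  if (protocol !== "http:") return { url, status: "not-web" };
  const set = RULESETS.find((rs) =>
    rs.targets.some((t) => hostMatches(hostname, t)));
  if (!set) return { url, status: "no-ruleset" };
  if (set.exclusions.some((ex) => ex.test(url))) {
    return { url, status: "excluded" };
  }
  for (const { from, to } of set.rules) {
    if (from.test(url)) return { url: url.replace(from, to), status: "upgraded" };
  }
  return { url, status: "no-rule-matched" };
}

// Defender's view: which requests would still cross the Wi-Fi link in clear?
function stillPlaintext(urls) {
  return urls.filter((u) => rewrite(u).url.startsWith("http://"));
}

const sample = [ // constructed URLs
  "http://www.shop.example/cart?id=1",
  "http://legacy.shop.example/old",
  "http://camera.lan/stream",
  "https://shop.example/",
];
for (const u of sample) console.log(u, "->", rewrite(u));
console.log("still plaintext:", stillPlaintext(sample));
```

Anything reported as still plaintext is traffic the extension cannot protect, which is why patching the Wi-Fi stack itself remains necessary.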
Don’t rely on a VPN as a solution
On paper, using a VPN server sounds smart. But we’ve been there already — be careful with VPN services out there. You can’t trust any of them.
When you use a VPN service, you reroute all your internet traffic to a VPN server in a data center somewhere. An attacker can’t see what you’re doing on your WiFi network, but a VPN company can log all your internet traffic and use it against you.
For instance, The Register discovered last week in a legal document that PureVPN shared key information with authorities to track and arrest a man. And yet, the company’s website claims that PureVPN doesn’t keep any logs. Again, don’t trust any VPN company. Unless you’re willing to build your own VPN server, a VPN service is not the solution.