Interaction Fraud

What’s a KRACK Attack and How To Prevent It

The latest on the devastating threat to the WPA2 protocol.

The feeling of safety that we enjoyed with the WPA2 protocol is gone with the wind. The recent critical exploit to Wi-Fi was announced this week. KRACKs are the latest threat to our cybersecurity that affect our connection to Wi-Fi. Key Reinstalling Attack (KRACK) takes advantage of a foundational gap in the WPA2 protocol to eavesdrop on your Wi-Fi traffic as a middleman. WPA2’s job is to make sure the information we send through the internet is encrypted, so a hacker would need to know the Wi-Fi password to begin an attack. KRACK skips all that password-guessing game and dives directly into the WPA2 protocol. When you connect to a Wi-Fi network, the hacker forces the nonce (number used once) to reset – which should never be reset in the first place. This is when they reinstall the encryption key, et voilà, all the information you send through Wi-Fi is now intercepted and decrypted by the attacker, and you won’t even notice.

This vulnerability was discovered earlier this year by Mathy Vanhoef of imec-DistriNet, in Leuven, who showed in his proof-of-concept that a couple of minutes are enough to spy on all the online traffic from a Wi-Fi user. Vanhoef will present his paper at the Computer and Communications Security conference on November 1st, 2017. Because the problem is in the Wi-Fi protocol itself, your device can’t do much about it, the fact that Linux and Android 6.0 or higher are especially simple to hack may make Apple users feel slightly better. This is because Linux and Android have a vulnerability that allows installing an all-clear encryption key when you connect to a wireless network, so decrypting your data becomes trivial for the attacker.

The truth is we are going to have to be especially careful about what networks we connect to and how. A statistic from Morgan Stanley Research shows we now access information through a mobile device more often than through a desktop computer. Luckily, this attack doesn’t affect Ethernet or 4G, so splurging on our data plan for the time being may be a good way to stay protected when you are on the go.

The Wi-Fi Alliance is working on fixing the WPA2 protocol but this could take years. Device and router providers are the ones left with the burden of coming up with patches to block this hack. While there have been no reported attacks yet – Vanhoef’s paper was the first one to reveal the threat – experts say it’s just a matter of time until they come; like a giant wave about to break. There are some limitations to this attack, the biggest one being that the attacker must be within your Wi-Fi range. This makes large-scale attacks harder – and also gives you the hope that perhaps, if you look around, you will see your attacker.

For the time being, here are some things you can do to prevent a KRACK attack:

  • Use VPN where possible
  • Avoid using public Wi-Fi – despite how tempting it is
  • If possible, use a hardwired connection to connect a network
  • Look for the padlock next to HTTPS on the top left; if it’s not there don’t type sensitive information
  • Check for device and router updates as manufacturers work on new patches

The value of the information stolen is what lays at the core of this attack. Fraudsters don’t care about the pictures they intercept or the latest YouTube video you sent to your cousin. They want the information and data that will allow them to use your accounts fraudulently (passwords, usernames, answers to security questions…). The real question is: why are passwords and usernames still enough to identify who you are? If we de-valuate this static information and establish dynamic identification layers such as behavioral biometrics, attackers won’t have anything useful to steal.

 

Related to this post: Who needs behavioral biometrics the most?

 

Want to learn more about biometric authentication? Download our co-sponsored Aite Group report, Biometrics: The Time Has Come.

Want to read more posts like this? See our full blog here.