Yesterday, we learned about KRACK (or Key Reinstallation Attack) – a security flaw in the WPA2 protocol, which could see an adversary break the encryption between a router and a device, allowing them to intercept and interfere with network traffic. Or, more succinctly, shit’s fucked.
But understanding the issue beyond glib remarks like “shit’s fucked” is tricky. This, obviously, is profoundly complicated stuff. To help clear things, I spoke to David Gorodyansky, CEO of AnchorFree and HotspotShield, and asked him to explain KRACK like I was five.
Step one, Gorodyansky explained, was a hacker finds a network they want to breach that uses WPA2-PSK, and waits for an individual to connect. This could be at a coffee shop, or an office. PA2-PSK is an encrypted connection that requires individuals to connect with a password (that’s what the PSK stands for, pre-shared key).
When an individual connects to a Wi-Fi hotspot, long before they visit any websites, their laptop or phone will do something called a four-way handshake. This is a process that checks that the password the user has provided is correct, and establishes the encrypted connection between the router and the device.
Here, Gorodyansky said, the hacker “interferes with the initial handshake between your device and the WiFi router in a way that allows the attacker to gain an ability to decrypt the traffic you exchange over WiFi. This means they’re able to do many, many bad things without even being on the network.”
“The attacker doesn’t even need to connect to the network – only to listen to the data you exchange with an access point and emit their own packets back to change things on your system and the router.”
So, what kind of bad things? Well, obviously they’ll be able to intercept traffic. According to Gorodyansky, depending on the router configuration, they’ll be able to modify and forge fake data, interfering with the content of non-secure websites.
According to the researcher that discovered Krack, Mathy Vanhoef, it means that an attacker would theoretically be able to inject ransomware or other malware into otherwise benign websites. This would make it easier to infect those users who tend not to download sketchy attachments, or visit the darker ends of the Internet.
Gorodyansky explained that the adversary would also have access to any attached storage. So, if you’ve attached a USB flash drive or external hard drive to your router, they’d be able to read that.
KRACK also works against WPA-Enterprise, which is typically used in large business environments, rather than personal and small-business networks. “If a company’s network-attached storage (such as company servers) are accessible without a password, or data is accessible between computers on a network, untold amounts of records could be stolen,” he said.
So now, let’s put all this into a sense of proportion. What makes KRACK so scary is that it isn’t an issue with a piece of software, but rather a widely-used protocol. As Vanhoef pointed out, “if your device supports Wi-Fi, it is most likely affected.”
The good news is that it’s easily remedied with a backwards-compatible patch. Vanhoef disclosed the issue to various vendors and software manufacturers months before he told the public about it. This means they’ve had a head-start to issue fixes, which most have done, or will do in the coming weeks. Apple’s fix, for example, is already present in the latest developer beta of iOS 11.
Patches for Kracked:
🆘 IOT deviceshttps://t.co/1IOD5THtum
— ⚡️ Owen Williams (@ow) October 17, 2017
(Incidentally, TNW alumni Owen Williams is curating a running list of manufacturers that have already issued patches. It’s amazingly thorough and clear, and worth checking out.)
So, shit’s not as fucked as we first thought. Good. That said, there’ll be some problems in patching everyone. For starters, people aren’t all that good at installing patches. I’ve met people in my time that were proud of the fact that they didn’t install updates, arguing that they slowed down their computers.
Worse, some manufacturers are positively woeful at issuing them. That’s especially true of the fragmented Android world, where the majority of devices don’t even run the latest version of the operating system.
It’ll be interesting to see how patches are issued to Wi-Fi enabled Internet of Things devices and embedded systems. Especially when you consider many of these devices are either discontinued, or come from manufacturers that have since ceased trading. I predict that a significant chunk of these gadgets won’t see any sort of remediation whatsoever.
Help how do I convince my discontinued “Smart tv” maker to patch their shit
— Internet of Shit (@internetofshit) October 16, 2017
Unsurprisingly, as the CEO of not one, but two VPN companies, Gorodyansky is eager to point out that a VPN would prevent an adversary from intercepting any communications via this method. A VPN is essentially an encrypted tunnel between computers – in this case, a laptop or phone, and a server.
“Using a VPN in this situation, to use a very, very simple metaphor, is as if someone has stuck their head through your window as you discuss sensitive matters – but you’re speaking a language they don’t (and can’t) understand,” he said.
It’s worth mentioning (as highlighted by the excellent Swift on Security twitter account) that if you use a VPN, you won’t be able to access the other connected devices on your network, like Chromecasts and smart speakers, making it impractical for many people.
“Use this VPN to secure your WiFi”
“Hey wait now my chromecast doesn’t work.”
— NightmareOnTayStreet (@SwiftOnSecurity) October 16, 2017
If the WPA2 issue is as predicted, a VPN will literally do nothing to help a home network with IoT devices and stuff. It’s orthogonal.
— NightmareOnTayStreet (@SwiftOnSecurity) October 16, 2017
The burden isn’t – or, at least, shouldn’t – be on end-users. Websites can play their part by using SSL/TLS. This is encryption that’s secondary to that offered by a wireless network, and means that even if a device was vulnerable to KRACK, an adversary wouldn’t be able to intercept or modify traffic.
Mercifully, most sites that deal in sensitive information – like online banking and e-commerce providers – use SSL, which dampens the impact of KRACK quite a bit. And moreover, it’s easier than ever to get an SSL certificate, with several free providers.
The most famous, obviously, is Let’s Encrypt, which secures communications for 56 million websites. The New Jersey-based security giant Comodo also offers free SSL certificates.
Josh Aas, head of Let’s Encrypt, said: “The recently disclosed issues with wireless security further emphasize the need for end to end encryption between websites and their visitors. It’s critical that websites move to HTTPS and not depend solely on intermediate security measures, like wireless encryption, for protection.”
We started this post with a popular Reddit trope (ELI5). Let’s end it with another. TL;DR – shit’s a little bit fucked; please install your patches.