A new Wi-Fi vulnerability leaves information open for theft


Joshua Baldwin

On Oct. 16, two Belgian researchers revealed a severe flaw in standard Wi-Fi security protocols. The exploit is known as the Key Reinstallation Attack, or KRACK for short.

When exploited, an attacker can intercept and manipulate data that was previously thought to be secure, such as passwords, social security numbers and credit card numbers.

The previous standard in Wi-Fi security was Wired Equivalent Privacy, known as WEP, but it was proven to be insecure and was eventually replaced with Wi-Fi Protected Access II.

WPA2 has been the standard for the last 15 years, and is used by the vast majority of Wi-Fi-enabled devices around the world. This is because it was mathematically proven to be secure.

However, that is no longer the case.

The flaw lies in how WPA2 handles connections between a computer and an access point, such as a home router.

WPA2 uses four-way authentication to establish a secure connection between the computer and access point. Four messages are sent back-and-forth between the machines, which include data on how further data should be encrypted.

On the third message, the computer installs a unique key that lets it encrypt its data so it can’t be read by outsiders like hackers.

However, this third message can be re-sent if the fourth and final message from the computer to the access point is blocked, which makes the computer reinstall the same key multiple times.

KRACK works by blocking this fourth message and forcing the computer to connect through a malicious copy of the network. Since the same key is being reused, it is a trivial matter for the hacker to decrypt the data.

According to Mathy Vanhoef, the researcher who initially discovered the exploit: “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Any Wi-Fi-enabled device that utilizes WPA2 is at risk of being compromised, and because WPA2 is the standard, that means almost every Wi-Fi-enabled device is at risk.

This includes laptops, smartphones, tablets, smart home devices like the Amazon Echo and desktops connected to the internet through Wi-Fi.

Fortunately, one drawback to the attack is that many websites use Hypertext Transfer Protocol Secure, or HTTPS, which is a secure protocol separate from WPA2 that allows sites to protect data sent to and from a computer. HTTPS is indicated by a lock symbol at the beginning of address bars in web browsers.

However, if HTTPS is not properly configured on a website, it can easily be bypassed by a hacker.

Big sites that implement HTTPS, like Facebook and Google, are not likely to be affected by this, but Vanhoef demonstrated that smaller ones, like the popular dating site Match, are highly susceptible.

Another major drawback to the attack is that any hacker wanting to exploit this WPA2 vulnerability needs to be within physical range of the network the target computer is connected to.

This means that there is very little concern for home networks becoming compromised, but a lot of concern for bigger, more public networks like those in businesses and college campuses.

Companies and manufacturers are already rolling out patches for the issue. These patches are backwards-compatible, which means a new Wi-Fi standard will not have to be created.

The patches are rolled out in the form of device or operating system updates on the user end. Users must install these updates in order to benefit from the patches.

However, patches are not readily available on all devices and some, like many smart home devices, have either incredibly slow or nonexistent update cycles.

Big first-party smart devices like the Google Home and Amazon Echo systems should be receiving updates in the coming weeks, but smaller third-party devices may never receive updates, leaving them susceptible to attack.

The silver lining in the wake of the news about this massive Wi-Fi vulnerability is that the Belgian researchers who discovered the vulnerability did not find any evidence that it had been exploited before.

Certain devices may be heavily affected, but companies and manufacturers are working overtime to patch the vulnerability in order to ensure that hackers are not able to abuse it.

The average person is unlikely to be affected, but only time will tell how much of an impact KRACK will have.

Joshua Baldwin is a freshman computer science major from Greensboro, North Carolina.

Photo by: Kevin Ku, Pexels