Background information

Krack: Your WLAN is insecure. Every WLAN is insecure

Dominik Bärlocher
18.10.2017
Translation: machine translated

Your WLAN is insecure. My WLAN is insecure. And there's little we can do about it. An explanation of the Krack vulnerability.

Let's start with the scaremongering: every Wi-Fi secured with WPA2 is insecure. This means that every Wi-Fi secured with what is commonly known as a "Wi-Fi password" is insecure. In other words: every Wi-Fi out there, including the one in your home, is affected until the devices on it are patched.

Thanks to the Krack attack, an attacker within radio range can intercept the victim's wireless traffic and decrypt data that the WPA2 encryption was supposed to protect.

What is Krack?

Krack stands for Key Reinstallation Attacks. The capitalisation behind the abbreviation is a bit forced, but the threat is real and worrying. It's one of those threats that I think you should at least know is out there, even if, as a private individual, you will probably never be the target of this attack. But if you work in a company, then you have a massive problem and your week is probably not much fun right now.

The main problem with Krack is that it doesn't matter which router you have at home or at work. The weaknesses on which the attacks are based are in the WPA2 protocol itself, specifically in its four-way handshake, not in a specific implementation or a specific device. Whatever software runs on your router or on your phone, it implements the same standard and therefore inherits the same flaw.

Whether Netgear, Fritz or Cisco: your router is at risk. Strictly speaking, the most serious variants hit the client side, i.e. the phones, laptops and smart devices that connect to the router; access points are mainly affected when they support fast roaming (802.11r) or themselves connect to another network as a client.

So you can see why I think you should know this.

How does Krack work?

Krack is essentially a man-in-the-middle attack: the attacker places himself between your device and the Wi-Fi access point it is talking to, and from there between you and the websites you visit.

The difference is that the target here is the WPA2 connection itself, not the website. In simple terms, the attack works like this:

  • The victim connects to a WLAN as usual.
  • The attacker clones that network (same network name and access point MAC address) on a different Wi-Fi channel.
  • Sitting between the victim's device and the real access point, the attacker can block, delay and replay the handshake messages the two exchange.
  • The cloned network still gives the victim Internet access, but the attacker strips SSL/TLS from connections where possible. SSL stripping does not work for every website (sites that enforce HTTPS via HSTS are immune), but for a large proportion.
  • The attacker has Wireshark running to read all traffic between the victim and the cloned network.

The next time the victim's device connects to the WiFi, the cloned network interferes and intercepts the connection: the device ends up talking to the attacker's access point on the attacker's channel, while the attacker relays the frames to the real network.

Now the attacker can carry out the key reinstallation attack itself. The traffic he sees is still encrypted with the session key the victim's device negotiated with the real network, so simply relaying it is no use. This is precisely the bug that Mathy exploits: by holding back the victim's final handshake message, he makes the access point retransmit message 3 of the WPA2 four-way handshake, and when the victim's device receives it a second time it reinstalls the key it is already using and resets the packet counter (the nonce) on which the encryption depends. Reusing a nonce under the same key means the same keystream is used twice, which is enough to decrypt packets. Worse, because of a separate quirk in the wpa_supplicant software used on Android 6.0+ and Linux, those devices do not reinstall the real key but an all-zero encryption key, so the attacker does not need to recover anything: he knows the key outright and can decrypt and forge the victim's traffic at will.

The result: The victim has an Internet connection via the attacker's network. The attacker in question can read much, if not everything, that the victim transmits to the internet.
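To make the mechanism above concrete, here is an added example (not code from the original article or from Mathy Vanhoef's tooling). It is a deliberately simplified model: real WPA2-CCMP encrypts each frame with AES-CTR under a nonce derived from the packet number, whereas this model uses a SHA-256 keystream so the logic stays visible. The client state machine, the replayed message 3, the all-zero-key quirk and the sample frames are all constructed for illustration; what it demonstrates is the consequence the article describes: reinstalling the key resets the packet number, the nonce repeats, and the attacker can recover plaintext.

```python
# Toy model of the KRACK key-reinstallation flaw (added example, not real WPA2).
import hashlib
import os
from typing import Optional, Tuple

# Constructed sample frames, padded to equal length. Assumption: the attacker
# knows the content of the first one (e.g. a predictable protocol message).
KNOWN_FRAME = b"GET /login HTTP/1.1\r\nHost: example.test".ljust(40)
SECRET_FRAME = b"user=alice&password=hunter2-but-longer".ljust(40)


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream: depends only on key and packet number."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Wi-Fi client, reduced to the part of the four-way handshake KRACK abuses."""

    def __init__(self, patched: bool, zeroes_key_after_install: bool = False):
        self.patched = patched
        # Models the wpa_supplicant quirk (Android 6.0+, Linux): the key was wiped
        # from memory after the first install, so a reinstall puts zeros in place.
        self.zeroes_key_after_install = zeroes_key_after_install
        self.tk: Optional[bytes] = None
        self.packet_number = 0
        self.installed = False

    def receive_msg3(self, tk: bytes) -> None:
        """Message 3 tells the client to install the session key TK."""
        if self.installed and self.patched:
            return                      # the fix: ignore a retransmitted message 3
        if self.installed and self.zeroes_key_after_install:
            self.tk = bytes(16)         # all-zero key variant
        else:
            self.tk = tk
        self.packet_number = 0          # the flaw: nonce counter resets on (re)install
        self.installed = True

    def send(self, frame: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame; returns (packet_number, ciphertext)."""
        self.packet_number += 1
        ks = keystream(self.tk, self.packet_number, len(frame))
        return self.packet_number, xor(frame, ks)


def run_attack(patched: bool, zero_key_variant: bool = False):
    """Channel-based MitM: attacker relays frames and replays message 3."""
    tk = os.urandom(16)                 # real session key, unknown to the attacker
    client = Supplicant(patched, zero_key_variant)
    client.receive_msg3(tk)             # handshake completes normally
    pn1, c1 = client.send(KNOWN_FRAME)  # first encrypted frame
    # Attacker withholds message 4 from the AP, so the AP retransmits message 3;
    # the attacker forwards that retransmission to the client.
    client.receive_msg3(tk)
    pn2, c2 = client.send(SECRET_FRAME)
    return (pn1, c1), (pn2, c2)


def attacker_recovers_secret(patched: bool) -> Optional[bytes]:
    """Keystream reuse: c1 XOR c2 == m1 XOR m2, so a known m1 yields m2."""
    (pn1, c1), (pn2, c2) = run_attack(patched)
    if pn1 != pn2:
        return None                     # nonces differ, nothing cancels out
    return xor(xor(c1, c2), KNOWN_FRAME)


def attacker_decrypts_with_zero_key() -> bytes:
    """Android/Linux variant: the installed key is all zeros, decrypt directly."""
    _, (pn2, c2) = run_attack(patched=False, zero_key_variant=True)
    return xor(c2, keystream(bytes(16), pn2, len(c2)))


if __name__ == "__main__":
    print("unpatched client leaks:", attacker_recovers_secret(patched=False))
    print("patched client leaks:  ", attacker_recovers_secret(patched=True))
    print("zero-key variant leaks:", attacker_decrypts_with_zero_key())
```

Two things worth noticing: even without the all-zero-key quirk, the plain nonce reuse already hands the attacker the XOR of two plaintexts, which is fatal as soon as one of them is predictable; and the entire vendor fix amounts to the single `if self.installed and self.patched: return` line, i.e. refusing to reinstall a key that is already in use.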

In the example video, vulnerability finder and cryptographer Mathy Vanhoef shows that these are not just backwoods websites, but also those of large corporations such as the dating platform match.com. In the video, Mathy also explains in technological detail how the attack works.

Update: In case the video doesn't work, try the direct link

Since the attacker controls the network the victim is on, he can record the traffic. And because he can also strip SSL/TLS with a separate tool in the same session, he can read much of that data in plain text, including login data or private messages.

Oh my God, we're all going to die... aren't we?

However, it is wrong to panic. Zurich-based IT expert Stefan Friedli comments on this on Twitter.

Don't get me wrong. Krack is a problem and we need to patch pretty much everything. But it's not a break-it-all vulnerability. - Stefan Friedli

Krack is definitely a problem that needs to be patched, but not one that really destroys everything.

This may be because the attack vector for Krack is quite narrow: the attacker has to be within radio range of the victim, and in the demo Mathy Vanhoef attacks a single device whose MAC address he knows. But it is also because manufacturers are already working on patches, if they have not already published them.

  • Microsoft: Fixed
  • Apple: Working on it
  • Google: Working on it
  • Cisco: Fixes partially rolled out
  • Linux Debian: Fixed
  • Linux Ubuntu: Fixed
  • Netgear: Fixed
  • Raspberry Pi (Raspbian Jessie): Fixed
  • Raspberry Pi (Raspbian Stretch): Fixed
  • Synology: Fixed

So: keep your software up to date, above all on the phones, laptops and other devices that connect to the Wi-Fi, and you should be protected from Krack. Because the main attack targets the client, a patched client is protected even if the router it connects to never receives an update.

The problem for the industry

With large networks such as those in a company, however, the clean-up and patching work will take longer. In the age of the Internet of Things, the universe of all the smart things in a household, a large number of fixes are needed. Given the current update policy of some manufacturers, there are likely to be devices that handle confidential data and will never receive a patch.

Furthermore, the problem is quite complex. Take Netgear as an example. The network infrastructure manufacturer produces over 1200 devices, all of which have to be tested for the attack vector. If a device turns out to be vulnerable, the manufacturer not only has to make fixes on its own side (and these are commendably already available for many devices), but also depends on the manufacturers of its Wi-Fi chipsets to supply patches for their firmware and drivers.

This may take a while.

Until then: Stay safe.

Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.
