Early this morning, Mathy Vanhoef (@vanhoefm on Twitter), a Belgium-based researcher, released his findings about a vulnerability in the WPA2 protocol. WPA2 is a widely used encryption standard for consumer and business WiFi networks.
Vanhoef dubbed the vulnerability KRACK, short for “Key Reinstallation Attacks”, and published his findings on a website, https://www.krackattacks.com.
The vulnerability allows an attacker to decrypt a user’s WiFi traffic, thus potentially exposing data assumed to be safe from prying eyes. Users still enjoy a degree of protection if they are using a secure application layer protocol (like HTTPS) while on a compromised WiFi network. However, some of these application layer protocols are also subject to existing attack methods of their own.
Since the vulnerability is in the protocol itself, there is no effective workaround at this time. Vendors will have to release patches for their products, which will take some time.
So, what should individuals and businesses do in the interim? I recommend the following:
- Continue to rely on WPA2; do not switch to WEP.
- Monitor your hardware provider for news of a patch. This includes your mobile device(s), laptop computers, tablets, and WiFi routers. Once they release the patch, install it immediately.
Steve Ragan (@SteveD3 on Twitter) is doing an excellent job of reporting on this. You can read his piece, “KRACK: Researcher discovers flaws in WPA2 authentication”. Steve is keeping the piece updated as he hears about patches being released by vendors and ISPs.
UPDATES
10.16.17 – Removed duplicate wording in the third paragraph, and added language to explain the possibility of application layer protocols being subject to existing attacks.
10.16.17 – Corrected to reflect Mr. Vanhoef being located in Belgium, not Germany.