A major risk in the WiFi security standard has been discovered, and the fallout may continue for years to come.
The WPA2 Wi-Fi standard was released nearly 13 years ago introducing AES and allowing for compliance with FIPS140-2 government security requirements.
WPA2 is the standard that all WiFi enable devices use, which in today’s world includes pretty much every phone, computer, television, security systems and many point of sale systems (POS). For more than a dacade, it has been assumed that a properly implemented wireless network based on the WPA2 standard was as secure as a wired connection. These assumptions are no longer correct.
The Key Reinstallation Attack, or KRACK, was announced early Monday, October 16th, 2017. It turns out there is a flaw in the 4-way handshake used in WPA2’s phase 3 of the connection process between wireless routers and endpoints, such as phones, computers, security devices, etc.
Part of the recovery mechanism for phase 3 allows for the reuse of previously used keys to encrypt the key that the router and endpoint will use to secure traffic. All routers and endpoint at installation initially used "all zeros" to secure its first path; KRACK takes advantage of it allowing for a MiTM (Man-in-The-Middle) attack. Once inserted, data that was once encrypted by WPA2 and therefore unreadable is now seen as plain text. KRACK, combined with other attacks, allows for the reading of pain text username, passwords, credit card numbers as well as the injection of code including ransomware.
Our first reaction: how long has it been used, by whom, and is the script available on the Dark Web? As bad as this sounds, and it sounds bad, there have been no known instances of this attack being used in the real world. Tools and scripts to test for the flaw are just now being developed so there is a very small likelihood that the “Script Kiddy” sitting in the coffee shop is skimming your personal information while sipping a “mocha latte frappe something." But, it will happen soon.
It took nearly 13 years and thousands of code reviews to find a flaw hidden in one small portion of the WPA2 protocol. Now that the flaw, its location, and the nature of the flaw is known; it will only be a matter of time before “bad actors” recreate the exploit or reverse engineer a “White Hat” tool or script designed to test for the vulnerability. Many home systems and small businesses use older wireless routers or access points that have embedded WPA2 code that cannot be upgraded or patched. If history holds true, many will remain in operation until replaced. Consequently, this attack vector will be around for several years to come.
Retailers, issuers and other companies can communicate protective measures to their customers. All devices (phones, computers etc.) should receive the latest security patches, and the wireless router for home security systems should be updated or replaced. Consumers should also be told to make sure their browsers show the “Green Secure Lock” before logging in to a site and putting credit card or other sensitive information into a site’s web form.
