US CERT has privately circulated an advisory warning key stakeholders about the imminent publication of Key Reinstallation Attacks (KRACK), which exploit a heretofore unknown flaw in the WPA2 wifi security protocol, allowing attackers to break the encryption and eavesdrop upon — and possibly inject packets into — wireless sessions previously believed to be secure.
The bug was discovered by Mathy Vanhoef and Frank Piessens of KU Leuven, who hinted at their findings during a presentation at last summer's Black Hat in Las Vegas; they are presenting their expanded findings this morning at the ACM Conference on Computer and Communications Security in Dallas, and have made further details available at krackattacks.com.
It's normal — though always stressful — for major flaws to be found in widely used protocols, but KRACK is in the worst category of defect. That's because wifi access points are widely deployed to people who do not follow technology news, who don't know how to log into their access points and patch them, and/or who do not have the login and password to do so. These never-to-be-patched access points — which number in the millions, possibly the tens of millions — will never be patched, even after their vendors develop and deploy patches.
(Some of these access-points are designed to automatically update themselves without human intervention, a useful tactic for this situation, but one that leaves them vulnerable to mass-scale attacks from malicious actors who hijack the auto-update mechanism and poison millions of units around the world at once)
The full scope of KRACK hasn't been widely discussed yet. Sharing a network with malicious actors does open you up to a lot of mischief, though, from packet-injection attacks (useful for serving malware to victims) to DHCP attacks that hijack DNS, a great boon to phishers.
Some countermeasures you can take right away: use a VPN, be more vigilant of certificate errors (though, let's be honest, almost every cert error you'll ever see is a false alarm, insert shruggie glyph here), and, if you can, check your wifi access point for waiting software updates and keep your devices' operating systems patched.
According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
Key Reinstallation Attacks:
Breaking WPA2 by forcing nonce reuse [Mathy Vanhoef/imec-DistriNet, KU Leuven]
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
[Dan Goodin/Ars Technica]
(Image: Hannes Grobe, CC-BY-SA)