What’s KRACK, and Why Should It Bother You?

You may have recently noticed a new headline on the IT Newsreel you see when logging into a UMass service. The headline reads “Campus Wireless Infrastructure Patched Against New Cybersecurity Threat (Krack Attack)”. It’s good to know that UMass security actively protects us from threats like Krack, but what is it?

The KRACK exploit is a key reinstallation attack against the WPA2 protocol. That’s a lot of jargon in one sentence, so let’s break it down a little. WPA2 stands for Wi-Fi Protected Access Version 2. It is a security protocol that is used by all sorts of wireless devices in order to securely connect to a Wi-Fi network. There are other Wi-Fi security protocols, such as WPA and WEP, but WPA2 is the most common.

WPA2 is used to secure wireless connections between the client, such as your smartphone or laptop, and the router/access point that transmits the network. If you have a Wi-Fi network at home, then you have a router somewhere that transmits the signal. It’s a small box that connects to a modem – another small black box – which might connect to a large terminal somewhere in your house called the ONT, and which eventually leads to the telephone poles and wiring outside in your neighborhood. Secure connections have to be implemented at every level of your connection, which can range from the physical cables that are maintained by your internet service provider, all the way to the web browser running on your computer.

To create a secure connection between the router and the client, the two devices have to encrypt the data they send to each other. To do that, they exchange keys when they connect. They then use those keys to encrypt every message they send, so that in transit the messages look like gibberish that only the two devices know how to decipher, and they keep using the same keys for the duration of their communications.

WPA2 is just a protocol, meaning that it is a set of rules and guidelines that a system must follow in order to support it. WPA2 must be implemented in the software of a wireless device in order to be used. Most modern wireless devices support the WPA2 protocol. If you have a device that can connect to eduroam, the wireless network on the UMass Amherst campus, then that device supports WPA2.

This KRACK exploit is a vulnerability in the WPA2 protocol that was discovered by two Belgian researchers. They were able to make WPA2-supporting devices reinstall a key that was already in use, which caused those devices to send the same encrypted information over and over again, and then crack the key by deciphering content whose plaintext was already known. They were also able to get WPA2-supporting Android and Linux devices to reset their WPA2 keys to all zeroes, which made it even easier to crack encrypted content.
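To see why reinstalling a key that is already in use is dangerous, here is an added toy model, written for this post and not taken from the researchers’ code or from any Wi-Fi stack. It assumes a simplified counter-mode cipher (SHA-256 standing in for AES-CCM, with the packet number as the nonce) and shows that an unpatched client which resets its packet number on reinstall reuses keystream, so an observer who knows the content of one frame can read another; the patched client, which refuses the reinstall, leaks nothing this way.

```python
import hashlib

def keystream(key, nonce, length):
    # Toy counter-mode keystream standing in for AES-CCM: depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    # Models a station's pairwise-key state. An unpatched client that receives a
    # retransmitted handshake message re-installs the same key and resets the
    # packet number (the nonce) to zero; a patched client ignores the reinstall.
    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.key = None
        self.packet_number = 0

    def install_key(self, key):
        if self.key == key and not self.vulnerable:
            return  # patched: key already in use, keep the nonce counter running
        self.key = key
        self.packet_number = 0

    def encrypt(self, plaintext):
        nonce = self.packet_number
        self.packet_number += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

def simulate(vulnerable, known, secret):
    # Handshake installs the key; the client sends a frame with known content; a
    # retransmitted handshake message triggers install_key again; the client sends
    # a secret frame of the same length. Returns what a passive observer of the two
    # ciphertexts can recover of `secret` without ever learning the key.
    ptk = hashlib.sha256(b"constructed pairwise key").digest()  # constructed sample key
    client = Client(vulnerable)
    client.install_key(ptk)
    n1, c1 = client.encrypt(known)
    client.install_key(ptk)  # the retransmitted handshake message arrives again
    n2, c2 = client.encrypt(secret)
    if n1 != n2:
        return b""  # fresh nonce: keystreams differ, nothing recoverable this way
    # Same key and nonce means the same keystream, so c1 XOR c2 == known XOR secret.
    return xor(xor(c1, c2), known)
```

Calling `simulate(True, b"GET / HTTP/1.1", b"Cookie: secret")` returns the secret frame in full, while `simulate(False, ...)` returns nothing; the only difference is the two-line check in `install_key`, which is essentially what the patches add.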

The real concern is that this is a vulnerability in the WPA2 protocol itself, not just any one implementation of it. Any software’s implementation of WPA2 that is correct is vulnerable to this exploit (newsflash – most are). That means essentially all wireless-enabled devices need to be updated to patch this vulnerability. This can be especially cumbersome because many internet-of-things devices (think of security webcams, web-connected smart home tools like garage doors) are rarely ever updated, if at all. Their software is assumed to just work without needing regular maintenance. All of those devices are vulnerable to attack. This WIRED article addresses the long-term impact that the KRACK exploit may have on the world.

The good news is that patches for many software implementations are already available for your most critical devices. UMass Amherst has already updated all of our wireless access points with a patch to protect against the KRACK exploit. Also, with the exception of Android and Linux devices, which are vulnerable to key resets, it is not very easy to exploit this vulnerability on most networks. An attacker would generally need to know what they are looking for in order to crack the encryption key, but they may be able to narrow down the possibilities with social cues, such as seeing you at Starbucks shopping for shoes on Amazon.

The general takeaway is that you should update all of your wireless devices as soon as possible. If you are interested in learning more about KRACK, how it works on a technical level, and seeing a demonstration of an attack, check out the researchers’ website.