A proof-of-concept (POC) of a key reinstallation attack, or KRACK for short, shows weaknesses in the core WPA2 protocol. The attack affects a wide range of devices with Wi-Fi connectivity, from desktops to servers to mobile devices. Devices running Android, Linux and OpenBSD are most at risk; while attacks on macOS, Windows, MediaTek or Linksys devices are more difficult, those devices are still vulnerable.

An attacker within range of a vulnerable device or access point could decrypt sensitive data such as passwords, emails, credit card numbers and messages: essentially, any data transmitted by an affected device. The attacker could also potentially manipulate or inject code, such as ransomware, into websites.

The researchers have demonstrated KRACK on an Android device in a video and released an academic paper. Using 10 vulnerabilities, “Android and Linux can be tricked into (re)installing an all-zero encryption key,” according to the site detailing the POC.

  • The key reinstallation attack targets the four-way handshake in the WPA2 protocol. The handshake is executed when a client requests to join a protected Wi-Fi network, and it confirms that the pre-shared network password is correct on both ends.
  • Once credentials are established, the handshake also negotiates a new encryption key to be used on all traffic over the connection.
  • KRACK “tricks a victim into reinstalling an already-in-use key … manipulating and replaying the cryptographic handshake messages.”
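
Why reinstalling an already-in-use key matters, as an added Python model that is not from the original post or the researchers' code: installing a key resets the per-frame nonce, so two frames end up encrypted under the same keystream unless the client ignores a repeated handshake message 3. The keystream function is a toy stand-in for WPA2's cipher, and all names and values are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy stand-in for a WPA2 keystream: depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

class Client:
    """Hypothetical model of a client's handling of handshake message 3."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0   # per-frame nonce; must never repeat under one key
        self.used = []           # every (key, nonce) pair used to encrypt a frame

    def on_message3(self, session_key: bytes) -> None:
        # Patched behaviour: a repeated message 3 carrying the key that is
        # already installed must not reinstall it or reset the nonce.
        if self.patched and session_key == self.key:
            return
        self.key = session_key
        self.packet_number = 0   # installing a key resets the nonce

    def send(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        self.used.append((self.key, self.packet_number))
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

def nonce_reused(client: Client) -> bool:
    """Audit check: True if any (key, nonce) pair encrypted more than one frame."""
    return len(client.used) != len(set(client.used))

def run(patched: bool):
    key = b"constructed-session-key"   # constructed sample value
    c = Client(patched)
    c.on_message3(key)                 # first delivery of message 3
    c1 = c.send(b"frame one: hello")
    c.on_message3(key)                 # the same message 3 delivered again
    c2 = c.send(b"frame two: world")
    return c, c1, c2

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable",
              "-> nonce reused:", nonce_reused(run(patched)[0]))
```

With a repeated keystream, XORing the two ciphertexts cancels the key material and leaves only the XOR of the plaintexts, which is what makes decryption possible; the patched client never repeats a (key, nonce) pair.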

KRACK targets both vulnerable access points and clients. But patching the client, even if it is connected to a vulnerable access point, can neutralize the threat, and patches are also available for select Wi-Fi access points.

While there is no proof of an exploit in the wild, with this level of detail, it shouldn’t take long. Enterprise and government Wi-Fi networks accepting connections from Android or Linux devices are the most at risk.

Detecting KRACK Vulnerabilities 

For customers using Skybox™ Vulnerability Control, the Vulnerability Detector feature can discover vulnerable devices running Windows, RedHat Linux and other network devices without waiting for a scan.

The following vulnerabilities have been updated in the Skybox™ Security Intelligence feed and details are accessible to the public at Skybox Vulnerability Center:

A detailed advisory on KRACK is available here and CERT has also released an advisory.

Resources

See how the Skybox intelligence feed and the threat-centric vulnerability management approach identified and prioritized vulnerabilities used in WannaCry and Petya, as well as the Equifax data breach before their highly publicized attacks, so customers could take proactive security measures.