
Critical vulnerabilities in Wi-Fi encryption protocols (“KRACK” attack) on October 16, 2017

A vulnerability has been identified in current wireless encryption standards (WPA1/WPA2)[1]. An attacker within range of a victim can exploit these weaknesses using Key Re-installation Attacks (“KRACKs”).  These attacks can be used to read Wi-Fi network traffic that was previously assumed to be encrypted. This can be abused to reveal sensitive information transmitted through unencrypted protocols, like standard (HTTP) web browsing, FTP, and other unencrypted communications. Additionally, this attack can be used to spoof website responses (such as redirecting you to a fake or malicious website).
 
The vulnerabilities are in the Wi-Fi standard itself, and not in individual products or implementations.  To prevent the attack, users must update affected products as soon as security updates become available.  Researchers discovered that Android, Linux, macOS/iOS, Windows, OpenBSD, MediaTek, Linksys, and other operating systems/devices are all currently affected by some variant of the attack[2].
 
Remediation and mitigation:
- Operating systems, including Windows, macOS, iOS, and Android, should be patched as soon as patches are available. We will send additional notices as patches become available.
- WPA1 and WEP should NOT be used instead of WPA2 – even with this new attack, WPA1/WEP are still considered much less secure than WPA2.
- This attack does not break HTTPS/SSL connections – however, in certain scenarios, downgrade attacks may be possible. To reduce this risk, we recommend the following:

  • Using a VPN service whenever connected to a Wi-Fi access point.
  • Using the “HTTPS Everywhere” browser plugin[3] to prevent downgrade attacks for HTTPS (secure) websites.
  • Ensuring any website you are about to enter sensitive information into is SSL secured (with the padlock icon) and displays the correct URL.
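
The WPA1/WEP point above can be checked on Linux clients that store Wi-Fi profiles in a wpa_supplicant.conf file. The following is an added example, not part of the original advisory: it parses a constructed configuration and flags saved networks that still permit WEP or WPA1. The sample SSIDs and the function names `parse_networks` and `audit` are assumptions.

```python
import re
# Constructed sample wpa_supplicant.conf (SSIDs and values are made up).
SAMPLE_CONF = '''
network={
    ssid="office-wpa2"
    proto=RSN
}
network={
    ssid="legacy-printer"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="old-router"
    proto=WPA
}
network={
    ssid="mixed-default"
    psk="placeholder-passphrase"
}
'''

def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        settings = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(text):
    """Map SSID -> finding for profiles that permit WEP or WPA1."""
    findings = {}
    for net in parse_networks(text):
        # wpa_supplicant defaults when a key is omitted (both WPA versions allowed)
        proto = set(net.get("proto", "WPA RSN").upper().split())
        key_mgmt = set(net.get("key_mgmt", "WPA-PSK IEEE8021X").upper().split())
        if key_mgmt == {"NONE"} and any(k.startswith("wep_key") for k in net):
            findings[net.get("ssid", "?")] = "WEP"
        elif key_mgmt != {"NONE"} and "WPA" in proto:
            findings[net.get("ssid", "?")] = "WPA1 allowed"
    return findings

print(audit(SAMPLE_CONF))
```

A profile with no `proto` line is flagged because wpa_supplicant then accepts both WPA1 and WPA2; setting `proto=RSN` restricts it to WPA2.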

 
Additional points and takeaways:
- It is unknown if this vulnerability is currently being exploited in the wild, but as the research for this attack has been published, it is anticipated that it soon will be.
- Both WPA2 Personal & Enterprise are affected.
- This is the first workable attack against WPA2 that does not use password guessing – incidentally, the WPA2 password itself is not exposed to the attacker.
 
References:
[1] https://www.krackattacks.com
[2] https://papers.mathyvanhoef.com/ccs2017.pdf
[3] https://www.eff.org/https-everywhere