Several news reports today sounded the alarm that the WPA2 protocol, currently the most popular method of securing Wi-Fi communications, is vulnerable to the “KRACK” attack. Despite the amusing name, this vulnerability is extremely serious.
KRACK stands for Key Reinstallation Attack. In essence, this attack tricks Wi-Fi enabled devices into reinstalling the “nonce,” which is a randomly generated, one-time numerical key used to encrypt communications between the targeted device and the router/gateway. Once the attacker has compromised this key, it can eavesdrop on the packets that are sent to/from the target device or, alternatively, it can forge packets to inject viruses or other malicious code onto a target machine.
Because this attack exploits the underlying protocol, neither changing your WPA2 password nor using a strong password will provide protection. However, industry and security experts have indicated that patches and updates will be released soon, and these should be installed. Perhaps a longer-term problem exists in the untold number of legacy and unsupported Wi-Fi-enabled devices that may not be updated, or at least not updated in a timely fashion.
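A simplified model of the nonce reset described above and of what a patched client does differently, added here as an illustration; it is not code from this post or from any Wi-Fi implementation. It assumes the nonce is a per-frame counter, uses a toy HMAC-SHA256 keystream in place of WPA2's real cipher, and all names and sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values, not captured traffic.
KEY = b"constructed-session-key"
FRAME_1 = b"GET /login HTTP/1.1"
FRAME_2 = b"password=hunter2!!!"


def keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode), a stand-in for WPA2's cipher."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Hypothetical client: one session key plus a per-frame nonce counter."""

    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key):
        # Patched: a key already in use is not installed again, so the
        # nonce counter is never rewound.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0  # unpatched: a repeated install resets the counter

    def send(self, plaintext):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)


def demo(patched):
    """Return (nonce_reused, c1 XOR c2) for two frames sent around a reinstall."""
    sta = Station(patched)
    sta.install_key(KEY)
    n1, c1 = sta.send(FRAME_1)
    sta.install_key(KEY)  # the same key delivered a second time
    n2, c2 = sta.send(FRAME_2)
    return n1 == n2, xor(c1, c2)
```

With the unpatched station, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the keystream cancels out and the password offers no protection; the patched station never repeats a nonce under the same key.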
What can people do to protect themselves? While some suggest that Wi-Fi should be a no-go zone for more sensitive information in the interim, most experts recommend making use of HTTPS and other end-to-end encrypted mobile technologies (e.g., WhatsApp, iMessage, Viber) to offer some protection. End-to-end encryption should prevent an attacker from decrypting the ultimate payloads of Wi-Fi packets even if the attacker can decrypt them at the Wi-Fi level – in other words, the attacker decrypts a message only to find another layer of encryption.
For more information regarding cybersecurity issues, please contact the author of this blog or Polsinelli’s Privacy and Data Security team.