On 16th October a Belgian research group released its research on KRACK (Key Reinstallation Attack). KRACK is a serious, exploitable flaw in the Wi-Fi Protected Access protocol, discovered by Mathy Vanhoef and Frank Piessens. The discovery uncovered a serious weakness in WPA2, which secures all modern Wi-Fi networks. The KRACK attack works against all modern protected Wi-Fi networks and can lead to the theft of sensitive information such as credit card numbers, passwords, chat messages, photos, and so on.
How does it work?
According to Mathy Vanhoef, “Our attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network. The handshake confirms that both the client and access point possess the correct credentials and negotiates a fresh encryption key that will be used to encrypt all subsequent traffic.” Since all modern protected Wi-Fi networks use the 4-way handshake, all of them are vulnerable to the attack.
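The following toy model is an added illustration, not code from the original post or from the researchers; the class and function names (Client, handle_message3, next_nonce, nonces_used) and the placeholder key are made up for it. It shows the core defect the handshake attack exploits: when message 3 of the handshake arrives a second time, an unpatched client reinstalls the already-installed session key and resets its per-packet nonce to zero, so the same key and nonce encrypt two different frames, while a patched client installs a given key once and leaves the nonce alone.

```python
# Added illustration (not from the original post or the KRACK paper's code):
# a toy model of a Wi-Fi client's handling of 4-way-handshake message 3.
# Names (Client, handle_message3, next_nonce, nonces_used) are invented here.
# The key is a constructed placeholder; no real crypto or Wi-Fi traffic is involved.

class Client:
    """Minimal client state: the installed session key and its packet nonce."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.installed_key = None   # the pairwise key currently in use
        self.nonce = 0              # per-packet nonce (packet number) for that key

    def handle_message3(self, session_key: bytes) -> None:
        # An unpatched client re-installs the key every time message 3 arrives,
        # including retransmissions, and resets the nonce to zero each time.
        # A patched client installs a given key once and ignores a retransmitted
        # message 3 for an already-installed key; the handshake itself is
        # unchanged, which is why the fix is backwards compatible.
        if self.patched and session_key == self.installed_key:
            return  # key already in use: do not reinstall, do not reset the nonce
        self.installed_key = session_key
        self.nonce = 0

    def next_nonce(self) -> int:
        """Return the nonce used for the next encrypted frame, then advance it."""
        n = self.nonce
        self.nonce += 1
        return n


def nonces_used(patched: bool) -> list:
    """Simulate: handshake completes, the client sends two frames, message 3
    is delivered a second time (the retransmission the attack relies on),
    then two more frames are sent. Returns the nonces used for the four frames."""
    client = Client(patched)
    key = b"constructed-session-key"   # placeholder, not a real pairwise key
    client.handle_message3(key)
    used = [client.next_nonce(), client.next_nonce()]
    client.handle_message3(key)        # retransmitted message 3
    used += [client.next_nonce(), client.next_nonce()]
    return used


def has_nonce_reuse(patched: bool) -> bool:
    """True when the same (key, nonce) pair would encrypt two different frames,
    which is what lets an eavesdropper recover the traffic."""
    used = nonces_used(patched)
    return len(used) != len(set(used))
```

The Wi-Fi password never appears in this model, which is why changing it does not help: the weakness is in how the negotiated key is installed, not in how it is derived.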
What devices are affected by KRACK?
Any device that supports and uses Wi-Fi is affected by the KRACK attack. In Vanhoef's initial research, Android, Linux, Apple, Windows, OpenBSD and others were all affected by some variant of the attack, but devices running Android 6.0+ and Linux are especially easily affected by KRACK.
What happens to the affected device?
The attacker can intercept all traffic sent by your device over the affected network. This can be used to steal all kinds of sensitive information such as credit card numbers, passwords, chat messages, photos, etc.
How to protect your device from KRACK?
According to Vanhoef, “implementations can be patched in a backwards-compatible manner.” This means your device can download a patch that protects it from KRACK and still communicate with unpatched hardware while remaining protected from the flaw. Major hardware and OS developers are already developing their own patches against KRACK.
If your device hasn't received an update specifically for KRACK, the easiest step is to use a wired Ethernet connection until it does. You can also stick to sites that use HTTPS encryption.
Do we need a new WPA3?
Since a patched client can still communicate with an unpatched access point (AP), a new WPA3 system is not required. Simply updating your device secures it against the KRACK attack.
Does changing the Wi-Fi password work?
The Wi-Fi password has nothing to do with how the KRACK attack works, so changing it does nothing against KRACK. Instead, updating your device and router firmware is the only measure.
If you would like to read more about the KRACK attack, you can read the research paper published by Mathy Vanhoef and Frank Piessens at https://papers.mathyvanhoef.com/ccs2017.pdf or the article written by Mathy Vanhoef himself at https://www.krackattacks.com/.