WPA2 has been broken. Now what?

A new attack method called KRACK is able to break WPA2 encryption
Bjorn: Focus your resources to close that gap between vulnerability disclosures and targeted exploits as much as possible.


By Kalle Bjorn, director, systems engineering at Fortinet

A new attack method called KRACK (for Key Reinstallation AttaCK) is now able to break WPA2 encryption, allowing a hacker to read information passing between a device and its wireless access point using a variation of a common – and usually highly detectable – man-in-the-middle attack. If successful, this vulnerability can potentially allow a hacker to spy on your data as well as gain access to unsecured devices sharing the same WiFi network.

Of course, as computing power grew, it was just a matter of time before another encryption protocol was broken. In this case, Belgian security researchers at KU Leuven university, led by security expert Mathy Vanhoef, discovered the weakness and published details of the flaw on Monday morning.

Essentially, KRACK breaks the WPA2 protocol by “forcing nonce reuse in encryption algorithms” used by Wi-Fi. In cryptography, a nonce is an arbitrary number that may only be used once. It is often a random or pseudo-random number issued in the public key component of an authentication protocol to ensure that old communications cannot be reused. As it turns out, the random numbers used on WPA2 aren’t quite random enough, allowing the protocol to be broken.
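Why forced nonce reuse matters, as an added illustration that is not part of the original article: it assumes, as the attack's name suggests, that installing an already-used key a second time resets the per-packet counter that serves as the nonce. The `Sender` class, the SHA-256 keystream (a toy stand-in for WPA2's real cipher) and all sample values are hypothetical and constructed for this example.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy counter-mode keystream (SHA-256 based); a stand-in for WPA2's real cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Hypothetical model of a client using a per-key packet counter as the nonce."""
    def __init__(self, reset_on_reinstall: bool):
        self.reset_on_reinstall = reset_on_reinstall
        self.key = None
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        if key == self.key and not self.reset_on_reinstall:
            return  # hardened: key already in use, keep the counter running
        self.key, self.packet_number = key, 0

    def encrypt(self, plaintext: bytes):
        self.packet_number += 1  # the nonce must never repeat under one key
        nonce = self.packet_number
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

def run(reset_on_reinstall: bool):
    key = b"constructed-session-key"                   # constructed sample value
    p1, p2 = b"GET /index.html ", b"user=alice;id=42"  # constructed, equal length
    sender = Sender(reset_on_reinstall)
    sender.install_key(key)
    n1, c1 = sender.encrypt(p1)
    sender.install_key(key)  # the same key is installed a second time
    n2, c2 = sender.encrypt(p2)
    nonce_reused = n1 == n2
    # With a reused nonce the keystream cancels: c1 XOR c2 == p1 XOR p2.
    leaks_xor = xor(c1, c2) == xor(p1, p2)
    # Anyone who knows p1 can then read p2 without ever learning the key.
    recovered_p2 = xor(xor(c1, c2), p1) == p2
    return nonce_reused, leaks_xor, recovered_p2

if __name__ == "__main__":
    print("counter reset on reinstall:", run(True))
    print("counter kept on reinstall: ", run(False))
```

The hardened branch in `install_key` mirrors the general shape of the fix: a key that is already in use is not installed again, so the counter keeps advancing.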

The US Computer Emergency Readiness Team (CERT) issued a warning on Sunday in response to the vulnerability that reads, in part: “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others.”

But how bad is it, really?

First, an attacker needs to be in reasonably close proximity in order to capture the traffic between an endpoint device and the vulnerable wireless access point. So, until things are fixed, you should be especially careful using public WiFi. Of course, we’ve been saying that for years.

In addition, the attack is unlikely to affect the security of information sent over a connection using additional encrypted methods such as SSL. Every time you access an HTTPS site, for example, your browser creates a separate layer of encryption that will keep you safe when doing things like online banking or making purchases, even in spite of this latest security threat. So keep your eye on that little lock icon in the corner of your browser when you are conducting transactions online over a WiFi connection.

Likewise, VPN connections – which you should already be using – will continue to protect your corporate data even if your WPA2 connection is compromised.

Users of Fortinet’s suite of secure wireless access points that are running the latest software updates are already protected. For information about your WiFi-enabled Fortinet solutions, this PSIRT Advisory provides details on which versions of devices are affected, and what you can do to ensure you are protected.

The most important thing users can do, and you will see this repeated across the Internet, is to remain calm. Yes, it’s a big deal. And yes, lots of devices are impacted. But with good information, some careful planning, and encouraging users to continue to use good security basics – like using VPN and SSL – your data should be safe until you can get your devices patched and updated.

But your window of opportunity is closing. Over the past year we have seen a number of exploits launched right on the heels of an announced vulnerability. Organisations that have let their security hygiene lapse, especially with regard to patch and replace protocols, were the ones most affected by the rash of attacks that followed. The most important thing you can do is focus your resources to close that gap between vulnerability disclosures and targeted exploits as much as possible.

