Mathy Vanhoef, a researcher from the University of Leuven (KU Leuven), has discovered a severe flaw in the Wi-Fi Protected Access II (WPA2) protocol that secures all modern protected Wi-Fi networks.
The flaw affects the WPA2 protocol itself and is not specific to any software or hardware product.
Vanhoef has named his attack KRACK, which stands for Key Reinstallation Attack. The researcher describes the attack as the following:
In simpler terms, KRACK allows an attacker to carry out a MitM and force network participants to reinstall the encryption key used to protect WPA2 traffic. The attack does not recover WiFi passwords.
The attack works only if the attacker is in the victim's WiFi network range, and is not something that could be carried out via the Internet.
HTTPS may also protect user traffic in some cases, as HTTPS uses its own separate encryption layer. Nonetheless, HTTPS is not 100% secure, as attacks exist that could downgrade the connection and grant the attacker access to HTTPS encrypted traffic [1, 2, 3, 4, 5, 6].
The KRACK attack is universal and works against all types of devices connecting to or using a WPA2 WiFi network. This includes Android, Linux, iOS, macOS, Windows, OpenBSD, and embedded and IoT devices.
The attack allows a third party to eavesdrop on WPA2 traffic, but if the WiFi network is configured to use WPA-TKIP or GCMP as its WPA2 encryption protocol, then the attacker can also inject packets into a victim's data, forging web traffic.
Because the vulnerability in establishing the WPA2 handshake affects the protocol itself, even devices with a perfect protocol implementation are affected.
Changing WiFi passwords doesn't protect users. Users must install firmware updates for affected products.
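An added illustration, not taken from the article or from Vanhoef's own code, of why a reinstalled key is dangerous and why the backwards-compatible patch works. It assumes a CCMP-style design in which the per-packet number (the nonce) restarts at zero whenever a key is installed, so a replayed handshake message 3 makes an unpatched client reuse a keystream, while a patched client declines to reinstall a key it already holds; the keystream is a SHA-256 stand-in for AES counter mode, and the station, key and plaintexts are constructed sample values.

```python
import hashlib

# Toy CTR-style keystream, SHA-256(key || nonce || block counter), standing in for the
# AES counter mode CCMP uses: the pair (key, nonce) completely determines the keystream.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce.to_bytes(6, "big") + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Client send state for one session key: the key and its packet number (the nonce)."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Unpatched: every (re)transmitted handshake message 3 installs the key and resets
        # the packet number. Patched: a key that is already installed is left alone.
        if self.patched and self.key == key:
            return
        self.key, self.pn = key, 0

    def send(self, plaintext: bytes):
        # The packet number travels in clear in the frame header, as it does in CCMP.
        frame = (self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext))))
        self.pn += 1
        return frame

def simulate(patched: bool) -> dict:
    sta = Station(patched)
    ptk = b"constructed-session-key"                        # constructed sample key
    p1, p2 = b"GET /inbox HTTP/1.1", b"POST /pay HTTP/1.1"  # constructed plaintexts
    sta.install_key(ptk)                                    # handshake message 3 arrives
    pn1, c1 = sta.send(p1)
    sta.install_key(ptk)                                    # message 3 replayed by a MitM
    pn2, c2 = sta.send(p2)
    # If the keystream repeats it cancels out: c1 XOR c2 == p1 XOR p2, leaking plaintext.
    return {"nonce_reused": pn1 == pn2, "plaintext_xor_leaked": xor(c1, c2) == xor(p1, p2)}

def detect_pn_reuse(frames) -> list:
    """Monitor-side check: flag a packet number seen twice from the same sender."""
    seen, alerts = set(), []
    for sender, pn in frames:
        if (sender, pn) in seen:
            alerts.append((sender, pn))
        seen.add((sender, pn))
    return alerts
```

`simulate(False)` models the unpatched client and `simulate(True)` the patched one; `detect_pn_reuse` is the kind of check a wireless monitor can run on the cleartext packet numbers it observes.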
"Any device that uses Wi-Fi is likely vulnerable," Vanhoef said. "Luckily implementations can be patched in a backwards-compatible manner." A list of affected products and available updates will be published on a US-CERT advisory page that will go live in the following hours. No updates are available at the time of publishing.
While updates are expected for desktops and smartphones as soon as possible, experts believe routers and IoT devices will be affected the most and will see a delay in receiving firmware updates.
Vanhoef discovered the issue in 2016 but kept working to refine his attack. The researcher sent notifications to some affected vendors in July 2017, and US-CERT sent a broader note to more vendors at the end of August.
The expert describes the attack in much more depth on a website dedicated to the KRACK attack, and in a research paper he plans to present at this year's Computer and Communications Security (CCS) and Black Hat Europe conferences.
Vanhoef also published a video demoing and explaining the KRACK attack.
The following CVE identifiers will help you track if your devices have received patches for the WPA2 flaws Vanhoef discovered.
The first thing you should do is not panic. While this vulnerability could allow an attacker to eavesdrop on or modify data transmitted over wireless connections, the attack is not going to be easy to pull off, and no working exploit has been published as yet.
The good news is that this is a highly covered vulnerability and vendors will quickly release updates to fix this flaw. For consumers and business users, this means updating your router, access point, wireless network adapters, and devices with new firmware and drivers as they are released.
To make it easier for you, BleepingComputer has started compiling a list of vendors who have released advisories or driver and firmware updates. This list can be found at List of Firmware & Driver Updates for KRACK WPA2 Vulnerability and will be constantly updated as BleepingComputer receives new information.