WPA2 Has Been Broken, What Now?Rex Wescombe
Early Monday morning it was announced that WPA2, WiFi’s most popular
encryption standard, had been cracked. A new attack method called KRACK
(for Key Reinstallation AttaCK) is now able to break WPA2 encryption,
allowing a hacker to read information passing between a device and its
wireless access point using a variation of a common – and usually highly
detectable – man-in-the-middle attack. If successful, this
vulnerability can potentially allow a hacker to spy on your data as well
as gain access to unsecured devices sharing the same WiFi network.
Of course, as computing power grows, it was just a matter of time
before another encryption protocol was broken. In this case, Belgian
security researchers at KU Leuven university, led by security expert
Mathy Vanhoef, discovered the weakness and published details of the flaw
on Monday morning.
Essentially, KRACK breaks the WPA2 protocol by “forcing nonce reuse
in encryption algorithms” used by Wi-Fi. In cryptography, a nonce is an
arbitrary number that may only be used once. It is often a random or
pseudo-random number issued in the public key component of an
authentication protocol to ensure that old communications cannot be
reused. As it turns out, the random numbers used on WPA2 aren’t quite
random enough, allowing the protocol to be broken.
The US Computer Emergency Readiness Team (CERT) issued a warning on
Sunday in response to the vulnerability that reads in part that, “The
impact of exploiting these vulnerabilities includes decryption, packet
replay, TCP connection hijacking, HTTP content injection and others.”
But how bad is it, really?
First, an attacker needs to be in reasonably close proximity in order
to capture the traffic between an endpoint device and the vulnerable
wireless access point. So, until things are fixed, you should be
especially careful using public WiFi. Of course, we’ve been saying that
In addition, the attack is unlikely to affect the security of
information sent over a connection using additional encrypted methods
such as SSL. Every time you access an HTTPS site, for example, your
browser creates a separate layer of encryption that will keep you safe
when doing things like online banking or making purchases, even in spite
of this latest security threat. So keep your eye on that little lock
icon in the corner of your browser when you are conducting transactions
online over a WiFi connection.
Likewise, VPN connections – which you should already be using – will
continue to protect your corporate data even if your WPA2 connection is
For users of Fortinet’s suite of secure wireless access points and Wi-Fi enabled solutions, please consult the latest Fortinet PSIRT Advisory that provides details on which versions of Fortinet devices are affected, and what you can do to ensure you are protected.
In the meantime, the most important thing users can do, and you will
see this repeated across the Internet, is to remain calm. Yes, it’s a
big deal. And yes, lots of devices are impacted. But with good
information, some careful planning, and encouraging users to continue to
use good security basics – like using VPN and SSL – your data should be
safe until you can get your devices patched and updated.
But your window of opportunity is closing. Over the past year we have
seen a number of exploits launched right on the heels of an announced
vulnerability. Organizations that have let their security hygiene lapse,
especially with regards to patch and replace protocols, were the ones
most affected by the rash of attacks that followed. The most important
thing you can do is focus your resources to close that gap between
vulnerability disclosures and targeted exploits as much as possible.