KRACK in the code: Software flaw affects security of nearly every Wi-Fi enabled device

JHU experts explain why the bug is such a big deal, and—paradoxically—why it likely won't lead to many personal breaches

Hacks and cybersecurity attacks are in the news so frequently—and the threats can be so abstract—that some people find it easier to tune out.

But the software vulnerability revealed Monday is worth paying attention to—the bug compromises the security of nearly every Wi-Fi-enabled device in active use.

Yikes.

The bug affects the ubiquitous WPA2 protocol that protects users by encrypting information that passes over wireless Internet networks—including passwords or financial or personal information.

WPA2 used to be the industry standard for security. But a researcher from the University of Leuven in Belgium identified a flaw dubbed the Key Reinstallation Attack, or KRACK, that allows a hacker to first clone a wireless network, then trick a user into entering their encryption key, and finally decrypt the information previously sent over the secure network, or even forge new data to be sent.

"This sort of complicated crypto is a fertile area for bugs," Johns Hopkins University cryptographer Matthew Green told WIRED in a report published today. "The problem is not so much that there are a ton of bugs in WPA2. It's that it will be very hard to patch most low-cost consumer devices. So all it takes is one bad one to screw a lot of people up for years."

In The Los Angeles Times, he added: "Nobody has ever found this vulnerability. It's pretty serious."

Fortunately, reports the Wi-Fi Alliance, there seems to be no evidence of malicious hackers exploiting the bug at this time. And somewhat paradoxically, Green explains in The Wall Street Journal that "for the average person, it probably doesn't matter very much."

Why not?

Because in order to clone a network, a hacker would need to monitor that network through an eavesdropping device—which requires the hacker to be physically nearby. In an attack on a personal network, the return on investment for a hacker would be relatively low.

Instead, Green suggested in a tweet, it's far more likely that this kind of flaw will be exploited on a commercial or corporate scale, as was the case in the 2007 attack on the retail giant T.J. Maxx, in which the information of more than 94 million customers was stolen.

So what can individuals do? Avi Rubin, a professor of computer science in JHU's Whiting School of Engineering and the technical director of the Johns Hopkins University Information Security Institute, tells the L.A. Times that consumers could be protected by using encrypted email features and websites that use protected transfer protocols like HTTPS. (To determine this, note whether the URL begins with http:// or https://. The latter is secure.)

And of course, install security updates and patches whenever possible. Microsoft and Apple have already issued patches that protect against KRACK, so don't let those updates sit in your app store.