Weeks ago, a now well-known attack was discovered on WPA2, the protocol that secures protected Wi-Fi networks. The vulnerability is related to a key reinstallation attack, also known as KRACK.
It exploits design or implementation flaws in the WPA2 protocol of the Wi-Fi standard, specifically in what is known as the four-way handshake (the network authentication protocol), to reinstall an already-in-use key. Reinstalling the key resets it, which allows the encryption protocol to be attacked. To guarantee security, a key should only be installed and used once. The research paper found that the WPA2 protocol does not guarantee this, which makes it highly likely that the weakness will be abused.
Once the attack succeeds, an attacker may be able to access and tamper with network traffic, which may lead to theft of login credentials or other sensitive data, or to malware injection. The paper reveals that the attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux and Android devices. Apple, Windows, OpenBSD, MediaTek and Linksys, among others, are also affected.
There are a few recommendations to avoid the attack:
- Update all Wi-Fi client devices (such as smartphones, tablets, personal computers, etc.) once security updates become available. This ensures a key is used only once, preventing the attack.
- Update the firmware of your Wi-Fi router.
- Changing your Wi-Fi password does not prevent or mitigate this attack, and this type of attack does not help an attacker recover your Wi-Fi password. After updating your devices and router, though, it is always good practice to change your Wi-Fi password.
- If your router is not configured for automatic updates, contact your vendor immediately for manual updates. Generally, you can try to mitigate attacks against routers and access points by disabling client functionality and disabling 802.11r (fast roaming). For ordinary home users, the priority should be to update devices such as laptops, tablets and smartphones.
- Using WPA2 is still encouraged, as it remains the safest option.
- WPA3 is not needed at this time. Implementations can be patched in a backwards-compatible manner, meaning a patched client can still communicate with an unpatched access point, and vice versa.
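
The following is an added example, not code from the research paper or from wpa_supplicant. It is a simplified model of why reinstalling an in-use key breaks the encryption, and of what a patched client does differently. The `Client` class, the `run` function and the sample key and frames are constructed for illustration, and a hash-based toy keystream stands in for WPA2's real cipher.

```python
import hashlib

def keystream(key, pn, length):
    """Toy keystream derived from (key, packet number); stands in for the real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client handling handshake message 3."""
    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.pn = 0                      # transmit packet number (the nonce)

    def on_message3(self, key):
        if self.patched and key == self.key:
            return                       # key already in use: do not reinstall it
        self.key = key
        self.pn = 0                      # installing a key resets the packet number

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def run(patched):
    """Return (pn of frame 1, pn of frame 2, whether ct1^ct2 equals pt1^pt2)."""
    key = b"constructed-session-key"     # constructed sample value
    pt1, pt2 = b"frame one: hello", b"frame two: world"
    client = Client(patched)
    client.on_message3(key)              # first delivery of message 3
    pn1, ct1 = client.send(pt1)
    client.on_message3(key)              # retransmitted message 3, same key
    pn2, ct2 = client.send(pt2)
    return pn1, pn2, xor(ct1, ct2) == xor(pt1, pt2)

if __name__ == "__main__":
    print("unpatched:", run(False))      # same packet number twice, keystream reused
    print("patched:  ", run(True))       # packet number keeps increasing
```

In the unpatched case both frames are encrypted with the same keystream, so XORing the two ciphertexts cancels the key material and exposes the XOR of the plaintexts. This is why the fix on the client side alone is enough to stop the reuse.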