Key Reinstallation Attack (KRACK)

by Jonathan Ashton.

KRACK is a newly published attack on wireless communications between a device (smartphone, laptop, Wi-Fi cameras, etc) and the wireless access point

The attack works by interfering with the handshake process that the device and the access point undertake to secure communication between the two.  It enables the attacker to:

  • Listen in on wireless traffic between the device and access point
  • Inject it’s own data to the traffic
  • Apply additional attacks to further reduce security

This means that an attacker can listen into all unsecured communications you’re having over Wi-Fi (e.g. instant messaging, websites, logins, emails, etc).  They can also modify unsecured data you send/receive or insert new data (e.g. implanting a piece of malware in a website page) although this is a worst case scenario.

On the bright side vendors and manufacturers were warned months ago about this and have been working on security patches for a while.  Some manufacturers have already released the patches via automated updates whilst others will be rolling them out shortly.

At this point in time (18/10/2017), and assuming you have automatic updates turned on, the status of the major vendors are:

  • macOS 10.11.1 – Patch Pending
  • Windows 7, 8, 8.1, 10 – Patched
  • Linux Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, Linux upstream – Patched
  • iOS – Fixed in iOS 11.1 due out in a few weeks
  • Google Devices (Android) – Patch Pending for Google Pixel and Google Nexus (although not clear if older Nexus devices will receive this patch)
  • Samsung (Android) – Newer devices receive Google security fixes (Patch Pending), older devices do not
  • Other Android – Refer to your manufacturers support site

Android devices tend not to get newer versions of the OS (let alone security patches) as they get older but vendors may have no option but to release a fix for this (especially if pressure is applied via social media, etc).

This blogger is keeping track of the status of patches for the most popular vendors (it’s about halfway down the page).  Note that although patching home routers helps with some other issues presented by this attack, patching your router alone will do nothing to stop it if your device hasn’t been patched.

The University is currently advising the following (which should be considered normal practice to help keep yourself and your data safe.)

  • Make sure the software on your device is up to date.  Manufacturers regularly release security patches to fix issues and vulnerabilities in operating systems and it is important that these are promptly installed. For University equipment, Digital Technology Services (DTS) will provide advice about what you need to do when these are available. Users of SHU-owned Macs have been advised NOT to accept an update to High Sierra until DTS has confirmed that it is okay to do so but they should continue to install any security patches which are offered.  On your personally-owned devices, use the latest operating system and install patches when they are offered to you.
  • Wherever possible, use websites that are encrypted – these normally display a padlock next to the address.
  • University staff should use the VPN (Virtual Private Network) service when using laptops and other portable devices to ensure any University data is encrypted while using Wi-Fi networks. This includes while in public areas on campus such as University cafes and other open areas.  More information on the VPN service.