Key reinstallation attacks (KRACK) are a type of cyberattack that exploit a vulnerability in WPA2 for the purpose of stealing data transmitted over networks. These attacks can result in the theft of sensitive information like login credentials, credit card numbers, private chats, and any other data the victim transmits over the web. KRACKs can also be used to perform on-path attacks, serving the victim a fake website or injecting malicious code into a legitimate site.
Wi-Fi Protected Access II (WPA2) is a security protocol that protects virtually all secured WiFi networks. WPA2 uses strong encryption to protect communications between a user’s device and the device providing the WiFi. This is meant to stop anyone who might intercept the communication from making sense of the captured data.
An encrypted WPA2 connection is initiated with a four-way handshake sequence, although the entire sequence isn’t required for a reconnect. In order to enable faster reconnections, only the third part of the four-way handshake needs to be retransmitted. When a user reconnects to a familiar WiFi network, the WiFi network resends them the third part of the handshake sequence; this resending can occur multiple times to ensure the connection succeeds. This repeatable step is the vulnerability that can be exploited.
An attacker can set up a clone of a WiFi network that the victim has previously connected to. The malicious clone network can provide access to the Internet, so the victim won’t notice a difference. When the victim tries to reconnect to the network, the attacker can force them to join the clone network instead, positioning themselves as a on-path attacker. During the connection process, the attacker can keep resending the third part of the handshake to the victim’s device. Each time the user accepts the connection request, a small piece of data is decrypted. The attacker can aggregate this series of communications to crack the encryption key.
Once the WPA2 encryption has been compromised, the attacker can use software to capture all the data transmitted by the victim over the WiFi network. This won’t work for websites that use SSL/TLS encryption, but the attacker can use a tool like ‘SSLStrip’ to force the victim to visit HTTP versions of websites. The victim may not notice that the site is unprotected, and may end up entering sensitive information that the attacker will intercept.
It should be noted that KRACK attacks require proximity to work. An attacker cannot target someone across the globe or even across town; the attacker and victim must both be in range of the same WiFi network to carry out the attack.
Fortunately, security experts discovered the KRACK vulnerability before attackers started using it, so there aren’t currently any reports of KRACK attacks in the wild. Even so, operating systems have been patching the vulnerability to ensure it isn’t used against their devices.
Windows, OSX, Linux, Android, and iOS have all patched their software to address KRACK attacks. Users should update their operating systems to ensure they are protected. Additionally, when surfing the web, users should always browse over HTTPS when possible – this can be verified in most browsers by a symbol marking a secure connection. For websites and API looking to increase security easily, Cloudflare offers free SSL in an effort to keep the Internet as protected as possible.