Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks, called KRACK. Security researcher Mathy Vanhoef said that 41 percent of Android devices are vulnerable to an “especially devastating” variant of the attack, while attacking macOS and OpenBSD is easier than he initially thought since he has found simpler techniques since submitting his research paper for review in May.
Users are urged to update affected products as soon as security updates become available. Linux patches are available now. The vulnerability is not believed to have been actively exploited in the wild.
The main attack is against the 4-way handshake of the WPA2 protocol which is executed when a client wants to join a protected Wi-Fi network.
“Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack,” Vanhoef writes.
“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details,” he notes. “In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).”
Here is a demo of the attack on Android and Linux devices:
According to the Wi-Fi Alliance, the organization that certifies Wi-Fi devices, “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections. Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member. Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.”
Vendors whose products were tested against the attack were notified on July 14, 2017. Once it was clear how widespread the vulnerability was, Vanhoef notified CERT/CC, which sent out a broad notification to vendors on August 28.
To prevent these kinds of vulnerabilities, Vanhoef said that there needs to be more rigorous inspections of protocol implementations, which “requires help and additional research from the academic community.”
Vanhoef will present his research at the Computer and Communications Security conference and the Black Hat Europe conference.