Understanding the KRACK Vulnerability

If you are part of the Wi-Fi or technology community you've probably been hearing about the key reinstallation attack (KRACK) vulnerability, which is a man in the middle attack (MiTM). It is important to recognize this type of attack requires the intruder to have proximity to the client and the access point the client is using.

The intruder uses a method of attack that takes advantage of a piece of code in the WPA2 standard impacting the Pairwise Transient Key (PTK) exchange between the client and the AP during WPA2 authentication. This method allows the attacker to intercept and request a reset using older data. The attacker then forces the client to connect to them thus creating a "man in the middle." The unsuspecting client will then browse to sites, use passwords and the attacker has gained access to the user’s information. 

The Secret Handshake 

Try this on for an analogy. The access point needs to teach the wireless client how to access the network. To do this they each share a secret language. But to ensure that each are going to speak this language, the access point first needs to teach the client a secret handshake. The secret handshake is based on the language they both know how to speak but unique to their connection together. The access point sends a clue to the client who then figures out a reply to send back to the access point.

If the access point is happy with the result, they complete a secret handshake, create a connection and start speaking the encrypted language. If not, the access point will try again for a few times before giving up. The attacker is listening and has figured out how to intercept the components of this secret handshake. The attacker then tells the client they need to relearn the handshake they already know.

Now what should happen is the client should spit back that it already knows the secret handshake and call foul. However, the WPA2 protocol does not do this. Instead the client is clueless at this point and simply sends back the same answer which is also captured by the attacker. VIOLA… the attacker is now in between the client and the access point and able to capture all the client’s data. This is an exploit of a standard which means it is industry wide.

Everywhere WPA/WPA2 is used is vulnerable to this attack. Of the identified 10 identified exposures, 9 of them are client based. To resolve this, manufactures of access points and client devices are going to need to produce firmware upgrades that are agreed industry standard; it’s going to take a while. And although this sounds scary, and it is a real issue, it is important to remember it takes a very well educated and tooled attacker who is within proximity of your network access point and your clients.

Concerned about about whether the KRACK vulnerability might impact your organization? Harbor Networks can help your organization overcome this exploitation today—before the fix, using proper network design and other security methods. 

Let Us Help