The last few months have not been kind to the cyber security world: first the Equifax and Kaspersky hacks, and now it seems anything with WiFi capability is no longer safe. Most people know what WPA2 is in passing; it’s one of the options you can select for your router when you set the password. Or, it’s one of the options you can pick when you’re trying to log in to a router from your phone/laptop/tablet/piano playing DOOM. WPA2 stands for “WiFi Protected Access II”, the successor to WPA, which is (you guessed it) “WiFi Protected Access”. It uses a 64- or 128-bit encryption scheme that must be manually entered, and it also checks data packets for alterations or gaps. It does have the normal weakness of any password-protected device, which is that a weak password defeats any amount of encryption.
The vulnerability is known as KRACK, for Key Reinstallation Attack, and it represents a flaw in the core code of WPA2. The bug takes advantage of how new devices are added to the network, namely devices that have had the password shared with them from another device. This is a feature in newer devices which allows them to bring in other trusted devices by sending them the password to use. KRACK allows an attacker to alter the data being sent and received, as well as to add whatever they want to the data stream. This sort of bug represents a complete failure of the WPA2 protocol, since even a truly random password wouldn’t stop an attacker from gaining access to your traffic. There is one positive to the KRACK problem: it was found by a cyber security researcher, who’s smart enough to not release the code he used to exploit WPA2. While KRACK can affect any device that uses WPA2 (most of them), without seeing the code no one can currently do it. However, now that people know it’s possible, there may very well be a race going on among unscrupulous hackers who want to recreate the code before KRACK gets patched out.
The US cyber security emergency unit known as US-CERT confirmed that KRACK is a real threat, and that they had warned distributors of it over two months ago. US-CERT has also reported other vulnerabilities for WiFi and potentially WPA2 as well, but those still lack any proof-of-concept code, so they should be safely patched out. It is noted that Windows and Apple phones are immune to this sort of attack, due to the way they handle WPA2 security. This bug does affect all Android devices, from Marshmallow 6.0 onward.