The “KRACK attack,” or Key Reinstallation Attack, is a vulnerability recently discovered by Belgian researcher Mathy Vanhoef of the University of Leuven. It is a gap in the core of a protocol called Wi-Fi Protected Access II (WPA2) that leaves device functions and sensitive user information exposed. And it’s a flaw that affects nearly every wireless device.
The weakness allows anyone in the vicinity of a WPA2-protected wireless network to intercept traffic from the devices connected to it, whether information related to the functionality of the gadget or private data such as credit card information, passwords, messages, emails, or photos.
The attack targets the four-way handshake that a client and an access point use to establish a key for encrypting traffic. This handshake takes place every time a client joins a protected Wi-Fi network and confirms that both the client and access point have the correct credentials. The flaw forces clients to reuse an older session key, which weakens the protection that encryption gives the traffic.
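The key reuse described above can be modelled in a few lines of Python. This is an added example, not code from the article or from the researcher: the Client class, the hash-based keystream, the sample key and the sample frames are all constructed for illustration. It assumes, as in the published attack, that the client installs the key again when a handshake message is delivered a second time and that installing a key resets the per-packet counter; the hardened client refuses to reinstall a key it already holds.

```python
import hashlib

def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy per-packet keystream (NOT the real WPA2 cipher): SHA-256 of key, counter, block."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client model: one session key plus a per-packet counter."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.counter = 0
        self.used = []  # every (key, counter) pair used to encrypt

    def install_key(self, key: bytes) -> None:
        # Hardened behaviour: a key that is already installed is not
        # installed again, so the counter keeps advancing.
        if self.hardened and key == self.key:
            return
        self.key, self.counter = key, 0  # vulnerable path resets the counter

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1
        self.used.append((self.key, self.counter))
        return xor(plaintext, keystream(self.key, self.counter, len(plaintext)))

def simulate(hardened: bool):
    """Return (counter_reused, ciphertext_xor_equals_plaintext_xor) for one session."""
    key = b"constructed-session-key"               # constructed sample value
    p1, p2 = b"frame-one-data", b"frame-two-data"  # constructed sample frames
    client = Client(hardened)
    client.install_key(key)   # handshake completes
    c1 = client.send(p1)
    client.install_key(key)   # same handshake message delivered again
    c2 = client.send(p2)
    reused = len(set(client.used)) < len(client.used)
    return reused, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched client:", simulate(False))
    print("patched client:  ", simulate(True))
```

In the unpatched run both frames are encrypted under the same key and counter, so the keystream cancels out when the two ciphertexts are XORed; the patched client keeps counting and the two frames never share a keystream.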
While many companies have already issued downloadable patches to reinforce the at-risk areas and protect user data on smartphones and computers, other devices like routers, garage doors, and networked appliances will be more complicated to fix. Experts explain that the vulnerability is so widespread that we will most likely continue to find affected devices for the next 20 years.
“It’s a problem in the core design of how keys are managed and integrity is assured,” Kenneth White, director of the Open Crypto Audit Project, told WIRED. “When every Wi-Fi client is vulnerable to some of these flaws, the standard is underspecified (and flawed). There will be many millions of internet connected devices that will likely never get fixed.” In many cases, IT professionals indicate that the safest, easiest option may be to purchase new equipment as a replacement.
Regulation may also be on the horizon. One solution, recommended by Senator Mark Warner of Virginia in August, is a bill that would mandate certain security minimums for smart devices. What are your thoughts on mandating security requirements for the rapidly proliferating Internet of Things?