Hi, my name is YourPhone and I have a problem with KRACK. I was having a perfectly normal conversation with one of my many close Access Point pals when someone made me an offer I couldn’t refuse. When I say ‘couldn’t refuse’ I really mean it, it is in the protocol and I am not yet sentient.
This shady outsider, in a Derren Brown or the snake from The Jungle Book sort of a way (trrrust in me) asked me to reuse one of my encryption keys and tell her the full details. I was powerless. I couldn’t refuse. I am a slave to the protocol.
You will no doubt have seen the screeching headlines about vulnerabilities in the WPA2 protocol released by Belgian researchers this week. Called KRACK (Key Reinstallation AttaCKs – see what they did there?), this one is most definitely proper. It has a name, a profile picture and a website.
In order to exploit this vulnerability, the attacker must be local to the access point and can then, on a per-session (very important – per-session) basis copy the traffic between an endpoint and an access point unencrypted.
In old money this would be similar to being connected to a shared wired network (ah, remember the days of 185 metre coaxial cables with 32 close friends attached?), a hub connection, a network tap or (and would you even believe these things existed?) a sneaky network port to which all data was copied (aka a SPAN port).
Of course if you are using a secure protocol at the application layer (like HTTPS) the decryption of your wireless session is totally irrelevant. If you regularly use public WiFi on your travels or as part of your rent-free meeting room space (Costa/Starbucks/Pret, some Public Houses we will not mention) then you must assume that your traffic can be recorded.
As much as we all love a Belgian release story, this one has grabbed the headlines for the wrong reasons and has, in our opinion, caused undue concern. In order to exploit this the attacker needs to be local to you (on the same Access Point) and can record a session at a time. We are fairly sure that if Ernst Stavro Blofeld or Doctor Evil (mwahaha) were after data from you, they weren’t waiting for this vulnerability to get it.
As ever we urge you to patch expediently as manufacturer’s releases become available. This is a problem with the protocol, not a coding issue. Endpoints (especially Linux and Android) require patching. This may take a while.
In the meantime, treat all wireless networks as if you were taking an Iced Skinny Mocha in Cheltenham.
Just in case you might think you have caught us napping, the Trusted Platform Module serving up weak, encryption RSA keys (CVE-2017-15361) has not escaped our attention. Imagine who would mess with the design of a crypto chipset installed as standard on a huge number of devices? Blofeld, Doctor Evil?
If you would like to discuss your problems with KRACK, your fears about GDPR, overcoming the loss of 10Base2 or anything related to information security, please contact us at: firstname.lastname@example.org or call 0207 517 3900.
For those who clicked on the Slave To The Rhythm link, you might be surprised to know that Ms Grace Jones is only five feet and eight inches tall (and that is probably in heels). She is however much more scary than KRACK.