Who is affected?
This is a weakness in the standard itself, more precisely in the Wi-Fi security protocol WPA2. In general, all devices using Wi-Fi technology are affected, including routers, access points, notebooks, mobile phones, and tablets from all manufacturers.
However, according to the discoverers of the security vulnerability (www.KrackAttacks.com), the weakness can only be exploited if the WPA2 protocol negotiation is initiated by the Wi-Fi client, for example a smartphone or tablet. According to their explanation, routers and access points are only vulnerable if they assume a client role, such as when they are used as a repeater. In addition, fast roaming functions based on the 802.11r standard, as well as the 802.11s protocol, are vulnerable.
Also affected are directional Wi-Fi radio links (point-to-point / point-to-multipoint) as well as wireless distribution systems (WDS), which are often used in outdoor installations. Although the actual risk of attack is considerably lower due to the technical peculiarities here, these installations should also be updated.
Who is not affected?
The problem does not affect operators of Wi-Fi hotspots that work without WPA2 encryption, which is widely the case. No update is required for these hotspots.
Users and companies who do not use 802.11r or 802.11s are also not affected.
How does the attack work?
Put simply, this is a kind of man-in-the-middle attack. The intruder taps into the secure connection between the Wi-Fi client and the access point or Wi-Fi router, which allows them to record the encrypted data packets. This means that the intruder must be within range of the WLAN. Unlike the router vulnerabilities that have been repeatedly reported, this vulnerability does not allow for remote attacks via the Internet. The method allows only one connection between a specific client and its access point to be intercepted. This means that an affected client does not compromise other clients.
How big is the actual risk?
Even though the attack method is rather complex, the risk is real. Particularly in environments with numerous Wi-Fi devices, a potential intruder may be able to work without being noticed.
How can I find out whether my devices are affected?
Currently, there is no universal “KRACK testing tool” available. It is therefore recommended to contact the manufacturers. Basically, all devices with a Wi-Fi radio module are affected. Exceptions are Windows computers with the latest updates and a number of Linux distributions that have already received a security fix. All Android phones and tablets, as well as iPhones and iPads, currently (17 October, 2017) remain vulnerable.
LANCOM Wi-Fi devices in their factory configuration are not affected by the vulnerability. The LANCOM configuration tools also do not enable these functions by default.
Where do I obtain the required patches?
Only from the manufacturer of the respective device or operating system. Take a look at the manufacturer’s website, or use the automatic update functionality of your device where available.
What can I do if no patches are available?
Until patches are provided, you should assume that the data traffic between the affected clients and their access points or Wi-Fi routers can potentially be intercepted. When transmitting personal information, make sure that an additional encryption layer, such as HTTPS, is used. Another alternative is to use a VPN, as this effectively secures data transmissions even via insecure channels.
Is it sufficient to update my routers and access points?
No! You need to update the Wi-Fi clients too. Communication between an updated router or access point and an insecure client is potentially still open to attack by an intruder. However, the intruder will not be able to hack into the actual network.
Does this make the use of Wi-Fi hotspots insecure?
No. Most hotspots work with unencrypted Wi-Fi connections, i.e. WPA2 is not used at all. When using hotspots, additional encryption, such as HTTPS or VPN, should always be used to secure the connection.
Is online banking etc. compromised?
No. Online banking systems in particular always use additional encryption layers that are not affected by the vulnerability. The same applies to connections secured via HTTPS, which are usually indicated by a green lock icon in the web browser, and to messenger services and similar applications that use end-to-end encryption. Web shops, too, always use encrypted connections for their transactions.
Has this vulnerability already been exploited?
No. According to the Wi-Fi Alliance, no attacks via KRACK have been reported so far.