Cadzow Knowledgebase

KRACK: Yet Another Article

KRACK (Key Reinstallation Attacks) is a vulnerability in the WPA2 (Wi-Fi Protected Access II) algorithm used to provide access to wireless access points by devices such as computers, smartphones and printers. The vulnerability relates to the ability of an attacker to view, change or fake information on a network.

Information

KRACK was discovered by Mathy Vanhoef.

Main KRACK Site

A dynamic list of vendors and affected devices

Further vendor information

Risk

At the time of discovery, KRACK is a concerning vulnerability, partly because it is a flaw in a fundamental algorithm and partly because WPA2 is so widely-used, across virtually every router, wireless access point and device. Additionally, even with widespread updating of affected devices, there will be many affected devices in the wider ecosystem for many years, because many devices will not receive updates due to vendor or end-user inaction.

However, the risk to individuals will be low:

It requires physical proximity to the wireless access point, and can't be exploited remotely;

It is difficult to exploit and requires sophistication by the attacker;

Most modern client devices such as Windows workstations, iOS (iPhone/iPad) and Android have been patched; and

Virtually all important traffic is encoded with https anyway, so that information can't be intercepted or modified even after a successful attack.

Businesses will need to consider their risk to targetted attacks. For example, unpatched devices may be considered a low risk in some environments, but businesses sensitive to the possibility of an attack may decide to dispose of all vulnerable network hardware and replace with non-vulnerable hardware.

What To Do

For Windows 7 and above, and Windows Server 2008 and above, fixes were included in the October 2017 security updates.

iOS 11.1 contains the fix.

For routers and wireless access points, some vendors will release firmware updates and some won't. Some updates will install automatically, and some won't. How this plays out is yet to be seen. As of October 2017 there is very little to be done to network devices as vendors must develop their response.

Equally, for any other wifi-connected device, check vendor website for responses.

Other Information

Netgear Response

Copyright © 1996-2023 Cadzow TECH Pty. Ltd. All rights reserved.
Information and prices contained in this website may change without notice. Terms of use.
Question/comment about this page? Please email webguru@cadzow.com.au