KRACKs and ROCA security protocol vulnerabilities: routers at risk
WPA2 (Wi-Fi Protected Access II) was considered to be a secure Wi-Fi encryption suite for around 13 years. It became an industry and home standard. As recent history tells us, there is nothing 100% hack-proof.
Very recently a research group has detected a critical vulnerability in the WPA2 protocol called KRACKs (Key Reinstallation Attacks). It should be stressed that *most* of modern Wi-Fi networks are vulnerable to this attack.
How severe could it be? The vulnerability could be critical. Personal data such as credit card information, passwords or your activities online could be at risk.
“During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks,” – notes Mathy Vanhoef, a researcher who discovered the vulnerability.
As the proof-of-concept demo below shows, various operating systems could be deceived to use a known (i.e., not secret) encryption key. That could be used to decrypt your internet traffic, including sensitive information. Although the fact that most of the sensitive data is transferred via a safe and encrypted HTTPS is soothing, there is plenty of information (especially coming from the IoT devices) that could be extracted from the unencrypted traffic.
Moreover, as demonstrated by the video, it is possible to use advanced techniques, tap into the HTTPS stream, and reveal encrypted data.
What could you do to protect your data?
- Do not connect to unsecured public wi-fi spots;
- Start using VPN if you haven’t got one already;
- Only visit secured websites (the link will start with HTTPS://);
- Check this list of affected vendors. Contact your vendor for specific information if your devices are vulnerable;
- Update the firmware of your router;
- Update your devices (including smartphones) as soon as the patches are released. Microsoft and Apple have already done it;
- Use strong wi-fi passwords and passphrases as an additional precaution after updating the firmware – this will not fix the vulnerability.
Read more about how the vulnerability was discovered here.
UPDATE: ROCA vulnerability, worse than KRACKs
Companies like Microsoft, Lenovo and Google, are warning their clients about a similar security vulnerability ROCA. It’s called worse than KRACKs and could impersonate an RSA key owner, decrypt data, inject malware or in other ways breach personal and financial data.
Mostly it’s related to the internet privacy. To understand this better, you need to know the fundamental principle of how you use the internet. You either get data transferred to you (i.e. when you visit a website), or you transfer your data (ie. when you send out a message on social media).
Usually, both of these transactions are cloaked by an additional layer of security, called Secure Socket Layer (SSL).
To put it simply, when using SSL, the data directed towards some recipient is encoded using recipient’s public key. Yes, this key is public and anyone could acquire it. However, if one wants to decode the message, he must possess a private key. It is the key that you want to keep secret.
These two keys are related: the public key could be derived from the private one, but not vice versa. This ensures security elegantly: your messages are scrambled-up and only you can decipher them.
However, it was discovered, that private-public key pairs, generated by Infineon’s Trusted Platform Module, a microchip dedicated for cryptography, are not secure. It is possible to acquire the private key by having knowledge of the public key only.
This vulnerability would allow hackers to use public information to get the private key and decrypt the data that you want to communicate.
Meaning that instead of safely chatting or sending emails, you show your messages to anyone who has cracked the key. That is why this security vulnerability is way potentially way more problematic than the first one.
Also, this vulnerability can be used globally, all the way across the internet, while KRACKs has a local scope only. However, it should be noted that computing a standard private key would take ~100 days on a usual PC while cracking a secure key would take up to 150 years.
The companies that were possibly exposed to this vulnerability all say that they patched their products. Make sure to update your devices one more time.