If you pay attention to what passes for “news” lately, you may have seen reports crediting Belgian computer security wunderkind Mathy Vanhoef with the discovery of a KRACK (Key Reinstallation Attack) vulnerability in the IEEE 802.11i-2004 standard’s Wi-Fi Protected Access II (WPA2) security protocol.
Vanhoef documents his “discovery” in Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, a research paper he wrote for presentation at the ACM Conference on Computer and Communications Security (CCS 2017) being held in Dallas, Texas October 30th through November 4th, and also via his website KrackAttacks.com. It’s worth noting, however, that KRACK exposes a defect in the WPA2 standard itself, and has therefore existed since 2004. That means other parties may have discovered the defect earlier and never disclosed it, in order to exploit it. This slide from a 2010 PowerPoint presentation suggests that the NSA may have been wise to KRACK years ago, but not surprisingly they deny that.
Either way, the KRACK in the WPA2 standard impacts every device and application that leverages Wi-Fi wireless networking technology – which means smartphones, tablets, notebooks, other computers, printers and other peripherals, routers and other networking equipment, TVs and entertainment gadgets, “smart” appliances, even automobiles – and all the communications and network traffic that passes between them. Exploiting this vulnerability, hackers might steal confidential information, redirect web page requests, inject computer viruses or other malware, hijack devices, or execute man-in-the-middle (MITM) and other cyberattacks.
A significant portion of Wi-Fi traffic placed at risk by this latest computer security nightmare is web traffic, i.e. information exchanged between websites or apps and their visitors or users. Perhaps that is why Vanhoef used a Match.com session to demonstrate the KRACK in WPA2. In this video he successfully executes a protocol-downgrade MITM attack which exploits the KRACK vulnerability to defeat the website’s SSL/TLS/HTTPS security and gain access to sensitive data.
In this tweet, Microsoft computer security expert Troy Hunt observed that “Match.com was the perfect site to demonstrate the KRACK Attack on – 6 redirects with 5 insecure requests & no HSTS anywhere!” HSTS is short for “HTTP Strict Transport Security”, an HTTPS deployment policy which guards against protocol-downgrade attacks: once a browser has received a site’s HSTS header over HTTPS, it refuses to send that site plain HTTP requests and upgrades them to HTTPS itself, so there is no insecure request for an attacker to intercept. Like many other sites “secured” by HTTPS, Match.com had not implemented HSTS prior to the embarrassment of Vanhoef’s demonstration – but you better believe Match.com has HSTS now!
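To make the “6 redirects with 5 insecure requests & no HSTS” diagnosis concrete, here is an added Python audit (not code from the original post, from Vanhoef, or from Troy Hunt) that walks a redirect chain, counts the plain-HTTP hops, and checks whether any HTTPS response carries a usable Strict-Transport-Security policy. The domain match.example and both chains are constructed for illustration, not Match.com’s real responses.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; a widely used minimum for a meaningful HSTS max-age

@dataclass
class Hop:
    """One response in a redirect chain (constructed for this example)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive; valueless directives map to None."""
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') if sep else None
    return directives

def audit_chain(hops, min_max_age=ONE_YEAR):
    """Measure downgrade exposure: how many requests go out over plain HTTP,
    how many redirects a visitor passes through, and whether a usable HSTS
    policy is ever delivered over HTTPS (browsers ignore HSTS sent over HTTP)."""
    insecure = [h.url for h in hops if urlparse(h.url).scheme == "http"]
    redirects = sum(1 for h in hops if 300 <= h.status < 400)
    hsts_ok = False
    for h in hops:
        value = h.headers.get("Strict-Transport-Security")
        if value and urlparse(h.url).scheme == "https":
            max_age = parse_hsts(value).get("max-age")
            if max_age and max_age.isdigit() and int(max_age) >= min_max_age:
                hsts_ok = True
    return {"redirects": redirects, "insecure_requests": len(insecure), "hsts": hsts_ok}

# Constructed chain with the pattern Troy Hunt described: six redirects,
# five of them answered over plain HTTP, and no HSTS header anywhere.
WEAK_CHAIN = [
    Hop("http://match.example/", 301),
    Hop("http://www.match.example/", 302),
    Hop("http://www.match.example/home", 302),
    Hop("http://www.match.example/home/", 301),
    Hop("http://www.match.example/index", 302),
    Hop("https://www.match.example/index", 302),
    Hop("https://www.match.example/", 200),
]

# Hardened chain: one redirect straight to HTTPS, with a one-year HSTS policy.
HARDENED_CHAIN = [
    Hop("http://match.example/", 301),
    Hop("https://match.example/", 200,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
```

Even the hardened chain shows one plain-HTTP request: the very first visit, before the browser has cached the policy, which is the gap HSTS preloading closes.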
Have you protected your website and its visitors by deploying HSTS? If your website is a speedy secure responsive web design (SSRWD) by WLWeb.US, then YES you have. Here are some Brewster County examples:
Have you deployed HTTPS without HSTS, or are you still serving your site over plain, unencrypted HTTP? If so, then your website and its visitors are especially susceptible to an MITM attack exploiting the WPA2 KRACK vulnerability. Here are some Brewster County examples:
The protection HSTS adds on top of HTTPS encryption is powerful, but it is not a cure-all for KRACK: You should also apply all KRACK-related hardware upgrades and software updates as quickly as your Wi-Fi technology vendors provide them. And adding the HTTPS Everywhere extension to your web browser is a little thing that can go a long way towards protecting you. The takeaway is this:
KRACK does not affect HTTPS traffic – but HSTS is the only way to guarantee that all your website traffic is HTTPS.