KRACK–the vulnerability in the WPA2 security protocol proven this morning–is an interesting and amusing vulnerability from a technical standpoint and a great lesson in how our computer security is “dancing madly on the lip of a volcano”. It demonstrates a sober lesson for cybersecurity policy, showing just how tough seemingly “simple” security problems can be and how wide-reaching flaws can last unnoticed for years. But don’t buy into the hype: KRACK is a non-issue for the typical Lawfare reader’s day-to-day life.
Multiple protocols are used to generate a secure encryption key for a Wi-Fi network. We already knew that most common one, the Wi-Fi password, is insecure against a nearby attacker. A proximate attacker can listen for the “handshake,”–the agreement process between the access point and the client. Then, the attacker can use that information to launch a “brute force” attack, trying as many passwords as necessary until a check against the captured information shows the guess is correct.
So unless your Wi-Fi password looks something like a cat’s hairball (e.g. “:SNEIufeli7rc”–which is not guessable with a few million tries by a computer), a local attacker had the capability to determine the password, decrypt all the traffic, and join the network before KRACK.
KRACK is, however, relevant for enterprise Wi-Fi networks: networks where you needed to accept a cryptographic certificate to join initially and have to provide both a username and password. KRACK represents a new vulnerability for these networks. Depending on some esoteric details, the attacker can decrypt encrypted traffic and, in some cases, inject traffic onto the network.
But in none of these cases can the attacker join the network completely. And the most significant of these attacks affects Linux devices and Android phones, they don’t affect Macs, iPhones, or Windows systems. Even when feasible, these attacks require physical proximity: An attacker on the other side of the planet can’t exploit KRACK, only an attacker in the parking lot can.
KRACK is a bother for IT managers who have already taken pains to secure their Wi-Fi networks, where the Wi-Fi network is substantially trusted, the attackers can get close to the protected network, and where other, easier avenues are already closed. But for everybody else–it is a non-issue.
Of greater concern for most Lawfare readers is a completely unrelated vulnerability in Infineon smartcards. If you end up having a new CAC card, PIV card, Estonian Electronic-ID or similar smart ID card replaced in the next month or two, that is why.