When The Secure Becomes Unsecure: WiFi WPA2
The world we know is now more connected. With personal assistants gaining ground, more of our lives is connected wirelessly to the cloud. From our health data and home security to switching off lights, all our devices are now wirelessly connected with each other, and as a result our lives have become much easier.
Home wireless networks, our dear old WiFi, are commonly protected by the WPA/WPA2 standards. Even though loopholes have been found in WPA, WPA2 (WPA stands for WiFi Protected Access) has been considered the gold standard for WiFi security.
But what if WPA2 can be hacked?
A serious weakness has been identified in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept user data such as passwords, emails and other protected data.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The attack is found to be effective against devices running the Android, Linux and OpenBSD operating systems.
The weakness Vanhoef identified is in the WPA2 protocol’s so-called “four-way handshake.” That procedure determines whether a user attempting to join a network and the access point offering the network have matching credentials. It’s essentially an exchange that ensures the user knows the network password. The four-way handshake also generates a new encryption key—the third communication in the four-step process—to protect the user’s session. The newly discovered vulnerability, which Vanhoef calls a Key Reinstallation Attack, allows a hacker to tamper with or record and replay this third message, enabling them to reinstall a cryptographic key that’s already been used. That key reuse also resets the counters for how many packets, or bits of data, have been sent and received for a particular key. When these tallies are reset, an attacker can replay and decrypt packets, and even forge packets in some cases.
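To make the counter reset concrete, the following Python model is an added example, not code from the original article or from Vanhoef's research. The `Client` class, the `simulate` function and the SHA-256 toy keystream are assumptions made for illustration; the model shows how installing the same key again reuses a packet counter value, and how a client that ignores a repeated key avoids it.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for a per-packet keystream derived from (key, nonce).
    # Assumption: SHA-256 replaces the real WPA2 cipher to stay dependency-free.
    return hashlib.sha256(key + nonce.to_bytes(6, "big")).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of the client side of the four-way handshake."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.nonce = 0  # per-key packet counter

    def on_message3(self, key: bytes) -> None:
        # Hardened behaviour: a replayed message 3 carrying the key that is
        # already installed must not reset the packet counter.
        if self.hardened and key == self.key:
            return
        self.key = key
        self.nonce = 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

def simulate(hardened: bool):
    """Return (counter values used, whether both frames shared one keystream)."""
    key = b"constructed-session-key"                   # constructed sample value
    p1, p2 = b"frame one data..", b"frame two data.."  # constructed frames
    c = Client(hardened)
    c.on_message3(key)   # first delivery of message 3
    n1, c1 = c.send(p1)
    c.on_message3(key)   # message 3 seen again (replayed)
    n2, c2 = c.send(p2)
    # If the keystream repeated, it cancels out: c1 ^ c2 == p1 ^ p2.
    return [n1, n2], xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

In the unpatched run both frames are protected with the same key and counter value, so the keystream no longer hides the relationship between the two plaintexts; the patched client keeps counting and each frame gets a fresh keystream.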
How to protect yourself?
Enter your passwords only on websites that have a “green” secure HTTPS connection. An HTTPS connection between you and the web server ensures that the data cannot be read, as it is cryptographically encrypted.
Until device manufacturers patch the issue, all we can do is wait and see how it evolves.