Times are changing for mobile devices

Personal computers have fallen prey to cybercriminals from the moment we began connecting to the World Wide Web through the internet. And not much has changed. In fact, virus and malware infiltration into computer systems continues to prevail, as predators develop code that is smarter, harder to detect, and more difficult to eliminate. Simply put, the threat of cyber-attack is a reality that should never be downplayed.

Mobile devices such as iPhones, smartphones and tablets seem to be almost immune to cybercrime compared to their desktop counterparts. Some say the reason for this is that devices running Apple iOS, Google Android and other mobile operating systems are not as common as PCs. Moreover, smartphones and tablets tend to have a more robust and complex design than PCs. Hence they are resilient to cyber-attacks designed to raid apps and steal sensitive information such as passwords and credit card numbers. Apple’s authoritarian control over the apps that can and cannot be installed on its i-technology means devices such as iPads are not susceptible to breach. On the face of it, PCs remain the target for hackers … for now.

According to CTIA, a wireless technology association based in Washington D.C., incidents of malware and other forms of cybercrime affect less than 2% of the 140 million smartphones currently operating in the United States. That’s an impressive metric compared to, say, China, where the malware infection rate is in excess of 40%. So can we rest easy knowing that mobile technology is at the forefront of cybersecurity? Unfortunately not. Times are changing for mobile devices, and we need a wake-up call if we are to reduce the vulnerability of these technologies to attack.

Now KRACK in the news

Hitting the business and tech headlines right now is KRACK. No, it’s not a drug, but its effects on mobile device security are potentially as detrimental as any illicit substance. KRACK, an acronym for Key Reinstallation Attacks, enables cyber-crooks to exploit vulnerabilities in any device connecting to WiFi through a router. KRACK targets a serious flaw in the WPA2 protocol designed to secure wireless computer networks. As such, KRACK allows attackers within range of an access point or vulnerable device to ambush data assumed to be encrypted such as passwords, emails and social media postings.

WPA2 security protocol timeline

Before looking further into the implications of a KRACK attack and what you can do to avoid one, let’s take a brief tour of the history of wireless security protocols.

  • 1997: WEP (Wired Equivalent Privacy) is incorporated in wireless networks with the intention of providing the same level of data security and confidentiality as a wired network.
  • 2003: WEP protocol is replaced by WPA (WiFi Protected Access), a dynamic protocol using 128-bit encryption as opposed to the static, 64-bit encryption applied by WEP.
  • 2004: WPA is superseded by WPA2, a wireless protocol believed to be more secure than WPA, having enhanced encryption and the WiFi Alliance endorsement.
  • 2006: WPA2 certification is mandatory for all new mobile devices displaying the WiFi trademark.

Despite all efforts by the Wi-Fi Alliance to guarantee wireless data security, WPA2 has its shortcomings. The protocol is vulnerable to password cracking if user passwords are weak. Other flaws include data packet decryption and WPS (WiFi Protected Setup) PIN recovery by hackers. For those not in the know, the WPS protocol facilitates easy setup of home wireless networks without the hassle of entering long passphrases. In 2011 a grave security flaw was revealed in which a remote attacker could gain access to the WPS PIN and, by extension, the router WPA2 password within hours. To make matters worse, WPA doesn’t possess forward secrecy. In layman’s terms, this means that if a hacker detects the pre-shared wireless key, they are able to decrypt and encrypt all WiFi data packets – past, present and future.

As if password cracking and data interception weren’t enough to showcase the weaknesses of the WPA2 protocol, on the 17th October 2017, along came KRACK.

KRACK and the 4-way handshake

KRACK works by sabotaging the four-way handshake enforced when a client wants to join a WPA2-protected wireless network. The handshake confirms that the client and access point are using the appropriate credentials. KRACK targets the third step in the four-way authentication handshake. In this step, the encryption key can be sent several times. When an attacker collects and replays these transmissions, the protection that Wi-Fi encryption is supposed to provide breaks down. In essence, KRACK tricks the unknowing user into reinstalling an already-in-use key.

The knock-on effect is that the client is forced to reset packet numbers containing a cryptographic nonce (number used once) back to initial values. KRACK then forces the nonce, a single-use, random number used for protocol authentication, to be reused so that encryption can be bypassed. And this is when the trouble begins.
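The counter reset described above can be modelled in a few lines. This is an added example, not code from Mathy Vanhoef's report or from any real Wi-Fi stack: the `Client` class, the SHA-256 keystream (a stand-in for WPA2's AES-based cipher) and the sample frames are assumptions constructed for illustration. It shows a vulnerable client reusing a packet number after a replayed step 3, and a patched client refusing to reinstall the key.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the keystream WPA2 derives from (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    # Hypothetical Wi-Fi client model; `patched` selects the post-fix behaviour.
    def __init__(self, patched: bool):
        self.patched, self.key, self.packet_number = patched, None, 0

    def on_message3(self, key: bytes) -> None:
        # Patched: a retransmitted message 3 with the in-use key is not reinstalled.
        if self.patched and key == self.key:
            return
        self.key, self.packet_number = key, 0   # vulnerable path: counter reset

    def send(self, plaintext: bytes):
        self.packet_number += 1
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)

KEY = hashlib.sha256(b"constructed session key").digest()
P1, P2 = b"frame-one: hello", b"frame-two: world"   # constructed plaintexts

def run_session(patched: bool):
    client = Client(patched)
    client.on_message3(KEY)          # handshake step 3, first delivery
    first = client.send(P1)
    client.on_message3(KEY)          # step 3 delivered again (replay)
    second = client.send(P2)
    return [first, second]

def nonce_reused(frames) -> bool:
    numbers = [n for n, _ in frames]
    return len(numbers) != len(set(numbers))

def leaks_plaintext_xor(frames) -> bool:
    # Same keystream on both frames means ciphertext XOR equals plaintext XOR.
    return xor(frames[0][1], frames[1][1]) == xor(P1, P2)

if __name__ == "__main__":
    print([(p, nonce_reused(run_session(p))) for p in (False, True)])
```

With the vulnerable client both frames are encrypted under packet number 1, so the two ciphertexts cancel to the XOR of the plaintexts; with the patched client the packet numbers are 1 and 2 and nothing cancels.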

KRACK discovered

KRACK was discovered and given its moniker by security expert Mathy Vanhoef at a Belgian university. Mathy discovered the WPA2 vulnerabilities recently and issued a report on Monday, 17th October 2017 detailing his findings. Read some extracts from Mathy’s report to develop a better understanding of how serious this threat is.

KRACK and stolen information

“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”

KRACK and Wi-Fi networks

“The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

“If your device supports Wi-Fi, it is most likely affected. In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”

KRACK and Wi-Fi passwords

It doesn’t end there. Mathy’s report goes on to detail that the vulnerability affects most operating systems that you’ll be familiar with, including Android, Apple iOS, Linux, Linksys and more. Also, the attack does not recover your Wi-Fi network password, so changing it won’t prevent the attack.

KRACK and HTTPS

You may think that accessing only HTTPS-protected webpages will be a safe bet. Not true. If a site has not been correctly configured, an attacker using KRACK can manipulate the connection so that data is transmitted unencrypted instead of as encrypted HTTPS traffic. For example, a hacker will use an SSL-strip script which forces a secure website to downgrade to an HTTP connection. What does this mean to the likes of non-IT geeks? Simple: the vandal can then steal your account password when you log in on your Android device. Mathy has this to say about HTTPS protection:

“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS, Android apps, in banking apps and even in VPN apps.”

KRACK and operating systems

Mathy also reports that the WPA2 vulnerabilities permit cybercriminals to hit vulnerable access points and endangered computers, smartphones and tablets. Depending on the operating system used, this can be achieved with varying levels of difficulty and effectiveness. Linux and Android are at the forefront of susceptibility since wily attackers can effortlessly force network decryption on users in the blink of an eye. Luckily, the scenario for iOS and Windows is not as dire.

Has KRACK taken us to the eleventh hour of Doomsday regarding mobile technology? It hasn’t, so don’t panic. Next, you can assess just how vulnerable your devices are to KRACK. After that, decide what protection you can implement to avoid a KRACK attack.

Q & A: are you KRACK vulnerable?

Before contemplating your vulnerability to KRACK, here’s some good news to ease your nerves: In order for KRACK to decrypt your Wi-Fi security key, the attacker must be in range of your network. Simply put, your secure passwords and data are not suddenly exposed to everybody on the internet.

Going through this Q & A exercise will help to determine your own level of risk and consolidate your understanding of how KRACK operates.

Q: Is the data on my phone vulnerable?

A: No, the data stored on your phone is not in jeopardy. However, when you send information such as a credit card number, email or password via a Wi-Fi network, the data is at risk of being hijacked.

Q: Which devices are at risk?

A: Any mobile device capable of transmitting and receiving data over a Wi-Fi network is vulnerable. However, Mathy and his group of researchers believe that Android devices are at greater risk than their Mac or Linux equivalents.

Q: Is my router vulnerable?

A: No. KRACK targets Wi-Fi clients such as laptops and smartphones.

Q: Will changing my password help?

A: Unfortunately not. KRACK goes after the information that should be encrypted by your router. A hacker doesn’t need to crack your password to exploit your data. However, changing passwords should remain integral to your network and device security practices.

Q: I’m using Android Nougat. Is my device safe?

A: More bad news. Phones operating on Android 6.0 and Android 7.0 are actually more likely to fall prey to KRACK. These devices have an existing vulnerability in the WPA2 code making it easier for hackers to intercept and manipulate data traffic.

Q: Are my iPhone and Mac secure?

A: Safer than Android, but not completely safe.

Q: I use Windows 10 on my PC. There’s no problem there, right?

A: You’re fine as long as you install Windows updates. Microsoft has been pre-emptive and released patches on 10th October 2017; customers who have Windows Update enabled are automatically protected.

Q: I use Linux. Am I immune to KRACK?

A: Quite the opposite. Mathy and his research colleagues have uncovered that Linux desktop machines are the most susceptible to attack. Linux contains a similar bug to that found in the Android code.

Q: I use an old Wi-Fi enabled phone that no longer receives firmware updates. Does KRACK pose a threat?

A: Definitely. Outmoded technology that doesn’t get updates will remain vulnerable. Remember the golden rule: if it connects to the internet via a wireless network, it’s at risk. In this case, KRACK is warning you ‘out with the old and in with the new.’

Protect your devices against KRACK: patches and updates

You’re thinking: bad news, and more bad news. And it seems like there’s not much you can do to take control of the situation. Maybe not immediately. But the upside is that the technology giants have released, or soon will release, security patches that address WPA2 vulnerabilities.

Microsoft released a patch on 10th October 2017, a week before Mathy Vanhoef issued his report on KRACK. In their own words: “We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

From the Q & A analysis, it seems that Android and Linux users will be the hardest hit, where hackers have the potential to steal data and manipulate websites. Fear not. Google has promised to make available a fix for affected machines “in the coming weeks” and Google’s own Pixel devices will be patched on 6th November 2017. Other Android devices will have to wait longer. This is worrying since researchers have claimed that more than 40% of Android machines face an “exceptionally devastating” variant of KRACK.

Good news for Apple fans. The company has stated that all current iOS, macOS, watchOS and tvOS beta versions include a fix for KRACK. AppleInsider confirms that the fix will go public in a few weeks so iOS and macOS systems aren’t secure just yet.

Good stuff from Linux too: An upstream Linux patch is already available. KRACK-blocking patches and updates are also out for OpenBSD, Arch Linux and Ubuntu open source operating systems.

Mathy Vanhoef advises that you should update all your devices. If you have automatic updates enabled, you can check the system’s software updates tab in the Settings to see when the most recent update was installed.

Mathy also recommends updating the firmware of your router. We tend to be nonchalant regarding router updates, so log into your admin page and install any pending updates. Once this is done, continue to check back regularly; with the tangible threat of KRACK in sight, developers will be rolling out patches fast and furious. Netgear, Eero and Intel are among the networking providers that already have KRACK router patches available for updates.

For additional security, you can change the Wi-Fi password once your router has been updated. Do not switch to the vulnerable WEP protocol on your router until every device has been patched.

Take comfort in the Wi-Fi Alliance

So now you can sit back, relax and wait for the patches and updates. If you’re overcome by paranoia, then avoid using WiFi until your router is patched. Before you do this, read how the Wi-Fi Alliance has responded to Mathy Vanhoef’s disclosure of KRACK. After all, they’re the experts who gave the WPA2 protocol its solid reputation.

“This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”