Wi-Fi is a staple of the modern technological world. It links us and our devices together and makes connection smoother. However, it was recently discovered that an attack called KRACK, or Key Reinstallation Attack, can intercept data on WPA-2 and enable a hacker to transfer malware like ransomware into a device or system. WPA-2 is used in many Wi-Fi systems, including at the University of Alabama.
“The Key Reinstallation Attack is a vulnerability deep in the core of the WPA-2 protocol itself and affects both the wireless access devices and the clients trying to connect to those devices,” said Ashley Ewing, chief information security officer for the University’s Office of Information and Technology.
Like a leaky tire, KRACK will cause major problems for WPA-2 if left unchecked.
“If not patched, the vulnerability could allow attackers within range of vulnerable devices or access points to read encrypted and non-encrypted communications such as passwords, emails and other data,” Ewing said. “It could also inject malicious content into a website the client is visiting.”
Meagan Bennett, the marketing and communications manager for the Office of Information and Technology, argued that The University of Alabama’s WPA-2 system is not vulnerable to a KRACK attack.
“Anybody using WPA could be vulnerable to it,” Bennett said. “…The good thing is that The University of Alabama wireless network is not vulnerable to it. We keep up with our patches and our updates so our network is definitely safe from this type of attack.”
Ewing explained that the University patched all of its controllers and access points on Oct. 17. However, users should make sure they apply patches or updates as soon as they are available for wireless devices. The best way to avoid a KRACK attack is to regularly update devices to the most recent software.
“With WPA-2 there’s something called a four-way handshake … It’s like a World War II challenge code,” said Alexander Wilson, a junior electrical and computer engineering major and the SGA webmaster. “What happens in the KRACK attack, the third handshake from the router to the device is intercepted by something called a ‘man in the middle.’ It’s something in between the router and the phone that emulates being the phone.”
He compared this to a German soldier overhearing Americans issuing a challenge code and reusing it for themselves.
The limitation of the KRACK attack is that the attacker needs to be within range of a Wi-Fi system in order for it to take place. While the University has made a lot of progress in dealing with this attack, Android devices and Linux are still susceptible.
WPA-2 is still considered to be a better encryption, and the University will work to ensure that the KRACK attack does not pose a threat to students, staff and faculty, Wilson said.
“One of my best suggestions is to download a plug-in,” Wilson said. “There is a plug-in for Chrome and Firefox called HTTPS Everywhere … it would greatly improve security.”