Wi-Fi modules

On October 16th, Mathy Vanhoef and Frank Piessens have detailed their research on a major Wi-Fi vulnerability that could have huge implications.

Update: added new information based on disclosed vulnerability

Their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" will be formally presented on November 1st at the ACM Conference on Computer and Communications Security, but details on this vulnerability were publicly revealed on October 16th.

The vulnerability, called KRACK (Key Reinstallation AttaCK), is found within the 4-way handshake process which takes place when a device attempts to connect to a wireless network. This process involves generating unique single-use numbers to secure the connection between the device and the wireless access point. As it turns out, due to a weakness in WPA2, by repeatedly re-transmitting the third message in the handshake, an attacker can force this single-use number (called a nonce) to be reused, which may significantly weaken the encryption for traffic between Wi-Fi access points and devices connecting to them.

This vulnerability affects all versions of WPA2 security, including those using AES-CCMP. While some routers and other may receive updates against KRACK, many will be left unpatched.

Since this problem is bigger than just one individual router's WPA2 implementation, but is instead a flaw in WPA2 itself, it leaves many devices at risk – currently, most implementations of the protocol, especially on Linux and Android versions after 6.0 are vulnerable. Funnily enough, due to incorrectly implementing the standard, iOS and Windows, while still at risk, are less vulnerable.

So, what does this mean for you, the end user? Your Wi-Fi is now quite possibly just a few days away from being as secure as that open hotspot in your local coffee shop. A potential attacker, given enough time, will be able to eavesdrop on whatever is being sent on your Wi-Fi network and if your wireless network is using earlier versions of WPA, possibly even hijack connections – doing things such as inserting content on insecure websites. Your Internet of Things devices – things like smart cameras, smart lights, and so on – which are already known for being quite insecure, are now even more vulnerable, since even devices that were not directly connected to the internet may now be exposed to danger.


However, the future is not as bleak as you may think. If you are browsing websites that use HTTPS and HSTS, there is another layer of security in place, since connections between those websites and your computer are encrypted. More and more websites are using HTTPS, and as of January 2017, over half of web traffic on Google Chrome and Firefox is secured by HTTPS.

You should still be on the lookout for security patches for your router and other devices (especially IoT), since HTTPS is also not perfect, but a much more important step to take is to ensure that most of your traffic is secured – for example, even on your local network, try to use encrypted connections with strong passwords, such as SFTP instead of FTP, and SSH (hey Jailbreak users, you changed that default "alpine" password, right?) instead of Telnet.

More detailed information is available at the the website for the KRACK vulnerability, along with Mathy Vanhoef's and Frank Piessens' paper.

Special thanks to Philo