Krebs Indicates KRACK Isn't So Bad
October 17, 2017
Fraudsters and hackers are stealing our data, our dollars, and our identities. The steady stream of news on this front, quite frankly, can sometimes be exhausting.
We need to protect ourselves. But no plan is foolproof. Regularly checking your credit score is important. But, wait, now the credit score company has been compromised.
So when I heard about one of the latest vulnerabilities – the WPA2 one – my heart sank. But then I researched it a bit more, and I felt a little better.
Here’s the deal. A guy named Mathy Vanhoef has found a flaw in the WPA2 Wi-Fi protocol. It’s a weakness related to the protocol’s four-way handshake.
Vanhoef and Frank Piessens explain, “the four-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already in use key. This is achieved by manipulating and replaying handshake messages.”
This kind of attack has been dubbed KRACK. And this kind of operation could allow hackers to decrypt network traffic to hijack connections and inject content into the traffic stream.
Here’s where the good news comes in.
Brian Krebs of Krebs on Security explains that KRACK attacks require bad actors to be within range of a signal between the end user’s device and the wireless access point providing it with Wi-Fi connectivity. He adds that most of your interactions, like interactions with your financial institutions, are probably already kept private using Secure Sockets Layer. And, he continues, those in the know held off on making the WPA2 vulnerability public until they had alerted Wi-Fi hardware vendors to the problem and the vendors had a chance to issue security updates.
“The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches,” Krebs said.
And he quoted this statement from the Wi-Fi Alliance: “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.”
Edited by Mandi Nowitz