It is considered stronger and more reliable than its predecessor, and is essentially in universal use around the world. For enterprise Wi-Fi deployments, Ubiquiti noted that UniFi access points on firmware 3.9.3 and above are not affected by WPA2 key issues, but that fast BSS transition is still affected, though that feature is in beta. He also suggested that "it's likely" that users' protocols don't rely exclusively on WPA2 encryption, meaning that information sent over the network is not automatically in jeopardy.
The KRACK exploit could affect any device that uses Wi-Fi.
"WPA2 is now the recommended option for securing your Wi-Fi network; the flaw, if successful, and if you're not using any other advanced features (VPN, encrypted data, etc.), could enable a hacker to eavesdrop on your data and/or possibly gain access to any unsecured shares available on the same network," says Mark James, Security Specialist at ESET.
Currently, over two-fifths (41%) of Android devices are vulnerable to this kind of attack.
As a proof-of-concept, Vanhoef has published a demonstration of how a key reinstallation attack might be carried out against an Android smartphone.
The flaw is also present in the earlier WPA security protocol, and with any encryption suite, including WPA-TKIP, AES-CCMP, and GCMP. It will install this key after receiving message 3 of the 4-way handshake. Hackers can even decrypt the data that is sent from the server to the access point or the user. In a test run demonstrated on video, researchers were able to attack an Android device, exposing all of the victim's transmitted data. IP packet headers, in turn, provide exactly that.
An attacker may be able to do things like redirect traffic on a Wi-Fi network or even send bogus data in place of the real thing.
They call the vulnerability a "serious weakness" through which hackers can "read information that was previously assumed to be safely encrypted". The problem is made worse by Android and Linux, which don't force the client to demand a dedicated certificate. This means that wireless internet traffic could be vulnerable to eavesdroppers and attacks. In short, it allows an attacker to intercept and read sensitive data being transferred over the network. He says each vulnerability represents a unique key reinstallation attack and that many vendors' products will be vulnerable to multiple CVEs. Therefore, if your device supports Wi-Fi, it is most likely affected. Fortunately, these key reinstallation vulnerabilities can all be fixed in a backwards-compatible manner, and the Wi-Fi standards are expected to be updated to require defenses against key reinstallation attacks.
Security researchers have now released details regarding the vulnerability in the Wi-Fi authentication protocol, and it appears the issue is mainly at the client rather than access point level.
OpenBSD has silently patched the vulnerability.
After verifying the Wi-Fi password for the network itself, the encryption key for the session is negotiated. It allows an attacker to remotely extract decrypted data from a protected Wi-Fi network without knowing the password.
The flaw is not in the cryptography underlying WPA2 or its predecessor, WPA.
This is also not the first widespread security flaw affecting common network infrastructure to have been disclosed recently.
"The easiest way to protect yourself is to use a Virtual Private Network (VPN)", continued Migliano. The severity of these bugs ranged from denial of service to remote code execution and affected both the DNS and DHCP functionality of DNSMasq.