Is the Krack attack back?

WiFi may be one of the greatest conveniences of the 21st century but, as is often the case, with great
convenience comes security implications. The dangers of using public WiFi have long been public knowledge, but there have also been concerns about the danger of the WiFi protocol itself. In particular, back in 2017 it was discovered that the WPA2 wireless protocol had a vulnerability which left it open to key reinstallation attack, commonly known as Krack. Vendors rushed to fix their products, but concerns have been raised that these purported fixes were not completely secure and that even the introduction of WPA3 will not entirely address the problem of Krack.

When security flaws are made public, even just within the IT industry, the associated vendors tend to fall over themselves in their haste to address them. This is natural, but it is not optimal. Ideally, vendors should put their solutions through rigorous real-world testing (or at least rigorous simulations of real-world environments) to ensure that it does actually provide sufficient protection.

Instead, what can (and often does) happen is that vendors come up with a solution that appears to address the security flaw and, not to put too fine a point on it, can be motivated to release that solution without asking too many questions about it so that they can honestly tell the (IT) public at large that they have fixed the reported issue. Recent findings from researchers at KU Leuven suggest that this was exactly what happened when the Krack vulnerability was first reported and that the patches created by many vendors only limit a network’s exposure to Krack rather than eliminating it completely.

There are two reasons why WPA3 is not likely to be a panacea for all WiFi ills. The first is that it will probably be rolled out slowly, meaning that it will be some time before its full influence is felt and, given the nature of IT, it’s entirely possible that some networks will be moving onto WPA4 before others have even migrated to WPA3.

The second is that the Wi-Fi Alliance has backtracked on its January 2018 announcement that there would be four new components to WPA3 certification and has instead only mandated one, with the other three being optional. The one it has mandated, the use of the dragonfly handshake, is a major step forward in security and should do a lot to help mitigate the risk of attack, but, it is not foolproof, as the researchers at KU Leuven have demonstrated.

In fact, very few security measures are foolproof on their own, which is why security experts tend to deploy a range of protective measures tailored to suit the situation. Ideally, therefore, vendors should voluntarily support the other three optional measures, but in reality, there is a distinct possibility that pressures of finance and time will motivate vendors to do the minimum necessary to achieve WPA3 certification, even if they know that this is compromising security.

The researchers concluded that the dangers are “not as serious” as the original attacks, however, they also highlight the importance of keeping on top of updates and of not getting complacent when it comes to resolving attacks like Krack.