PSA: Severe Vulnerability in All Wi-Fi Devices
This is a public service announcement (PSA) from the Wordfence team regarding a security issue that has a wide impact.
Today is being called “Black Monday” in many information security circles. We have had a major Wi-Fi vulnerability announced that affects absolutely every device that supports Wi-Fi. The vulnerability allows attackers to decrypt WPA2 connections. A second vulnerability also emerged today, and we will cover that at the end of this post.
The Wi-Fi vulnerability is being called “KRACK”, which is short for Key Reinstallation Attacks.
I’m going to cover the problem in relatively non-technical terms in this post so that you are able to clearly understand how this affects you and what you can do about it, right now.
Once you are done reading this, I strongly recommend you spread the word, because this Wi-Fi weakness can allow attackers to crack WPA2 which was previously thought of as a secure Wi-Fi encryption protocol.
The WPA2 Wi-Fi Vulnerability
WPA2 is a protocol that secures all modern protected Wi-Fi networks. According to statistics by Wigle.net, it secures 60% of the world’s Wi-Fi networks.
Researchers at KU Leuven, a university in Flanders in Belgium, have discovered a way for an attacker to read sensitive information that is sent over a Wi-Fi network using WPA2.
Attackers can use this to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and more. The attack works against all modern protected Wi-Fi networks.
It may also be possible for an attacker to inject malicious information into the Wi-Fi network. This could include ransomware and malware.
The vulnerability is in the Wi-Fi standard itself, and not in individual products or their implementations. That means that all products that correctly implement the WPA2 standard are affected.
If your device supports Wi-Fi, it is likely affected by this vulnerability.
Products that are known to be affected by this at this time include Android, Linux, Apple, Microsoft Windows, Linksys and more. The list of affected vendors is enormous, and vendors including Amazon, Cisco and Netgear are scrambling to release patches to fix this issue.
BleepingComputer has compiled a running list of vendors that will be growing over time as more information about patches becomes available.
You can find out the technical details on the KRACK attack from the researchers themselves at krackattacks.com. This includes an academic paper and demonstration video, shown below:
What to Do About the WPA2 Vulnerability
This affects every device you own that uses Wi-Fi. If your device uses public Wi-Fi, you are at higher risk. The vendors that make your products are working on patches which they will release in the coming days. As they release the patches, you will need to update your devices and hardware.
The good news is that this vulnerability does not require you to replace any hardware. It is fixable through a software update.
The devices and hardware you will need to update, once patches are released, include the following:
- Desktop workstations
- Mobile phones
- Tablets and e-readers that use Wi-Fi
- Home and office routers
- Home devices like NEST, Amazon Echo and Google Home
- Printers, both home and office, that use Wi-Fi
- Any other device that uses Wi-Fi
You should prioritize devices that use public Wi-Fi higher than your other devices. This puts mobile phones and tablets at the top of the list.
How to Stay on Top of Updates
Your desktop, mobile and tablet devices will prompt you when an important security update is available. Many may update automatically. Most devices also provide an option to manually check for updates. We recommend you do that periodically this week so that you catch any updates as soon as they are released.
For routers, printers and other “Internet of things” devices, you may have to sign into the device to manually update the device “firmware.” For routers, you can contact your Internet service provider for help if you are unsure how to update. You may need to consult the manual of other devices or do a Google search to learn if they are affected.
Another vulnerability known as “ROCA” was also announced today. This vulnerability involves an attack on public key encryption which may weaken the way we authenticate software when installing it. It affects many other systems that rely on public/private key encryption and signing. Fixing this also requires you to update your devices using vendor-released software updates, so keep an eye out for security updates for your devices and workstations that fix any ROCA-related issues.
The combination of KRACK and ROCA is why we are referring to today as “Black Monday.” These are both severe vulnerabilities, and they emerged on the same day.
It is imperative that we get the word out about these vulnerabilities so that our friends and colleagues can update their devices before they are exploited. Please spread the word.
How can I update my wifi system?
You can usually do this by visiting http://192.168.1.1/ or http://192.168.0.1/ and signing in. From there, you should be able to update your WiFi router firmware.
What do those two IP addresses direct to? I can't tell if they are taking me someplace safe as they are reported as Private on Whois.com and IPChecking.com.
Unless I can tell where I'm being directed no go.
One of those is the IP usually used for your router.
My broadband/wifi supplier, here in the UK is EE but when I contacted them about updating my router with the necessary patch, they were totally clueless!!! Told me to 'reset my router'. Duh?
Would this impact information sent via a secure https connection? Or only information sent via an http form?
Not necessarily. If your connection stays HTTPS you will be secure. The problem is that this vulnerability lets an attacker downgrade your connections to non-HTTPS connections.
I suggest you watch the demo video I included above. (I added it a few mins after we sent the email alert). It demonstrates a technique that allows an attacker to use a tool called SSLSTRIP to re-route your connection to a non-secure server. Unless you actually notice that your connection is no longer HTTPS, you may fall victim to this.
That is why this vulnerability in WPA2 is so bad. It lets an attacker manipulate your traffic to force you into using non-secure application layer protocols.
If using public WiFi, would using a VPN mitigate the risk associated with this vulnerability?
It may, but as I noted in my comment to Luke, an attacker can manipulate your traffic and so may be able to downgrade certain connections, like HTTPS. This may include your VPN connection, although I have not seen this demonstrated.
It's out in the open now, so time to patch our devices. Good luck if you're on Android though, where carriers and hardware makers are simply not invested in keeping their products patched.
My Mi Pad 3 is still stuck on the Android Security Patch from March. This is a current generation device that is not receiving security patches. At least you know Apple will roll out patches for iOS, which devices up to 5 years old will receive.
As for IoT devices, 'smart' TVs, printers and so on... better disable wifi, because they are never going to be patched.
Not disagreeing with any of this. The situation is dire.
If you update all the WiFi routers in a home/office, would that protect the IoT devices connected via WiFi in that home/office?
See my reply to Tom. I would guess, yes. But again, the patches are not out yet, so there has been no time for analysis to determine if that is true.
It's not clear if this will require a client and AP update or just one of them to be updated to protect against this.
So let's say I update my cell phone with a patched operating system, but I go to a coffee shop whose wireless router has not been patched. Would my phone still be vulnerable if I connect to their router?
Probably not. But the patches have not yet been released, so researchers have not had a chance to analyze that, yet.
Sorry for what may be a dumb question. Why should I be concerned about the security of my wifi printer. I live in a single family house in a residential neighborhood. Are you saying that a hacker could intercept my data between my laptop and printer and then reconstruct and print the contents of that printed document on their printers?
Exactly that. They don't even need to re-print your data. They can just read the contents of everything you print using this attack.
Clarification please, does this attack only work when in range of the WiFi signal, or can this attack be performed without having to use the WiFi signal?
Sorry Mike, but I can't confirm that you're fine with an unpatched device that is not connected to anything. I think this relies on a wireless client and server, both using WPA2, but there may be an attack vector that can be used for a single device that I'm not aware of. I recommend patching everything you can.
Let's assume for a moment that there are two devices connected to a public wi-fi. Both device A and the wireless router have received the patch. However, device B has not been updated or no update is available. Would device A still be at risk, due to the network being exposed?
Eric I'd say with a high degree of certainty that Device A and the router will be fine in this scenario.
I purposefully do not use any appliance or item that requires Wi-Fi, because I knew this would happen. My printer is usb, no Nest, no garage door opener, no refrigerator to tell me my wine is cold enough. We are getting lazy and stupid buying all these wifi products and therefore will be needlessly vulnerable. My IP company provides the modem, I will forward this on to them. Thanks for the info Mark.
You are most welcome Sara.
Thanks for the heads-up! I see that the regular news outlets are jumping on this - though they ignored BlueBorne.......
Yeah, this is going to be headline news on the major news outlets tomorrow.
According to TechCrunch, an attacker would need to be within range of a person logged onto the target wireless network in order to use this exploit. Do you concur?
Yes. I'd refer you to the video and research paper and website we linked to. That is the source that news outlets like TC and others are quoting.
To quote this article, "The good news is that this vulnerability does not require you to replace any hardware. It is fixable through a software update."
Those who have older devices that are no longer supported or eligible for firmware updates WILL have to replace hardware to be protected, yes?
I'd say yes. If updates aren't available you're going to have to replace.
My husband's computer is wireless. Mine is not but the household Wi-Fi is connected to my computer and his reads from mine. We do have an AT&T router modem combined. However, my business serves as the webmaster for several local non-profit groups which are hosted by other companies, not mine.
I've tried the updating of the wi-fi system posted above. But the system timed out before anything could open. How worried should I be?
All computers, tablets, smartphones & the new Samsung Smart TV work off the same wi-fi.
Everything using your wifi needs to be updated, including the access point itself. Wait for vendor updates and apply them.
Thanks for this information received this evening (UK). I've forwarded it to my broadband supplier and await an answer. Hopefully there will be a reply from them tomorrow morning!
They'll probably have an update soon. This is a big story.
Thanks for the heads up! On campus APs on a central controller, do both (APs and controller) need to be upgraded or just the controller?
Depends on the system. Ask the vendor.
Thanks for the information.
Just to be clear...assuming I'm on a private network, let's say I used my phone to hotspot my laptop and only the two are connected, am I still vulnerable to this attack?
Anyone within range can monitor your traffic and interfere with it using this attack. Unless you're at home and home is far away from everyone else, you're vulnerable.
It's a small consolation in the short run, but I'm thinking about the chance of being attacked, bearing in mind the number of likely attackers versus the number of targets.
Time to dust off that box of old CAT5 cable I guess lol. Thanks for posting this. Glad someone out there has our backs.
I have the Netgear WNDR3300 as an AP and so far Netgear has issued a handful of patches but not that model. This AP is hard wired to the AT&T uverse router. Will I need to install an update to the AT&T router? I suppose I could replace the AP switch to a one that has been updated for this patch.
Also my Galaxy note 4 is not offering any system updates at this time, wonder if Samsung will offer a fix for this to phones that old!
My guess is you'll see a LOT of android updates to fix this. Android specifically is very vulnerable to this attack. Not sure about your AT&T hardware - I'd contact the vendor.
Good news for me, I guess:
Awesome, thanks for sharing.
Can you use MAC Address Filter option on your router and just put in the devices that you use and their MAC Addresses and then that would block out any hackers, right? This would be a temporary solution until the patches are available, right, Mark?? I figure you could use this feature on newer hardware. It takes longer but at least you would be protected somewhat, right? Or can the attacker still exploit this?
Ha! Great question Kris. I don't think that will work. Your MAC filter prevents unauthorized hardware addresses from connecting to the network.
If you watch the first three quarters of the video, you'll see they are getting the victim (android device in this case) to connect to a malicious network.
They then give the victim access to the Internet but they man-in-the-middle their traffic and use a weakness to decrypt the data.
So the victim actually isn't even connected to your router with MAC address filtering enabled. They're connected to a malicious network that sees all traffic in and out and can decrypt the WPA2 encrypted packets.
One last scenario, if I do not broadcast my SSID at home and it is not discoverable to any wifi devices but my own devices, will this give me some protection since the person would not know the SSID for the wifi connection?? Or is it best just to cut off my wifi connection and run wired only? Thanks.
Even if you aren't broadcasting your SSID, your network can be discovered, as can your SSID. See: https://www.acrylicwifi.com/en/blog/hidden-wifi-network-secure-hidden-ssid/
I would not advise getting rid of Wi-Fi. Just secure it when updates are released.
Thanks WordFence folks. Reading everyone's questions and Mark's answers has been good learning for me. We are taking steps to patch everything. We are building a house and all of our devices will plug in. Wifi will be for visitors. Crazy world it's getting to be.
Thank you. Don't lose faith in Wi-Fi. These things happen and will happen again. As with all other software and products that you use, you will need to keep everything up-to-date in real-time in this brave new world we live in.
Maybe we all need to add a "patch Tuesday" to our lives. If it's Tuesday evening, you update everything. Weekly routing.
Many thanks. Though you tried to be as simple as possible, I'm kind of unable to connect. I've got a mobile wifi device...are you saying that device is at risk or my devices I connect to it and by default my data and information are at risk by virtue of my continuing connection or what? Kind regards.
Update anything that uses Wi-Fi or provides Wi-Fi as soon as updates are released. If you don't, you may get hacked. That's about as simple as I can make it.
Another reason to blow away factory firmware on your WiFi routers and replace it with DD-WRT. Patch released 13 hrs ago.
Awesome. Thanks for sharing that Kevin. In case the rest of the folks here are curious, DD-WRT is custom firmware you can get for your router. It provides a bunch of additional features. Some of the vendors have now incorporated the features that DD-WRT lead with, but it still is pretty awesome. I ran it for a while and loved it.
More info: http://www.dd-wrt.com/site/index
Ubuntu issued an updated wpasupplicant as well a few hours ago for Ubuntu Linux. Guess all linuxes and the like should be safe now if you are running a supported version.
Does this affect the use of bluetooth hotspot? Or just WIFI?
Just 802.11X WiFi and the WPA2 standard. Bluetooth is a different standard. It is 802.15.1.
Will hardened website security headers prevent an https connection from being downgraded? Particularly thinking of HSTS, X-XSS-Protection, and Content-Security-Policy, but potentially also X-Content-Type, X-Frame-Options, and Referrer-Policy?
HSTS protects against SSLSTRIP, so yes, if you have that set up on a website that the victim is using, their connection will not be downgraded.
Keep in mind though that you're just protecting against one way of leaking data over a (now) unencrypted connection. Lots of other leaks and possible downgrade attacks are feasible. The root cause needs to be fixed and that is the fact that WPA2 can be defeated through exploiting KRACK.
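As an added example (not part of the article or of the comment thread), a small Python check of the HSTS header Mark mentions: it parses a Strict-Transport-Security header and flags the settings that would leave returning visitors open to an SSLStrip-style downgrade. The header sets at the bottom are constructed samples; to use the check for real, pass it the response headers of a site you administer.

```python
"""Check a server's HTTP response headers for an HSTS policy strong enough
to stop an SSLStrip-style downgrade of returning visitors.

Added example, not Wordfence code. The header sets at the bottom are
constructed samples; pass real response headers to check_hsts() to use it.
"""
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # max-age commonly recommended for HSTS


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax)."""
    policy = HstsPolicy()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.findings.append("max-age is not a valid integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def check_hsts(headers: dict) -> HstsPolicy:
    """Evaluate the headers of an HTTPS response; empty findings means the
    policy blocks the downgrade for any client that has already seen it.
    HSTS is trust-on-first-use unless the domain is on the preload list."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        policy = HstsPolicy()
        policy.findings.append("no Strict-Transport-Security header: "
                               "returning visitors can be downgraded")
        return policy
    policy = parse_hsts(value)
    if policy.max_age is None:
        policy.findings.append("missing max-age: browsers ignore the header")
    elif policy.max_age == 0:
        policy.findings.append("max-age=0 clears the policy instead of setting it")
    elif policy.max_age < ONE_YEAR:
        policy.findings.append(f"max-age {policy.max_age}s is short; "
                               f"one year ({ONE_YEAR}s) is the usual minimum")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains absent: subdomains stay downgradable")
    return policy


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security":
                      "max-age=31536000; includeSubDomains; preload"}
NO_HSTS_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in [("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS),
                        ("none", NO_HSTS_HEADERS)]:
        result = check_hsts(hdrs)
        print(label, "->", result.findings or "OK")
```

A clean result only protects browsers that have already visited the site over HTTPS once; a first-time visitor on a hostile network is still exposed unless the domain is preloaded.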
Is there a safe way/online tool to check if the router has been patched correctly? A tool that can safely connect to the router and check if everything's ok.
Thanks in advance.
Not that I'm aware of.
Does this vulnerability affect WPA2 Enterprise? Mainly concerned about corporates that authenticate using an LDAP server.
It appears that WPA2-enterprise is also affected. Enterprise provides for a central authentication mechanism like LDAP or RADIUS. The vulnerability exploits the way encryption is set up and in both enterprise and regular WPA2, the encryption session setup uses the same 4 way handshake. So yes, WPA2-Enterprise is also affected.
More info: https://security.stackexchange.com/questions/171451/is-wp2a-enterprise-affected-by-the-krack-attack
Thank you, Mark.
"Another vulnerability known as “ROCA” was also announced today. This vulnerability involves an attack on public key encryption which may weaken the way we authenticate software when installing it."
Interesting ramifications for the process of upgrading software to protect against the vulnerability.
Are mobile phone cell networks similarly affected?
Mobile phone networks are not affected directly by the KRACK vulnerability. There may be indirect implications through the ROCA vulnerability, but none that I'm currently aware of.
I would assume that if an attacker is running wireshark on my network via a wireless connection that packets from devices that are wired to the network will be visible as well?
You've asked a fairly specific question. Let's assume that they have not exploited your network using the KRACK vulnerability.
If someone is running wireshark on your wireless network, they will capture WPA2 encrypted wireless frames which won't be that useful.
Whether they see traffic from your wired network depends on how your home router works. (Note that even if they see packets from your wired network, they will also be WPA2 encrypted) If it is a switch, then it will route frames directly to each port and won't broadcast anything. If it is a hub, but has a bridge between the wireless and wired network, then they also won't see any wired packets. But if it is a fairly unintelligent device and treats the wireless and wired segments as a single collision domain and routes everything between them, then yes, they will see packets from your wired network.
I'm speculating, but I think most routers these days will either be a switch or have a bridge function so you won't see any traffic from the wired network on the wireless segment.
I started this based on the assumption that you have not been exploited with KRACK, just to keep things simple. I think you can use the above to extrapolate what will happen if you have been exploited. Again, it depends on how your router behaves. But if your router is putting wired traffic on the wireless network, then KRACK allows the attacker to unencrypt those WPA2 frames and see that traffic.
I think WPA3 should be released to fix this. Otherwise one will never clearly know if a given wi-fi radio interface has been patched or not. I know this comes with a cost, but it would clear up this in a very clean way.
I also think a WPA3 would make the scenario more transparent.
Congratulations on your excellent information work on these important safety issues.
If I have my phone's hotspot and my wifi router to only allow select MAC addresses to join my network will I still be vulnerable?
Yes. See my reply to another commenter.
I have a Netgear Nighthawk and reading the security update on their site today, I think they are saying that the vulnerabilities only apply if the router is in "bridge mode" which they say is not the default. Does that mean that this warning doesn't apply if my router is in "router mode" and not "bridge"? Thanks for clarifying!
That doesn't make sense to me. Can you provide a link?
Maybe this explains all of the leaks emanating from the White House :)
Thank you for this post!
I have a question. If I patch, for example, my computer OS (Windows) but I have a printer that is not patched.
Can an attacker sniff the traffic from my computer to the router using the printer's vulnerability?
Or when you have a patched device, can those communications not be tracked even if you have other vulnerable devices in your network?
This vulnerability is exploited by having the target computer/device connect to a malicious network. So they would have to have both your printer and computer connect to their malicious network and then monitor traffic between them. If they just connect your printer to the malicious network, it becomes unavailable to your PC unless that is also connected. If you have updated your PC, it won't be connected to the attackers network, so no traffic will be reaching the printer.
There may be other ways to exploit your printer though, so I recommend updating everything.
I have three Asus wireless routers (two RT-AC87U and one RT-AC66U). I have been looking for a new/recent firmware upgrade for these devices for two days now. There are no upgrades. Same goes for my two wireless HP printers. I have not seen any messages about upgrades (for this problem) from Microsoft or Samsung (mobile phones, TV). Are you sure that the big/major players in the IT business really recognize the WPA2 problem?
They have to actually write the code, get it through QA and then hand it to operations to release it. This takes a bit of time.
Thanks, as always, for the great blog content.
My WiFi router tells me that it is in WPS mode. Does that mean that I'm safe?
WPS is used for WiFi configuration. It is not a network encryption protocol like WPA2.
People are blowing this vulnerability way out of proportion. Yes, it is a big deal because it affects anything using the WiFi standard. But, it really isn't a big deal because the access granted by this vulnerability is marginal at best.
1. If someone uses this vulnerability they have the same access they would have if they were sitting in a coffee shop on the open WiFi. If you are browsing a website over HTTPS they won't be able to see any of that information. If you are using a VPN to connect to work, they won't be able to see that traffic.
2. They have to be LOCAL to your WiFi meaning they have to be in the few hundred feet around your WiFi signal to be able to do this with conventional hardware. If someone is using this on you, they are targeting you. They didn't just randomly find you out of the blue.
3. They can only do it to one WiFi access point/client at a time. They can't just scan WiFi networks and get on all of them. This exploit would be limited to a single network.
4. US CERT knew about this vulnerability months ago and notified vendors to get the patches out before the information was released.
5. Microsoft issued a patch for Windows last month and MacOS is releasing a patch shortly, Intel has released a large number of patches for some of the most popular chipsets used in laptops. Google has released a patch for Android, but it depends on your service provider when you will get it.
6. If you are using the modem/WiFi device provided by your cable/internet provider, firmware updates for these are most often pushed automatically from the provider. Many won't even allow you to update the firmware.
7. This attack has not been seen in the wild.
8. The WiFi standard has already been updated so future products will already have the fix baked in.
So, if you use proper internet hygiene and are careful of what information you put on the wire, this vulnerability should not affect 90% of the internet users out there. This vulnerability is too localized for the typical malicious actor that is looking to monetize accesses. This would only be used in the case of someone trying to gain access to a specific person's network and even then, they would have to have another exploit to use to gain access to anything of interest.
I think it is you who are trying to blow this out of proportion, in that you are trying to minimize a very real and widespread privacy threat.
What if I could get the key to almost any door, simply by parking down the street and running a simple piece of attack software?
But I am not surprised that someone is trying to get others to not take this very seriously. I can't know what your true intentions are, but I will say that arguing what you have seems to me like a pretty good example of the age old trick used by attackers to try to keep open an exploit.