The KRACK panic!

A lot is going on right now, on the 16th of October 2017, about the KRACK attack on WPA2. Links will follow. There was even a (misleading) statement by Arne Schönbohm, president of the German Service for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), recommending that people switch to a VPN to secure their connections.

In this article I want to clear up one detail and perhaps somewhat relax the horror that this attack, and even more so its press coverage, is causing people right now. The fact is: all TLS-protected connections are still reasonably secure despite the attack! You can keep surfing without a problem if the sites you visit connect over HTTPS. And most of them do in fact!

Disclaimer: On this web site you might read about or get access to various kinds of software and technology, including but not limited to libraries, operating systems, software for communications, mobile phones and tablets, Android software and Linux, even cars and motorcycles, security and penetration testing software, software used in security research and forensics, and some samples of software which can be used (elsewhere) for malicious or illegal purposes. You will read about or be provided with ways to change it, to operate it and to use it. You might find advice and recommendations, which are only an opinion, and not legal advice or a commercial recommendation.
Bear in mind, please, that everything you do, you do solely at your own risk and responsibility. In no way can the author of this web site, or of the information, graphics and other materials presented here or related to it, be made liable or otherwise responsible for your own actions or the actions of any third party, or their direct or indirect results or consequences, with or without the use of this information or of the software, technology and systems mentioned and/or presented here, no matter whether developed by the author or by any third party.
In no way is it guaranteed that the software and systems described here are suitable for any particular purpose, safe, secure, legal or even simply functioning. You have to make sure yourself, each time, that what you do is really what you intend to do, and that you are ready to take responsibility for it yourself. All the recommendations and experiences described here are the opinions of the corresponding authors and are to be taken with care and at your own full responsibility.
The software provided on or through this web site, linked to from this web site or otherwise related to this web site is provided by the corresponding authors on their own terms. We provide all the software here as is, without any guarantees to you. You are responsible for deciding whether it is suitable for you or not. You are also responsible for all direct or indirect consequences of using this software.
Other web sites linked to from the current one are outside the author's control; we cannot guarantee anything about their content, its quality or even its legality. We cannot be liable for any use of the linked web sites or of the information presented there.
We make reasonable efforts to keep this website running smoothly and to deliver information to the best of our knowledge, corresponding to the state of the art at the time the information is composed (usually stated together with the information), and with good intentions. We cannot, however, guarantee and cannot be liable for this website being temporarily or permanently unavailable, presenting unreliable information or software, any other similar malfunction or functioning not up to your expectations, or any consequences which might result from this site's operation.

That is basically it for the information in the header. Let's start with some links.

Press coverage

Here is the paper discussing the attack: PDF. This is the actual information. It is a technical paper, however, so the press picks it up and (mis)interprets it.

BSI

This was followed by a statement from BSI, citing their president: bsi.bund.de (in German).

Exaggerate and panic!

BSI quotes Arne Schönbohm (my translation follows below):

Nutzen Sie Ihr WLAN-Netzwerk so, als würden Sie sich in ein öffentliches WLAN-Netz einwählen, etwa in Ihrem Lieblings-Café oder am Bahnhof. Verzichten Sie auf das Versenden sensibler Daten oder nutzen Sie dazu einen VPN-Tunnel. Auch das kabelgebundene Surfen ist weiterhin sicher. Unternehmen sollten ihre Mitarbeiter sensibilisieren und geeignete Maßnahmen zur Absicherung ihrer Firmennetzwerke ergreifen. Sicherheitsupdates wurden bereits von verschiedenen Herstellern angekündigt und sollten umgehend durch den Nutzer eingespielt werden, sobald sie zur Verfügung stehen.

My non-professional translation (both languages are foreign to me):

“Use your Wi-Fi network as if you were logging into a public Wi-Fi network, for example in your favorite café or at the train station. Avoid sending sensitive data, or use a VPN tunnel for it. Wired Internet surfing remains as secure as it was before. Companies should make their employees aware and take appropriate measures to secure their corporate networks. Software security updates have already been announced by manufacturers and should be installed by users immediately once they are available.”

Heise

A very popular IT news site, heise.de, reports that our protected traffic can now be read without any problem: heise.de.

Here is the headline, and how I translate it:

Schwachstellen im WPA2-Protokoll führen dazu, dass Angreifer eigentlich geschützten Datenverkehr mitlesen könnten. Davon sind im Grunde alle Geräte mit WLAN-Chip bedroht. Das WLAN-Passwort ist aber nicht gefährdet.

“Vulnerabilities in the WPA2 protocol mean that attackers could read traffic that is supposed to be protected. Basically all devices with a Wi-Fi chip are affected. The Wi-Fi password is not in danger, however.”

How people react

Such stories greatly amplify the reaction of ordinary people. I heard a funny story from my colleague today. His mom woke up early and called him from Berlin to Munich, waking him up as well. Her message was that he should stop using online banking completely, otherwise he would be hacked and all his money stolen. She said that BSI had confirmed this.

Well... This is simply not true. Let me briefly explain why:

Is it secure to connect to my bank now? (-Yes!)

The traffic from your computer to, let's say, your bank is usually transferred through a series of other networks and computers called routers. Each such transfer is usually called a hop. The most effective path over the best hops at that moment is selected for you by Internet routing protocols, and your data travels along it. You do not even need to know what these hops are for everything to work.

When it comes to trust: we do not trust hops. We trust neither the computer nodes nor the links between them! It has always been like that: the Internet has no security built in.

That is why, on top of the insecure network, the endpoints (you and your bank) use encryption between each other. Remember the green indicator on the left side of your browser's address bar showing that the connection to your bank is secured by TLS? It means that this connection is protected from eavesdropping or manipulation by others. Sure, we could also discuss how secure HTTPS is, but that is not the point when talking about the KRACK attack. KRACK is not known to affect HTTPS connections in any way.

The crucial thing to understand about KRACK is that, until your computer is updated, the hop between your computer and your wireless router is now insecure as well. This changes nothing between you and your bank. It is just one more insecure hop on top of the 5 to 12 other untrusted hops that have always been on the way to the bank.

Some applications do not use HTTPS/TLS or any other kind of encryption. Well, they were not secure before the KRACK attack either. So what is all this fuss about?
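To make the hop argument concrete, here is an added example (my own model, not code from the paper or from any of the sites quoted): a bank transfer message crosses seven untrusted hops, the first being the Wi-Fi link, once as plaintext and once sealed end to end with a simple encrypt-then-MAC construction standing in for TLS. The key, the message and the hop chain are constructed sample values.

```python
# Added model of the article's hop argument (not code from the page); the
# cipher is a simple encrypt-then-MAC stand-in for TLS, for illustration only.
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stream cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Client side: nonce || ciphertext || tag, so confidentiality and integrity hold end to end."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Bank side: reject any packet whose tag does not verify (returns None)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def honest_hop(packet: bytes, seen: list) -> bytes:
    return packet                      # an ordinary router just forwards

def hostile_hop(packet: bytes, seen: list) -> bytes:
    """An untrusted hop (e.g. a KRACK-weakened Wi-Fi link) records the packet and flips bit 3 of byte 9."""
    seen.append(packet)
    buf = bytearray(packet)
    buf[9] ^= 0x08
    return bytes(buf)

def deliver(end_to_end_encryption: bool, hostile_first_hop: bool) -> dict:
    """Constructed scenario: seven hops to the bank, the first being the Wi-Fi link."""
    key = b"\x01" * 32                   # constructed session key shared by client and bank only
    msg = b"transfer 100 EUR to savings" # byte 9 is '1'; flipping bit 3 makes it '9'
    hops = [hostile_hop if hostile_first_hop else honest_hop] + [honest_hop] * 6
    seen: list = []
    packet = seal(key, msg) if end_to_end_encryption else msg
    for hop in hops:
        packet = hop(packet, seen)
    received = unseal(key, packet) if end_to_end_encryption else packet
    return {"hop_read_plaintext": any(msg in p for p in seen),
            "delivered_intact": received == msg,
            "bank_rejected": received is None,
            "bank_accepted_altered": received not in (None, msg)}
```

Without end-to-end encryption the hostile first hop reads the message and the bank accepts a transfer of 900 EUR; with it, the hop sees only ciphertext and the bank rejects the altered packet, which is exactly why one more untrusted hop changes nothing for HTTPS.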

Speaking of wired connections, in reaction to Mr. Schönbohm's quote: most of the time wired LANs are deployed without any connection security in place either.

There is nothing wrong with using a VPN, which would add a layer of security between you and your counterpart. Banks do not connect to you over VPN, however. They use HTTPS instead. And this is obviously not only about banks. Google, Facebook, and all the many web services you use daily use HTTPS, not VPN.

All in all: browse as you did before, and do not worry about your HTTPS connections.

Summary

That said, we still have to say that the KRACK attack is a clever technical attack on the first hop, your Wi-Fi network secured by WPA2. If the security of some of your applications depends on the security of the Wi-Fi channel, you should take action now. Most likely, however, you had to do that before…

Online media tend to exaggerate security problems. This is probably to get more views.

Some interesting facts about KRACK

  • The attack uses a subtle feature to renegotiate keys quickly. This is often the case: some performance or ease-of-use optimization might open an attack vector.
  • To fix it you have to patch the client only. Access points do not have to be patched unless they act as clients to other access points (a Security Now episode claims this).

Thanks for reading my blog!
Created: 16/10/2017
Last edited on: 17/10/2017