KRACK Targets WPA2 Protocol Putting Millions of Devices at Risk

Marina Kidron Oct 25, 2017

A proof-of-concept (POC) of a key reinstallation attack — or KRACK for short — shows weaknesses in the core WPA2 protocol. The attack affects a wide range of devices with Wi-Fi connectivity, from desktops to servers to mobile devices. Devices running Android, Linux and OpenBSD are most at risk; attacks on macOS, Windows or MediaTek Linksys are more difficult, but those devices are still vulnerable.

An attacker within range of a vulnerable device or access point could decrypt sensitive data such as passwords, emails, credit card numbers and messages — essentially, any data transmitted on an affected device. The attack could also potentially manipulate or inject code, such as ransomware, into websites.

The researchers have demonstrated KRACK on an Android device via video and released an academic paper. Using 10 vulnerabilities, “Android and Linux can be tricked into (re)installing an all-zero encryption key,” according to the site detailing the POC.

  • The key reinstallation attack targets the four-way handshake in the WPA2 protocol. The handshake is executed when a client requests to join a protected Wi-Fi network, and it confirms that the pre-shared network password is correct on both ends.
  • Once credentials are established, the handshake also negotiates a new encryption key to be used on all traffic over the connection.
  • KRACK “tricks a victim into reinstalling an already-in-use key … manipulating and replaying the cryptographic handshake messages.”

KRACK targets both vulnerable access points and clients. But patching the client can neutralize the threat even if it is connected to a vulnerable access point, and patches are also available for select Wi-Fi access points.
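Why the client-side patch is enough, as an added example that is not from the original post or the researchers' code: a simplified model in which installing a key resets the per-key packet counter (the nonce). An unpatched client that accepts the same handshake message twice sends different frames under the same key and nonce, while a patched client ignores the repeat. The class, function names and key value are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Supplicant:
    """Simplified Wi-Fi client: tracks only the installed key and its nonce counter."""
    patched: bool
    key: bytes = b""
    packet_number: int = 0                      # per-key transmit counter, used as the nonce
    sent: list = field(default_factory=list)    # (key, nonce) pairs put on the air

    def on_message3(self, key: bytes) -> None:
        """Handshake message 3 tells the client to install the session key."""
        if self.patched and key == self.key:
            return                              # already in use: keep the counter running
        self.key = key
        self.packet_number = 0                  # a (re)install resets the nonce counter

    def send_frame(self) -> None:
        self.packet_number += 1
        self.sent.append((self.key, self.packet_number))

def reused_nonces(sent):
    """Return every (key, nonce) pair that was used for more than one frame."""
    seen, reused = set(), []
    for pair in sent:
        if pair in seen:
            reused.append(pair)
        seen.add(pair)
    return reused

def run_session(patched: bool):
    """Constructed session: install, two frames, message 3 seen again, two frames."""
    client = Supplicant(patched=patched)
    session_key = b"constructed-key!"           # sample value, not from any capture
    client.on_message3(session_key)
    client.send_frame(); client.send_frame()
    client.on_message3(session_key)             # same message 3 delivered a second time
    client.send_frame(); client.send_frame()
    return client.sent

if __name__ == "__main__":
    for patched in (False, True):
        sent = run_session(patched)
        print("patched" if patched else "unpatched",
              [n for _, n in sent], "reused:", len(reused_nonces(sent)))
```

The same `reused_nonces` check can be applied to (key, packet number) pairs extracted from a lab capture to confirm that a client update actually took effect.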

While there is no proof of an exploit in the wild, with this level of detail, it shouldn’t take long. Enterprise and government Wi-Fi networks accepting connections from Android or Linux devices are the most at risk.

Detecting KRACK Vulnerabilities 

For customers using Skybox™ Vulnerability Control, the Vulnerability Detector feature can discover vulnerable devices running Windows, RedHat Linux and other network devices without waiting for a scan.

The following vulnerabilities have been updated in the Skybox™ Security Intelligence feed and details are accessible to the public at Skybox Vulnerability Center:

A detailed advisory on KRACK is available here and CERT has also released an advisory.


Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor's degree in Computer Science and Mathematics.
