It has been all over the news since yesterday: »WPA2 Wifi-Encryption is broken.« German news stations are asking people not to do online banking via Wifi (that’s nonsense, but more about that later).
So what is WPA2? Wifi connections are connections over the air, radio signals in the 2.4 GHz and 5 GHz bands. Because radio waves propagate everywhere around the antenna, anybody can listen in on them. In order to give the over-the-air piece of the Internet connection some privacy, a simple encryption protocol had been cooked up, WEP. The WE in WEP stood for “Wired Equivalent”, so the encryption wasn’t supposed to be milspec, it was supposed to give privacy comparable to a wire.
WEP was broken a long time ago, and it has not provided much of anything for a decade now. The successor protocols were WPA and, later, WPA2. WPA2 was actually proven to be correct and secure, and that proof remarkably still stands.
So how is that possible?
The attacks documented at https://www.krackattacks.com/ expose a very fascinating flaw. It does not break WPA, nor does it expose the keys that the key exchange protocol between the base station and the client agrees on. It does something else instead – it forces the protocol to revert to a previously installed key and to reuse already used-up numbers that are supposed to be used only once (nonces).
It also does not, by default, make the plain text available, so the bytes on the wire do not become readable. It does, though, allow blind redirection, hijacking or other manipulation of the connection. Blind in this context means that the attacker does not see the content of the connection, but still can overwrite or change certain content in the connection.
It does allow more than this in certain implementations where the key that is being reinstalled is predictable (i.e. anything using wpa_supplicant, including all Linuxes and all Androids – in which case the protocol attack forces wpa_supplicant to choose an all-zero key).
The WPA protocol is proven to be correct and safe, and that proof is still valid. And indeed the actual key is never exposed, as the proof promises.
Instead, the flaw uses the protocol in a way that is not anticipated by the proof, and induces new failure modes that have not been covered by the proof. The quote from the paper »Interestingly, our attacks do not violate the security properties proven in formal analysis of the 4-way and group key handshake.« is eerily reminiscent of the famous MAD Magazine author Don Knuth: »Beware of bugs in the above code; I have only proved it correct, not tried it.«
»Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.«
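The key reinstallation described earlier and the "install a key only once" fix from the quote above, as a toy model. This is an added example, not code from the paper or from wpa_supplicant; the class names, the constructed session key and the SHA-256 keystream stand-in (not CCMP) are assumptions made for illustration.

```python
import hashlib

def keystream(key, pn, n=16):
    # Stand-in for the per-frame keystream (NOT CCMP): depends only on (key, packet number).
    return hashlib.sha256(key + pn.to_bytes(6, "big")).digest()[:n]

class VulnerableClient:
    """Reinstalls the key on every handshake message 3, resetting the packet number."""
    def __init__(self):
        self.key = None
        self.pn = 0

    def on_msg3(self, key):
        self.key = key
        self.pn = 0              # the flaw: counter restarts for a key already in use

    def send(self):
        self.pn += 1             # packet number doubles as the nonce
        return (self.key, self.pn)

class PatchedClient(VulnerableClient):
    """Installs a given key only once; a repeated message 3 changes nothing."""
    def on_msg3(self, key):
        if key != self.key:      # a genuinely new key (rekey) is still installed
            super().on_msg3(key)

def run_session(client):
    ptk = bytes(range(16))       # constructed session key
    used = []
    client.on_msg3(ptk)          # message 3 of the 4-way handshake arrives
    used += [client.send() for _ in range(3)]
    client.on_msg3(ptk)          # the same message 3 is delivered a second time
    used += [client.send() for _ in range(3)]
    return used

def reused_nonces(used):
    """Return every (key, packet number) pair that protected more than one frame."""
    seen, dup = set(), set()
    for pair in used:
        (dup if pair in seen else seen).add(pair)
    return dup

if __name__ == "__main__":
    for cls in (VulnerableClient, PatchedClient):
        dups = reused_nonces(run_session(cls()))
        print(cls.__name__, "reused packet numbers:", sorted(pn for _, pn in dups))
```

Both clients send and receive identical handshake messages; only the local install logic differs, which is why the patch is backwards-compatible.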
»What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.«
That means it is (unfortunately) not your Wifi router that needs an update.
You will need to update your computer, all your cellphones, your Kindle, your IoT devices including your Sonos, your Wifi-enabled LED lights, your Chromecast, your Amazon Echo and your dishwasher. Also, your car, if it has Wifi.
»Should I change my Wi-Fi password?
Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. After updating your router, you can optionally change the Wi-Fi password as an extra precaution.«
As explained above, the attack does not expose or recover your Wifi password. The attack is a blind overwrite or, in some cases, a forced install of a known key; those cases are worse than the general attack.
Do I need to turn off my Wifi? Do I need to stop online banking?
No. The WPA2 encryption secures only the over-the-air part of your connection. That is the distance between the antenna of your laptop or cellphone and the antenna of your Wifi router.
Security-critical applications actually use end-to-end encryption of the connection, called TLS (previously: SSL). That is the distance from your browser, over the over-the-air part of the connection, through your DSL to your provider, to your bank’s provider, to your bank’s web server. For this security protocol it is irrelevant if some small part on the way is insecure.
In fact, TLS was designed to handle exactly the kind of problem we now have with WPA2. That means you can happily use your cellphone or laptop as before – with the flaw it’s not any more or less secure than without the flaw.