Android exposed by KRACK in WPA2 wifi security

The latest cyber security crisis concerns a vulnerability in the Wifi Protected Access II security protocol and seems to be especially problematic for Android devices.

Scott Bicheno

October 17, 2017

In time-honoured fashion the first priority was to find a nice acronym for it, and little time was wasted in agreeing on KRACK as a sort of abbreviation of Key Reinstallation Attacks. We have the people who discovered the vulnerability to thank for that as well as the website krackattacks.com, which explains how it works in the video below, and also proposes an alternative definition for the word ‘nonce’.

There are some good top-tips in the Q&A section, where we’re told that changing your wifi password won’t help and that the target of the vulnerability is the device anyway, so the most important remedial step is for operating systems to be patched, rather than routers.

The Verge reports that Microsoft had already patched Windows a week ago, but kept quiet about it to let everyone else get their act together. Linux-based OSs such as Android appear to be most vulnerable, but it doesn’t look like Google is in any great hurry to address the matter, with even its own Pixel devices not expected to receive a patch until 6 November. Apple appears to be quicker off the mark, according to MacRumors.

Responsibility for this vulnerability presumably lies with the organizations in charge of the WPA2 standard. Cryptographer Matthew Green reckons the blame lies with the IEEE and at time of writing its website appeared to make no reference whatsoever to the matter and was instead focused on revenue generation. The Wi-Fi Alliance has managed to find a moment to address the crisis, but its announcement is largely defensive in tone and content.

This could just end up being one of those cyber security issues that gets quickly resolved and serves mainly to give security software companies something to issue one of their ‘this just goes to show that you should buy more security software’ press releases. Then again, especially since it doesn’t look like Android will be protected for a few weeks, this could yet snowball.


About the Author

Scott Bicheno

As the Editorial Director of Telecoms.com, Scott oversees all editorial activity on the site and also manages the Telecoms.com Intelligence arm, which focuses on analysis and bespoke content.
Scott has been covering the mobile phone and broader technology industries for over ten years. Prior to Telecoms.com, Scott was the primary smartphone specialist at industry analyst Strategy Analytics. Before that Scott was a technology journalist, covering the PC and telecoms sectors from a business perspective.