A first reaction to learning about the Key Reinstallation Attack Wi-Fi security flaw, or KRACK, as it has come to be known, might be resignation to the creativity of the hacking community. Security experts and white hat hackers have worked tirelessly over the past several years to make electronic networks safer and more secure for businesses and individuals. Yet every safety and security improvement has been met and even exceeded by hackers, who are as adept as ever in finding flaws that allow them to breach networks and to steal consumer account information.
The KRACK security flaw takes advantage of a weakness in the Wi-Fi Protected Access 2 (WPA2) encryption standard that has been the norm for virtually every secure Wi-Fi network since at least 2004. Network engineers have been trained to utilize the WPA2 standard for the very good reason that, until the discovery of the KRACK flaw, that standard encrypted all traffic over a Wi-Fi network and made that traffic unreadable to hackers. With WPA2 encryption, a Wi-Fi network goes through a four-step verification process to confirm that a party who wants to join the network has the correct credentials to do so. Hackers use KRACK to hijack the third of those four steps and to install their own cryptographic key into the network, which then allows the hackers to decipher and read encrypted network traffic.
Changing passwords or Wi-Fi routers will not deter a KRACK attack. Further, not all networks are vulnerable, and overall vulnerability appears to be limited to a minority of networks and devices. Still, that minority potentially comprises millions of devices that are used on tens of thousands of Wi-Fi networks. Until a solid patch is developed to ward off this vulnerability, security experts recommend that network owners adopt a few protective practices:
One of the more troubling aspects of the KRACK vulnerability is that security experts cannot conclusively determine if it has been used successfully to steal data from a network. The plethora of news stories about the vulnerability that appears in the trade press in October 2017 has raised the profile of the vulnerability, making it more likely that one or more hacker groups will attempt to use it. From a broader perspective, this vulnerability emphasizes the inherent risks that every business exposes itself to when it establishes an electronic network and puts its operations online. Those businesses can implement the strongest network defenses available, but their networks will always be susceptible to newly-discovered flaws which make those defenses ineffective.
The only surefire protection that any business can take is to procure network security insurance that provides a source of reimbursement for direct losses and third-party liabilities arising from a network breach. Hackers have become experts at stealthily accessing a network and stealing small amounts of data over long periods of time. A business might believe that its network is secure, only to discover after many months that it has been leaking data and information and that the cumulative volume of lost data is significant. At that time, network security insurance may well be the only thing that enables the business to recover from its losses and to continue its operations.