A flaw in the WPA2 protocol — a protocol that secures wireless networks — was recently discovered by a researcher at the University of Leuven in Belgium, CNN reported.

This flaw, called Key Reinstallation Attack, or KRACK, gives a hacker access to a range of devices to break encryption and steal or manipulate data.

Operating systems at risk of the KRACK flaw include Google Android, Linux, Apple MacOS, Microsoft Windows, Linksys and more, per CNN.

The Daily Orange spoke with Radhika Garg and David Molta, professors at Syracuse University’s School of Information Studies, about the security flaw and why it will, most likely, not affect SU’s wireless infrastructure.

The Daily Orange: How does the KRACK flaw make it easier for hackers to infiltrate secure devices?

Radhika Garg: There is a flaw in WPA2 protocols, where a hacker could read or steal the data that was supposed to be protected. Recently, a research paper was presented by Mathy Vanhoef.

What he showed in his paper was that usually there is a four-way handshake by which you share an encrypted key to secure the data that you are sending on the internet … if somebody with malicious temptations tries to hack or tamper, he can replay the third handshake. This enables the hacker to decrypt the data.

David Molta: It basically breaks the encryption on Wi-Fi. It is what we call a “man in the middle attack,” where an intruder would sit between you and the connection to the access point. By leveraging some obscure implementation errors in the WPA2 standard, the experts have figured out a way to crack the encryption.

The D.O.: What can hackers do with this stolen information?

R.G.: They can reuse the data or pretend to be you. Imagine if you are doing online banking. You send your password to your banking system, then a hacker can replay and decrypt the data and they now have your password and can do anything with your bank account.

D.M.: I think the biggest concern is that hackers could intercept login credentials. Once they are able to compromise your login information, they would then use that information to attack your resources on other sites … once one of your accounts get compromised, all of your accounts can get compromised. You wouldn’t even know that it’s happened. It’s a silent attack.

The D.O.: Why are hackers targeting Wi-Fi systems, instead of directly targeting personal devices?

R.G.: It’s not something that the hackers are intending to do, but rather the flaw in the protocol itself. It is the flaw which creates a vulnerability that hackers can exploit.

The D.O.: How can the KRACK flaw be fixed?

R.G.: It can be fixed by software patches. The good news is, it was an implementation bug rather than a fundamental design bug in the standard itself.

D.M.: There are a lot of patches. As of nine or 10 days ago, Apple (said) they had already patched the vulnerabilities. However, these patches are still largely only available to developers. They are saying that they should be able to roll it out to consumers sometime soon, like early November.

The D.O.: Are SU students at risk? If so, how can they protect themselves?

R.G.: According to the university’s wireless engineer, the protocol that enables this vulnerability is not used on the Syracuse campus. So the AirOrangeX network provides a level of safety, but as soon as the student walks off campus, it’s a different story.

Students should research their particular wireless device to learn about the status of patching. As soon as the patches are available, the students should install them on their devices.

D.M.: For the most part, they are not at risk. There are no known exploits that have been developed yet.

In fact … the infrastructure vulnerability is irrelevant to the university. The feature that KRACK exploits is not a feature that we implement here at Syracuse University.

Unlike a lot of hacking — where you’re vulnerable to anyone on the internet — for this particular problem, the person needs to be in your wireless cell … like a few rooms over. If you’re a hacker, that’s risky. I don’t want to underemphasize the severity. This is a significant, nasty attack. But, I don’t think from an individual user standpoint, it would result in significant loss.

Published on October 31, 2017 at 9:01 pm

Contact Olivia: olcole@syr.edu