Android exposed by KRACK in WPA2 wifi security
The latest cyber security crisis concerns a vulnerability in the Wifi Protected Access II security protocol and seems to be especially problematic for Android devices.
October 17, 2017
In time-honoured fashion the first priority was to find a nice acronym for it, and little time was wasted in agreeing on KRACK as a sort of abbreviation of Key Reinstallation Attacks. We have the people who discovered the vulnerability to thank for that as well as the website krackattacks.com, which explains how it works in the video below, and also proposes an alternative definition for the word ‘nonce’.
There are some good top-tips in the Q&A section, where we’re told that changing your wifi password won’t help and that the target of the vulnerability is the device anyway, so the most important remedial step is for operating systems to be patched, rather than routers.
The Verge reports that Microsoft had already patched Windows a week ago, but kept quiet about it to let everyone else get their act together. Linux-based OSs such as Android appear to be most vulnerable, but it doesn’t look like Google is in any great hurry to address the matter, with even its own Pixel devices not expected to receive a patch until 6 November. Apple appears to be quicker off the mark, according to MacRumors.
Responsibility for this vulnerability presumably lies with the organizations in charge of the WPA2 standard. Cryptographer Matthew Green reckons the blame lies with the IEEE, and at the time of writing its website appeared to make no reference whatsoever to the matter and was instead focused on revenue generation. The Wi-Fi Alliance has managed to find a moment to address the crisis, but its announcement is largely defensive in tone and content.
This could just end up being one of those cyber security issues that gets quickly resolved and serves mainly to give security software companies something to issue one of their ‘this just goes to show that you should buy more security software’ press releases. Then again, especially since it doesn’t look like Android will be protected for a few weeks, this could yet snowball.