Akamai Diversity

The Akamai Blog

KRACK Vulnerability in WiFi WPA2

Akamai is aware of a family of vulnerabilities known as the Key Reinstallation Attack or KRACK.  These vulnerabilities abuse implementation flaws found in all modern wireless networks using WPA2. The KRACK attack is effective at the protocol level and therefore affects all systems using current WiFi encryption, including iOS, Linux, Windows and Android.  The vulnerabilities allow the attacker to reinstall a previously used cryptographic key. This would allow for the decryption, injection, or forging of traffic on the affected network, depending on which vulnerability is used.

The KRACK vulnerabilities work by exploiting a weakness in the way the WPA2 protocol negotiates the encryption of traffic on the network.  They allow the attacker to reset and control portions of the handshake, which opens up the network to having its traffic intercepted and spoofed.  Because this attack is happening at the protocol level, it affects all systems using WPA2 to secure their wireless network and applies to most operating systems.

Akamai does not allow the use of wireless access within the networks that provide services to its customers or their end-users. Akamai security teams are aware of the vulnerability and have evaluated the potential impact on other wireless networks within the organization.  The bulk of our corporate wireless traffic access occurs over VPN and the vast majority of the VPN traffic has additional transport layer encryption.

The appropriate use of Transport Layer Security (TLS) or Virtual Private Networks (VPNs) can limit the impact of local wireless network attacks. Protocols designed so that they remain secure even if an adversary can read, modify, block, or insert messages remain secure in the face of KRACK.

Our recommendation to customers:

  • Patch systems as soon as a patch becomes available for affected systems.  This vulnerability affects networking equipment as well as end points, meaning desktops, laptops, and phones will be affected.

  • Review all wireless networks and disable sensitive networks until a patch is available.

  • Continue to work with security vendors, local ISACs and other security partners to gather as much information as possible.