Detecting KRACK Man in the Middle Attacks
What is KRACK?
KRACK (Key Reinstallation attaCKs, KRACKs) is a serious weakness in the WPA2 protocol. WPA2 secures all modern protected Wi-Fi networks including those used by smartphones. Attackers within physical range of a Wi-Fi network can exploit protocol weaknesses by using key reinstallation attacks. The attack works against all modern protected Wi-Fi networks and can be used to steal sensitive information such as usernames, passwords, messages, emails, photos, calendaring and contacts information.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected .
How zIPS Helps
Zimperium’s z9 on-device mobile threat defense engine is trained in a lab using machine learning techniques. These techniques are applied at the device, network, and application threat vectors to specifically look at operating system level statistics. These statistics determine if a threat is occurring on the device. z9 has enabled us to detect 100% of both known and previously unknown attacks. Should an attempt to exploit the device be detected, Zimperium can take action on the device to prevent the exploit from advancing.
zIPS is a mobile security app containing the z9 detection technology. zIPS monitors the entire mobile device for malicious behavior regardless of the attack entry point. The device-wide resident approach does not rely on external IDs or malware signatures. This makes zIPS immune to evasion techniques such as polymorphic malware, virtual machine awareness, download and execute techniques or binary obfuscation.
Zimperium customers can detect MITMs like KRACK through various detection techniques. With zIPS on your Android and iOS devices, you will be notified if an attacker intercepts your Wi-Fi traffic in order to read traffic. If an attacker inserts himself between your device and your access point and attempts to decrypt your traffic, zIPs will alert you via standard MITM detection. Standard MITM detection in zIPS that apply to KRACK include but are not limited to:
- Fake SSL Certificate MiTM – Attack using a fake certificate where an attacker can hijack traffic and steal credentials or deliver malware to the device.
- SSL Strip – Man-in-the-Middle attack using SSL stripping allowing a malicious attacker to change HTTPS traffic to HTTP to hijack traffic, steal data or deliver malware to the device.
- Traffic Tampering – Man-in-the-Middle attack allowing a malicious attacker to change the content of the network traffic and deliver malware to the device.
Additional Recommended Actions
We recommend utilizing a mobile threat defense app like zIPS to detect MITM, traffic tampering or yet to be disclosed or zero-day mobile device threats. You can install zIPS from Google Play or Apple App Store. After installation, please contact Zimperium for an evaluation license and administration console.
Zimperium also advises you to update your devices with the most up to date operating system and security patches available. Apple confirmed it has a fix in beta, regarding this Wi-Fi threat, for iOS, MacOS, WatchOS and TVOS, and will be rolling it out in a software update in a few weeks. Google is aware of the issue, and we will be patching affected devices in the coming weeks. 
If you have additional questions on this threat or others that may be affecting your users, please contact us so we may answer your specific questions.