Google plugs KRACK wifi security flaw in November Android patch

Google has released the November Android patch update bring with it a fix for the widespread KRACK flaw that undermined the WPA2 wi-fi security protocol. 

The key reinstallation attacks (KRACKS) flaws were revealed last month and affected a range of devices, including smartphones, computers, and IoT devices. The flaw affected Android 6.0 and above, which meant that around 820 million Android devices were impacted. 

KRACK took advantage of a flaw that appeared in WPA2’s four-way handshake, which allowed keys that should only be used once to be used again by manipulating and replaying handshake messages. 

The flaws affected Windows, iOS, macOS, Android, and Linux, but had a bigger impact on Android and Linux because these two OSes could be tricked into reinstalling an an “all-zero encryption key”, or a key consisting of all zeros, which is predictable and allows an attacker to decrypt all encrypted packets.

Apple patched KRACK flaws in iOS 11.1 and macOS earlier this month and now Google is finally rolling out its fix in the November patch update under the 2017-11-06 security patch level. 

Google says in its November Android security bulletin that the update includes three rather than two patch levels to cater for the KRACK flaws. The other two patch levels include 2017-11-01 and 2017-11-05. 

Google says Android partners were notified of all issues in the 2017-11-06 patch level “within the last month”, and the issues in the earlier two patch levels at least a month before the November bulletin was published.  

"The most severe vulnerability in this section could enable a proximate attacker to bypass user interaction requirements before joining an unsecured Wi-Fi network," Google says of the KRACK flaws. 

The flaws will likely take time to patch given historical challenges in delivering updates to thousands of different devices models from hundreds of Android vendors. 

It may be even more difficult to fix than other bugs Android itself. Google notes Android handset makers may need to get fixes from wi-fi chipset manufacturers to fix the nine bugs in the 2017-11-06 patch level, which all concern fixes for the “wpa_supplicant” -- the Linux daemon at the root of KRACK flaws affecting Android. 

The 2017-11-01 patch level contains fixes for Android, the Android Media framework, and system flaws. The 2017-11-05 patch level contains fixes for components of the Linux kernel, MediaTek components, Nvidia components, and Qualcomm components.