17

Does using a VPN protect against KRACK? How does this work? How can it be bypassed?

I use a commercial VPN on my laptop and on Android. Is an OpenVPN connection to your home a good way to protect your devices?

Stevoisiak
SPRBRN

3 Answers

13

A (properly configured, secured protocol) VPN connection will not protect you from being "forced" to join the malicious access point, but it will prevent your communications from being eavesdropped on. The same is true for properly configured SSL / TLS.

The attacker in the KRACK attack sets up a malicious access point, which your device connects to as part of the attack (note that your device must have already connected to this device and trust it). Because your VPN tunnel encrypts communications between your device and the tunnel end point, while you may have fallen victim to joining a malicious access point, all communications through that tunnel would not be susceptible to MITM attacks.

DKNUCKLES
  • So if I am away from home, connect to my home OpenVPN, that would make things secure. And if I'm home, I could do the same? Just wondering. – SPRBRN Oct 17 '17 at 08:41
  • 2
    @SPRBRN Yes, that's correct. Even if you are forced to join a malicious access point your communications are protected by the encryption of the tunnel. – DKNUCKLES Oct 17 '17 at 13:27
1

VPNs can provide protection but the protection provided is often rather fragile.

The problem is that many VPN systems only redirect network traffic when the VPN is connected. If the VPN becomes disconnected then direct traffic flow returns. So if the attacker can disrupt the connection to the VPN they can potentially intercept your traffic.

Peter Green
  • "Often rather fragile" - that's kind of vague. And how does this DOS work? Can the attacker - in this particular attack or otherwise - see that I use VPN, know which VPN it is, and how can the VPN connection be disrupted? – SPRBRN Oct 20 '17 at 07:45
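
The fail-open behaviour described in the answer above can be checked from a routing table. This is an added example, not part of the original posts: it models a Linux client whose tunnel routes vanish when the tunnel interface goes away. The interface names (`tun0`, `wlan0`), the addresses and the sample `ip -4 route show` output are constructed assumptions.

```python
import ipaddress

# Constructed sample: `ip -4 route show` on a Linux laptop with OpenVPN up
# (0.0.0.0/1 + 128.0.0.0/1 override routes). Names and addresses are made up.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Return [(network, device, metric)] for unicast routes in the output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # blank lines, unreachable/blackhole entries
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types this sketch does not model
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes

def egress_device(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def leak_after_drop(text, tunnel="tun0", probe="198.51.100.7"):
    """Egress device for `probe` with the tunnel up, then with it removed."""
    routes = parse_routes(text)
    before = egress_device(routes, probe)
    after = egress_device([r for r in routes if r[1] != tunnel], probe)
    return before, after

if __name__ == "__main__":
    print(leak_after_drop(SAMPLE_ROUTES))  # second value not None = fails open
```

A second value of `None` means no route is left once the tunnel is gone, so traffic stops instead of going out directly. The check covers routing only; a firewall-based block on non-tunnel traffic would not show up here.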
-2

How does it work and how can it be bypassed?

https://www.krackattacks.com/ (official website)

In the text it says:

Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.

And the word VPN in this text has this link: https://arstechnica.com/information-technology/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/

lipesmile
  • 5
    This doesn't really answer the question. The point of that article was that many "VPN Applications" aren't actually VPN applications, so you need to make sure you actually have a VPN application that works. – AJ Henderson Oct 16 '17 at 20:39