'KRACK' Attack - What does it mean for you?
Posted by mbird on Fri, 20/10/2017 - 16:25
The announcement of the WPA2 vulnerability discovery has, unsurprisingly, caused worry among IT professionals. Here, Vanix wi-fi expert Laurence Lowe explains what has happened and what actions need to be taken.
What has happened?
WPA2 (Wi-Fi Protected Access II) using CCMP is the industry standard for wireless network security. CCMP encrypts traffic with AES using a 128-bit key, which cannot feasibly be broken by brute force with today's computing power. You will no doubt be aware that a series of vulnerabilities was recently published by a Belgian information security researcher, Mathy Vanhoef, which could allow a suitably-equipped attacker within radio range to decrypt data transmitted between a wireless client and the AP. The attack is known as "KRACK" (Key Reinstallation Attack).
What is KRACK?
KRACK relates to the way the WPA/WPA2 protocol handles the exchange of transient encryption keys between the wireless client and a wireless access point (AP), in particular the 4-way handshake. Transient encryption keys are temporary keys used for encrypting client sessions, and are different for each wireless client and session. The handshake allows the AP to retransmit a message if it does not receive a reply; an attacker who blocks the reply can make the client re-install a key it is already using, which resets the packet counter (the encryption nonce) and the replay counter, so the same keystream is used twice. Please be reassured that KRACK does not reveal your pre-shared key (PSK) or user credentials, so there is no need to change your network passphrase or force users to reset their passwords at this time.
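To make the key-reinstallation mechanism concrete, the following is an added example (not code from the original article, and not Mathy Vanhoef's tooling). It models a WPA2 client that receives message 3 of the 4-way handshake, installs the pairwise transient key (PTK) and starts its packet number at zero. Because the Python standard library has no AES, the CCMP counter-mode keystream is modelled with an HMAC-based PRF; this is a constructed stand-in, but the property being shown (same key + same nonce = same keystream) is exactly the one KRACK exploits. The plaintexts, PTK and `Supplicant` class are all constructed for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Model of a counter-mode keystream: block i = PRF(PTK, nonce || i).

    Constructed stand-in for CCMP's AES-CTR so the example runs offline with
    the standard library only. As with CCMP, reusing (PTK, nonce) reuses the
    keystream, which is the weakness KRACK triggers.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Constructed model of the client side of the 4-way handshake."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.pn = 0  # CCMP packet number, used as the per-frame nonce

    def handle_msg3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the PTK. The AP may retransmit
        # it if message 4 never arrives; an unpatched client then installs the
        # same PTK again and resets its packet number to zero.
        if self.patched and self.ptk == ptk:
            return  # key already in use: do not reinstall (the vendor fix)
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        nonce = self.pn
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_attack(patched: bool) -> Optional[bytes]:
    """Return the secret plaintext the attacker recovers, or None if the
    client's nonces never repeat."""
    client = Supplicant(patched)
    ptk = hashlib.sha256(b"constructed PTK for the example").digest()
    client.handle_msg3(ptk)

    # Frame 1: plaintext the attacker can guess (constructed), e.g. a request line.
    known = b"GET /index.html HTTP/1.1\r\n"
    nonce1, c1 = client.send(known)

    # Attacker blocks message 4; the AP retransmits message 3; the client
    # processes it again. Only the unpatched client reinstalls the PTK.
    client.handle_msg3(ptk)

    # Frame 2: the data the attacker actually wants (constructed).
    secret = b"Cookie: session=9f3a2c\r\n"
    nonce2, c2 = client.send(secret)

    if nonce1 != nonce2:
        return None  # distinct nonces, distinct keystreams, nothing to recover
    # Same PTK and same nonce: c1 XOR c2 == known XOR secret.
    return xor(xor(c1, c2), known)[: len(secret)]


if __name__ == "__main__":
    print("unpatched client leaks:", run_attack(patched=False))
    print("patched client leaks:  ", run_attack(patched=True))
```

Note that the attacker never learns the PTK or the PSK; what leaks is the XOR of two plaintexts encrypted under the reused nonce, which is enough to recover one when the other is predictable. The patched branch simply refuses to reinstall a key that is already in use, which is the backward-compatible fix vendors shipped.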
The attack itself is sophisticated and quite difficult to perform, requiring the attacker to have specialised software and scripts on their laptop, and to be within range of both your wireless APs and the client they wish to attack. Successfully performing the attack would allow them to replay and decrypt packets, potentially giving access to information sent in plain text. Traffic sent via VPN or websites accessed via HTTPS would still be inaccessible to the attacker in most cases. To date, no public tools are available to perform this attack, so it would require significant effort to carry out.
What is the impact?
While it has been reported that the WPA2 protocol is fundamentally broken, this is incorrect; we do not need a "WPA3" protocol. The weakness lies in how the standard handles retransmitted handshake messages, but the fix is applied in software on wireless APs and wireless clients and is backward-compatible, so a patched device still interoperates with unpatched ones. Patching a client protects that client's traffic even if the AP is not yet patched, and vice versa for the AP-side issues. Vendors have been aware of these vulnerabilities for several months, and, in some cases, have issued patches already. Microsoft released a patch for all supported versions of Windows on October 10th 2017, while Apple and Google are still working on fixes which should be available soon. Similarly, most affected wireless network vendors will shortly be issuing patches if they have not already.
How can I protect my network?
Firstly, ensure you are running WPA2 with CCMP (AES) on your network. Against CCMP, the attack allows an attacker to replay and decrypt frames. The older TKIP cipher (WPA-TKIP) is much more vulnerable: it additionally allows a suitably-motivated attacker to forge and inject packets into your network, putting your clients at risk of ransomware and other malware being injected into the traffic they receive.
Ensure that your clients and wireless APs/controllers are fully patched and up to date.
If your vendor has not provided a patch yet, there are other ways to limit the attack surface:
- Some wireless vendors enable wireless links between all APs, to provide redundancy in case an AP's wired uplink fails. This is called a "Mesh". On a mesh backhaul link one AP acts as a wireless client of another, so it is exposed to the client-side vulnerabilities until patched. Mesh should be disabled unless it is specifically required for point-to-point links or external wireless coverage.
- 802.11r (Fast BSS Transition) is an extension to the 802.11 standard which provides faster roaming between APs for supported clients. One of the published vulnerabilities affects the AP side of the 802.11r handshake, so this should be disabled until your AP vendor has issued a patch.
- Any attacker performing this attack would have to be located close to or inside your building, within range of at least one of your APs, and masquerading as one of your APs: the attack clones a legitimate AP's MAC address on a different channel in order to sit between the client and the real AP. Many vendors provide Wireless Intrusion Detection/Prevention systems (WIDS/WIPS) to detect exactly these kinds of rogue APs. It is highly recommended that you enable and configure WIDS/WIPS in your network.
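The detection logic a WIDS applies to the last point can be illustrated with a small added example (not part of the original article and not any vendor's WIDS code). It runs over a constructed list of beacon observations from several sensors and raises two kinds of alert: a known BSSID seen on a channel other than the one the real AP is configured for (the cloned-AP signature described above), and an unknown BSSID advertising the corporate SSID. The sensor names, BSSIDs, SSIDs and channel assignments are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed observations: (bssid, ssid, channel, sensor that saw the beacon)
OBSERVATIONS: List[Tuple[str, str, int, str]] = [
    ("aa:bb:cc:00:00:01", "CorpWiFi", 36, "sensor-1"),
    ("aa:bb:cc:00:00:01", "CorpWiFi", 36, "sensor-2"),
    ("aa:bb:cc:00:00:02", "CorpWiFi", 44, "sensor-1"),
    ("aa:bb:cc:00:00:01", "CorpWiFi", 1, "sensor-3"),   # real BSSID on the wrong channel
    ("de:ad:be:ef:00:01", "CorpWiFi", 6, "sensor-2"),   # unknown BSSID using our SSID
    ("00:11:22:33:44:55", "GuestCafe", 11, "sensor-2"), # neighbouring network, benign
]

# Constructed inventory: managed AP BSSID -> channel it is configured to use
KNOWN_APS: Dict[str, int] = {
    "aa:bb:cc:00:00:01": 36,
    "aa:bb:cc:00:00:02": 44,
}
CORP_SSIDS: Set[str] = {"CorpWiFi"}


def find_rogues(
    observations: Iterable[Tuple[str, str, int, str]],
    known_aps: Dict[str, int],
    corp_ssids: Set[str],
) -> List[Tuple[str, str, int]]:
    """Return (alert_type, bssid, channel) tuples, deduplicated and sorted.

    alert types:
      bssid-cloned   a managed BSSID was seen on a channel it does not use,
                     the signature of a clone placed on another channel
      unknown-bssid  an unmanaged BSSID is advertising a corporate SSID
    """
    alerts: Set[Tuple[str, str, int]] = set()
    seen_channels: Dict[str, Set[int]] = defaultdict(set)

    for bssid, ssid, channel, _sensor in observations:
        seen_channels[bssid].add(channel)
        if ssid in corp_ssids and bssid not in known_aps:
            alerts.add(("unknown-bssid", bssid, channel))

    for bssid, channels in seen_channels.items():
        if bssid not in known_aps:
            continue
        for channel in channels - {known_aps[bssid]}:
            alerts.add(("bssid-cloned", bssid, channel))

    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_rogues(OBSERVATIONS, KNOWN_APS, CORP_SSIDS):
        print(alert)
```

A real WIDS would also correlate signal strength and sensor location to estimate where the rogue is, and a WIPS would send deauthentication frames to disrupt it, but the two checks above are the core of how a cloned-AP attack of this kind is spotted.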
If you have any further questions about this vulnerability, or any other worries about your IT security, our experts are here to help.