You may have heard some buzz about a vulnerability in the Wi-Fi protocol WPA2. Of course, it’s got a cute, marketable name (Key Reinstallation AttaCK, or KRACK). It’s fairly serious, despite the clever title – the researchers that discovered and published the details of the vulnerability say in their paper:
“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.”
Mathy Vanhoef & Frank Piessens
imec-DistriNet, KU Leuven
The security community is alarmed, and rightfully so: every wireless access point and client device, including laptops, phones, tablets, and so-called smart devices, is vulnerable to this attack, if they support WPA2. The details of the attack vector are heavily technical and require an understanding of how wireless cryptography works. Briefly, an attacker uses a previously unknown weakness in the WPA2 protocol to force a Wi-Fi client to reinstall a key used to encrypt its wireless network traffic. In the process of doing this, some of the cryptographic data used to calculate the key are reset to a value that’s known by the attacker. The attacker can then decrypt the client’s wireless session data going forward, exposing the contents of the session to the attacker.
While we haven’t seen attacks demonstrated against every client or network device platform yet, we feel the attack is fundamentally sound and is likely to be exploited widely in the years to come.
The CBTS security team has been in the game for years. We’ve got recommendations to ensure your wireless communications are safe going forward – a step-by-step booklet, as it were.
- Patch your workstations. Ensure Windows, Mac, Linux, and ChromeOS machines are updated as soon as the operating system vendors issue security updates, and keep them up to date regularly.
- Patch your smartphones and tablets – any device with iOS, Android, or Windows / Blackberry. Watch out for Android, especially, as the WPA2 implementation in some Android versions (specifically Android 6.0) have been shown to allow not just traffic decryption, but actual crafting of traffic from the attacker.
- Patch your access points. This one’s a little tougher; you will need to log into your access points / routers regularly to see if there are updates from the vendor and apply them, which will likely require you to reboot the device.
- Use caution connecting to suspicious wireless networks. If your client warns you when you connect to a network you’ve never used – or one that you typically do not have any problems connecting to – make sure you ask the owner of the network if everything’s kosher.
- Beware of devices that might not get updates for this vulnerability, such as so-called “smart devices” or “internet of things/IOT” devices. More and more devices are shipping with “connected” capabilities, and while these features are sometimes useful, some devices may eventually be abandoned by their manufacturer. That may mean that they aren’t updated when serious issues like this come up, and they become unsafe to use.
- Always VPN if you can. Even if your Wi-Fi session – between your device and the wireless access point – becomes compromised, if you send your traffic in a VPN session over top of the wireless connection, you will continue to protect some of your data. Use your company VPN if you’re logging on using a company asset.
- Don’t conduct sensitive business over public Wi-Fi. This means online banking, shopping, stock trading, etc. If you or your company do not own or operate the wireless network, stick to the unimportant stuff. Never let no one know how much dough you hold!
- Report any funny business. Getting strange errors using your company wireless network? Abnormally slow traffic? Warnings going to websites that are typically fine? Let your IT department know.
- For IT Teams: Look for rogue wireless access points. Set up a wireless IDS to identify access points that are using the same MAC address/BSSID as yours, possibly trying to spoof your APs.
- For IT Teams: Force clients to use only trusted WLANs. You can configure most client OS’s to only allow connections to WLANs and SSIDs you trust, in case your users are apt to hop onto whatever open public wireless networks are around them.
Follow these rules and… you’ll be much safer surfing on Wi-Fi. Good luck, and spread love, it’s the Brooklyn way!
Related Articles
Is SMS-based Multi Factor Authentication Secure?