Wi-Fi on KRACK

The InfoSec community held its breath as we were promised the end of days; an attack on Wi-Fi was promised to show fundamental flaws. I had visions of Wi-Fi routers melting and things being as bad as the Heartbleed attack of 2014.

Monday came, and a wall of tweets about the attack appeared on my timeline, including this from The Independent:

Global KRACK WPA2 security issue explained in Independent UK Breaking News. Apple claims all their OS’s are already…https://lnkd.in/gp24R_i

— Søren Ilsøe (@sorenilsoe) October 16, 2017

Then this:

The enormity of this cannot be overstated. Level of disruption equates to an EMP or a monetary collapse: https://t.co/GaMlD9aEfJ

— Michael (@md_device) October 16, 2017

In the meantime, I read through the Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 research paper and attempted to digest the catastrophe. The vulnerability has been titled KRACK; this stands for Key Reinstallation Attacks.

Years ago, when we first started using wireless, we probably had ‘open’ wireless access points. Then as we started doing more sensitive things on the Internet, we moved to encrypted Wi-Fi where we have a wireless password. This started out using an old protocol called WEP, which was broken in 2001.

WPA was created to mitigate the problems with WEP, but still only made it harder to break. The came along WPA2 with AES which was considered virtually uncrackable and adequate for most people’s and business’s security needs.

Read more on the difference between WPA and WPA2.

KRACK is a flaw in the WPA2 protocol. In essence, the flaw allows an attacker to see the traffic going from your device to your wireless access point.

This blog post is aimed as a high-level overview so I won’t go into full detail about the technical aspects of how or why. But if an attacker is successful, it allows them to see websites you are browsing and even allows them to insert their own malicious code.

Should you panic?

No, we believe that this issue has been general over hyped by the media.

By its very nature, the Wi-Fi hack means that the attacker must be in the local proximity. A common attack in cybersecurity is the ‘man-in-the-middle’ (MITM) attack; this is what we’re referring to here. The attacker must physically be located near your Wi-Fi to attack it.

Even if an attacker can perform such a man-in-the-middle attack, using this vulnerability they still cannot access information sent to or from secure websites protected by HTTPS. Similarly, they also cannot access the information sent over your corporate VPN.

So, what should you do?

There are two elements of the attack which can look to be compromised, the wireless access point (AP) or the client device (mobile phone, PC etc).

In the coming hours/days/weeks vendors will be shipping out software updates and patches to fix this vulnerability.

Apple have said they have already patched the vulnerability and will be issuing updates to consumers soon. This applies to mobile devices – including watches, tablets, phones as well as laptops and Apple TV. Although the researchers confirmed an attack on iOS version 11 was ‘difficult to execute’ anyway.

For Microsoft a patch for Windows was released on October 10th, so anyone with automatic updates enabled should be protected from this update.

Things now start getting a bit trickier. For Android devices; Google have the patch ready and will be deployed in their monthly cycle from 6th November.

However, one of the problems with Android devices is their slow security updates and researchers have said that all versions of Android 6.0 are affected by this flaw. That’s currently 32% of Android devices, so approximately 640 million devices.

Also, companies like Netgear, Cisco and other manufacturers of wireless access points have announced they’ll be issuing firmware updates to resolve this issue, but these can be a little trickier to apply depending on your hardware.

If you are concerned about the implications for your business, ensure your IT department upgrade your wireless access points, laptops and mobile devices. In the meantime, ensure your staff take reasonable precautions, like using VPN and HTTPS where possible when using Wi-Fi.

Do not go back to WEP, this will not fix the WPA2 issue, WEP has been broken since around 2001!