Taking a deeper look at the KRACK Wireless Vulnerability
In 2017, security researcher Mathy Vanhoef wrote a technical paper (submitted for review in May 2017, publicly disclosed on 16 October 2017 and presented at ACM CCS 2017) describing a serious weakness in the handshakes of WPA2, the encryption protocol used by nearly every modern Wi-Fi network. This weakness has taken the “protected” out of Wi-Fi Protected Access II (WPA2).
Those networks, both corporate and residential, are likely not as safe as you once thought.
The Key Reinstallation Attack, or “KRACK”, exploits a weakness in the WPA2 4-way handshake (and in the group key, 802.11r Fast BSS Transition and related handshakes). An attacker within radio range of a victim client or access point who can block and replay a handshake message tricks the victim into reinstalling a key that is already in use; the reinstallation resets the packet number (nonce) and replay counter, so the same keystream is used more than once.
Because of that nonce reuse, KRACK lets an attacker decrypt and replay frames that were assumed to be protected by the wireless encryption itself. Anything carried in the clear inside that tunnel, such as passwords, e-mails or credit card numbers, is exposed wherever a higher-layer protection such as TLS is absent or can be stripped.
Against some cipher configurations it is also possible to forge frames and inject data into the wireless connection.
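The following Python model shows the mechanism described above. It is an added example, not code from this article or from Mathy Vanhoef's krackattacks test scripts. It assumes a simplified client whose CCMP packet number resets to zero whenever message 3 is (re)installed, and it replaces the real AES-CTR keystream with an HMAC-SHA256 stand-in because the Python standard library has no AES; the nonce-reuse property being exploited is the same. The plaintexts, the attacker's man-in-the-middle position and the names `Client`, `run_attack` and friends are all constructed for the example. The CCMP MIC is not modelled, so, as with real AES-CCMP, the result is decryption and replay, not forgery.

```python
"""
Toy model of a KRACK key reinstallation against a Wi-Fi client.

Added example, not code from the article or from the krackattacks scripts.
CCMP's AES-CTR keystream is replaced by an HMAC-SHA256 stand-in; the property
under attack is the same: a nonce-based cipher must never encrypt two frames
under the same key and nonce. Plaintexts and attacker position are constructed.
"""
import hashlib
import hmac
import os

# Constructed plaintexts: the first is something an attacker can predict
# (the start of a plaintext HTTP request), the second is what they want.
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
SECRET_PLAINTEXT = b"Cookie: session=s3cr3t-t0ken-value"


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR keystream: deterministic in (key, nonce, counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(tk, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Wi-Fi station (supplicant) state for the 4-way handshake.

    patched=False reproduces the pre-fix behaviour: every message 3, including a
    retransmission, installs the PTK and resets the packet number (PN) to zero.
    patched=True models the fix: a retransmitted message 3 is still answered
    with message 4, but an already-installed key is not reinstalled, so the PN
    keeps counting and no nonce repeats.
    """

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None          # temporal key (TK) once installed
        self.pn = 0             # CCMP packet number; with the sender MAC it forms the nonce
        self.installed = False

    def receive_msg3(self, tk: bytes) -> str:
        if self.installed and self.patched:
            return "msg4"       # acknowledge, keep existing key and PN
        self.tk = tk
        self.pn = 0             # (re)installing the key resets the nonce counter
        self.installed = True
        return "msg4"

    def send_frame(self, plaintext: bytes):
        """Encrypt one data frame; returns (nonce, ciphertext)."""
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def run_attack(client: Client):
    """Play the attack against `client`; the AP and attacker are simulated inline.

    Returns (nonce_reused, recovered_bytes). nonce_reused is the same check a
    KRACK test performs: does the client restart its PN after a retransmitted
    message 3?
    """
    tk = os.urandom(16)                      # fresh PTK negotiated in the handshake
    client.receive_msg3(tk)                  # genuine message 3 from the AP
    nonce1, ct1 = client.send_frame(KNOWN_PLAINTEXT)

    # The attacker withholds message 4 from the AP, so the AP retransmits
    # message 3; the attacker forwards that retransmission to the client.
    client.receive_msg3(tk)
    nonce2, ct2 = client.send_frame(SECRET_PLAINTEXT)

    if nonce1 != nonce2:
        return False, None

    # Same key, same nonce: ct1 XOR ct2 == pt1 XOR pt2, so a known pt1 yields pt2.
    n = min(len(ct1), len(ct2))
    recovered = xor(xor(ct1[:n], ct2[:n]), KNOWN_PLAINTEXT[:n])
    return True, recovered


if __name__ == "__main__":
    for patched in (False, True):
        reused, recovered = run_attack(Client(patched=patched))
        print(f"patched={patched}: nonce reused={reused}, recovered={recovered!r}")
```

Running the block shows the unpatched client reusing nonce 1 and the attacker recovering the cookie line byte for byte, while the patched client moves on to nonce 2 and the attack yields nothing. The decisive fix is the one-line state check in `receive_msg3`: never reinstall a key that is already in use.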
Misconceptions in the Popular Media
Although the popular media has shared and re-shared this story, several key points are being misreported and should be clarified.
First, this attack is real: it has been demonstrated and validated by several third-party security researchers.
While the attack is sophisticated (as far as wireless network attacks go), the researcher's proof-of-concept and test scripts have been published as open-source (free) tools. This means that both the good guys and the bad guys have equal access to what is needed to carry out this attack.
Next, this attack is effective against the WPA2 protocol itself rather than one vendor's product, so essentially all modern Wi-Fi networking equipment is affected.
Several vendors have reported that they are not vulnerable to the attack, but (at the time of this publication) they have yet to submit any testing or validation of that immunity to the InfoSec community at large.
The remainder of the vendors on the ‘Not Vulnerable’ list simply don’t make wireless networking equipment, like VMware.
Finally, the attack does not by itself permit the takeover or takedown of affected wireless access points or wireless network controllers.
While it is absolutely possible to launch a secondary attack against these devices using KRACK as the initial attack vector, KRACK itself does not provide unfettered access to wireless equipment.
Put simply, both wireless network equipment manufacturers and operating system manufacturers must patch their products.
This vulnerability, while very significant in scale, is not unlike other widespread vulnerabilities: mitigation and remediation come through a software update from each respective manufacturer, and the fix is backwards compatible, so a patched device still communicates with unpatched ones.
It is current best practice that both wireless clients (workstations, phones, IoT devices) and network equipment (access points and wireless controllers) be patched.
Be clear about which side protects what: the main attack targets the client's 4-way handshake, so a patched client is protected even when the access point is not. Access points need patching for the 802.11r (Fast BSS Transition) variant and wherever they also act as clients (repeaters, mesh nodes, wireless bridges). Patch both sides to close every variant.
Every WPA2 network is exposed to decryption and replay, because the nonce reuse affects all of the ciphers. The impact is worst on networks using TKIP or GCMP: against those ciphers the attack also recovers the key used to authenticate frames, which lets the attacker forge and inject traffic.
Networks using AES-CCMP (the recommended setting) still permit decryption and replay of wireless traffic, but the attacker cannot inject traffic into the previously secured communication stream.
Most commercial Wireless Networking equipment manufacturers have released patches for this vulnerability. Microsoft has released a patch for Desktop Operating Systems: Windows 7, 8, 8.1, and 10, as well as Server Operating Systems: Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016. These patches were released between 10/10/17 and 10/16/17.
For those who are not Wireless Network or Windows Systems administrators, here are a few ways you can protect yourself from this attack.
Keep in mind that most attacks are opportunistic in nature – large public gathering spaces, coffee shops, and other areas which would provide an attacker a significant number of potential victims are more likely to be targeted.
- Avoid public Wi-Fi at all costs. This includes Google’s protected Wi-Fi hotspots until Google says otherwise.
- While on any wireless network, only use services that encrypt above the Wi-Fi layer. For websites that means HTTPS: check that the address begins with https:// and stays that way for the whole session, because an attacker who can read the Wi-Fi link can still try to downgrade you to plain HTTP on sites that do not enforce HTTPS. Any properly configured TLS connection (it does not have to be TLS 1.2 specifically) keeps the content of that session private even when the Wi-Fi encryption is broken.
- If you have a corporate or paid personal VPN service that you trust you should enable the connection full-time on all wireless networks until further notice.
- Use a wired network if your router and computer both have an Ethernet port. This exploit only affects 802.11 traffic between a Wi-Fi access point and a connected device.
- Apply operating system patches to all relevant devices, including mobile phones. Use the US-CERT vendor list linked at the end of this article to locate the manufacturer of your device and learn how to obtain the applicable patch.
- Apply patches to all wireless networking equipment that you own or manage. The same vendor list can be used to locate the appropriate source for updates to your equipment.
- WiFi is everywhere! Many devices, like medical implants and health monitors, may be very difficult to update. Regardless, they are still vulnerable to this attack. Locate those which transact sensitive information and take action to update them.
- Take this seriously. While there are many acronyms being used in the conversation about this vulnerability, ignorance does not diminish your risk. Take action and update your devices. If you don’t know how to, Contact Us or another trusted computer professional.
For Network and Windows Systems Administrators, there are several steps that you can take to mitigate the impact of this vulnerability within your environment.
- Communicate the risk and actions that your organization is going to take in response to the KRACK vulnerability. Keep your user-base informed that you are aware and are taking action.
- Identify every 802.11 Wireless device within your organization. That may include VoIP phones, printers, copiers, laptops, tablets, etc. WiFi is everywhere. Each one of these devices will require an update to mitigate its exposure to this vulnerability.
- Begin systematically patching your devices. Beginning with the Wireless Network infrastructure, deploy patches using a risk-adjusted model.
- Familiarize yourself with the CVEs assigned to this vulnerability. There are ten, one per key-reinstallation variant: CVE-2017-13077, -13078 and -13079 (PTK, GTK and IGTK in the 4-way handshake), CVE-2017-13080 and -13081 (GTK and IGTK in the group key handshake), CVE-2017-13082 (PTK in the 802.11r Fast BSS Transition reassociation, the access-point-side variant), CVE-2017-13084 (PeerKey), CVE-2017-13086 (TDLS), and CVE-2017-13087 and -13088 (GTK and IGTK in WNM Sleep Mode). Many manufacturers are remediating some but not all of these in a first patch and may release subsequent patches to cover the full set. Track which vendor has fixed which CVE(s) as patches are deployed.
- Stay vigilant and abreast of developments with this vulnerability. The CERT/CC vulnerability note VU#228519 (linked below) is the best source of information on vendor status and developments surrounding KRACK.
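A small tracker for the inventory and CVE-tracking steps above, as an added example rather than a tool from this article. The ten CVE identifiers and the handshake each covers are the ones assigned to KRACK (tracked in CERT/CC VU#228519), and the role scoping follows the disclosure (clients are exposed to every variant except FT; an access point only through 802.11r; a repeater to both). The vendor names, firmware versions, advisory contents and device inventory are constructed, as are the function names `relevant_cves`, `open_cves` and `exposure_report`.

```python
"""
KRACK remediation tracker: which CVEs remain open for each device.

Added example, not from the original article. CVE identifiers and their
handshake mapping are the real KRACK assignments; vendors, firmware versions,
advisory contents and the inventory are constructed for the example.
"""

KRACK_CVES = {
    "CVE-2017-13077": "PTK-TK reinstalled in the 4-way handshake",
    "CVE-2017-13078": "GTK reinstalled in the 4-way handshake",
    "CVE-2017-13079": "IGTK reinstalled in the 4-way handshake",
    "CVE-2017-13080": "GTK reinstalled in the group key handshake",
    "CVE-2017-13081": "IGTK reinstalled in the group key handshake",
    "CVE-2017-13082": "PTK-TK reinstalled on 802.11r Fast BSS Transition reassociation",
    "CVE-2017-13084": "STK reinstalled in the PeerKey handshake",
    "CVE-2017-13086": "TPK reinstalled in the TDLS handshake",
    "CVE-2017-13087": "GTK reinstalled on WNM Sleep Mode response",
    "CVE-2017-13088": "IGTK reinstalled on WNM Sleep Mode response",
}

# The attacks target whichever party installs the key. Stations (clients) are
# exposed to every variant except FT; an access point only through 802.11r;
# a repeater or mesh node that also associates as a station inherits both.
STATION_CVES = frozenset(KRACK_CVES) - {"CVE-2017-13082"}
FT_AP_CVES = frozenset({"CVE-2017-13082"})


def relevant_cves(role: str, supports_11r: bool) -> frozenset:
    if role == "station":
        return STATION_CVES
    if role == "ap":
        return FT_AP_CVES if supports_11r else frozenset()
    if role == "repeater":
        return STATION_CVES | (FT_AP_CVES if supports_11r else frozenset())
    raise ValueError(f"unknown role {role!r}")


def open_cves(device: dict, advisories: dict) -> list:
    """CVEs a device is still exposed to, given what its current firmware fixes."""
    needed = relevant_cves(device["role"], device["supports_11r"])
    fixed = advisories.get((device["vendor"], device["firmware"]), frozenset())
    return sorted(needed - fixed)


def exposure_report(inventory: list, advisories: dict) -> dict:
    """Map device name -> list of still-open CVEs (empty list means remediated)."""
    return {d["name"]: open_cves(d, advisories) for d in inventory}


# Constructed vendor advisories: (vendor, firmware) -> CVEs that firmware fixes.
ADVISORIES = {
    ("ExampleAP", "3.4.1"): frozenset({"CVE-2017-13082"}),
    ("ExampleOS", "2017.10"): STATION_CVES,                     # full client fix
    ("ExamplePhone", "8.0-sept"): frozenset(),                  # pre-fix build
    ("ExamplePhone", "8.0-nov"): frozenset({"CVE-2017-13077",   # partial fix:
                                            "CVE-2017-13078",   # 4-way handshake
                                            "CVE-2017-13079"}), # only
}

# Constructed inventory.
INVENTORY = [
    {"name": "ap-lobby", "vendor": "ExampleAP", "firmware": "3.3.0",
     "role": "ap", "supports_11r": True},
    {"name": "ap-lab", "vendor": "ExampleAP", "firmware": "3.3.0",
     "role": "ap", "supports_11r": False},
    {"name": "laptop-01", "vendor": "ExampleOS", "firmware": "2017.10",
     "role": "station", "supports_11r": False},
    {"name": "phone-07", "vendor": "ExamplePhone", "firmware": "8.0-nov",
     "role": "station", "supports_11r": False},
]

if __name__ == "__main__":
    for name, cves in exposure_report(INVENTORY, ADVISORIES).items():
        print(f"{name:10s} {'remediated' if not cves else ', '.join(cves)}")
```

The report makes two points that a plain "is it patched?" column hides: the lab access point with 802.11r disabled has nothing left to fix, while the phone that received only the 4-way handshake fixes still carries six open CVEs and needs the vendor's follow-up release.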
Mathy’s technical paper is linked here for your reference.
You can see the latest authoritative list of vendors and their responses in the CERT Coordination Center (CERT/CC) vulnerability note, hosted alongside the United States Computer Emergency Readiness Team (US-CERT) resources, here: US-CERT Vendor Information