The KRACK Attack — Have your WiFi’s back

Sajeeb Lohani (sml555)
Published in Hive Intelligence, Oct 17, 2017

Hivint No Bullshit(TM) Briefing, aka the TLDR version:

Yes, this is an issue, and you should patch it when you can. But, it’s not an extinction level event because:
1. It requires physical proximity. You’re not defending against every bad guy on the Internet. Just the ones next door.
2. It is probably less likely than things like Evil Twin attacks, which have been available for quite a while.
3. Given other problems you probably have in your environment, it’s quite probably not your biggest issue.
4. It’s imperfect: an attacker in the right conditions can target your device to potentially decrypt traffic and, in the best case for the attacker, modify it.

So what we recommend is:
1. Don’t panic
2. Patch the devices when you can
3. You do not need to disable your WiFi, but ideally use a VPN and/or properly implemented secure protocols such as SSH or TLS to protect any sensitive content transmitted over wi-fi networks.
4. Add this to the list of stuff you need to patch/fix. If you’ve still got Internet facing XP boxes, probably fix that first. Just because this is shiny and new doesn’t make it your highest priority.
5. If you see guys hanging around outside your office in black hoodies with large wireless antennas, ask them what they’re doing

Quick Timeline Overview

Releasing a research paper on Monday, 16th of October 2017, Mathy Vanhoef and Frank Piessens publicly disclosed the theory behind a new WPA2 exploit, named Key Reinstallation Attack (known as KRACK). Some vendors have already started to develop, test and release patches for the issue, while other companies have not taken any public action. Microsoft, Apple, Ubiquiti, Amazon, Netgear, Intel, and many others have commenced the necessary processes for patching this vulnerability.

How Does KRACK Work?

Wireless access points (hereafter WAPs) use the 4-way handshake within the WPA2 encryption protocol to ensure data sent to the client is encrypted. During the handshake the access point sends a nonce to the client, which replies with a signed nonce. A signed key is then installed within the client, and the client acknowledges the installation and the transaction. KRACK exploits a flaw in the 802.11 standard, which states that the message triggering the key installation is retransmitted until an acknowledgement is received.

Using this knowledge, an attacker can jam the acknowledgement of the installation, which assists in decrypting encrypted content sent from that client to the WAP; this can continue with each further retransmission of the signed keys. A visual representation of the attack workflow is shown in the image below:

Man-in-the-middle scenario for KRACK
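As an added illustration (not from the original post or from the KRACK paper), the toy simulation below models the failure mode that the retransmitted installation message produces: a client that reinstalls an already-in-use key also resets its packet number, so the same (key, nonce) pair encrypts two frames and the XOR of the two ciphertexts equals the XOR of the two plaintexts. The keystream function, key value and plaintexts are constructed stand-ins for AES-CCMP rather than the real protocol; the `patched` flag mirrors the fix vendors shipped, which is to ignore a reinstall of a key that is already in use.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy CTR-style keystream (constructed stand-in for AES-CCMP): SHA-256 over
    key || nonce || block counter. Same (key, nonce) -> same keystream bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified WPA2 client: the installed key and its per-frame packet number."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk = None
        self.pn = 0  # packet number, used as the encryption nonce

    def on_handshake_msg3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the key. A vulnerable client does
        # so unconditionally and resets the packet number, even for a retransmit.
        if self.patched and ptk == self.ptk:
            return  # hardened behaviour: never reinstall a key already in use
        self.ptk = ptk
        self.pn = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def nonce_reused_after_retransmit(patched: bool) -> bool:
    """Run one client through a handshake whose final acknowledgement is lost, so
    message 3 arrives twice; report whether two data frames shared a nonce."""
    ptk = b"constructed-demo-key-0123456789abcdef"  # constructed, not a real PTK
    client = Client(patched)
    client.on_handshake_msg3(ptk)
    p1 = b"GET /login HTTP/1.1\r\n"
    pn1, c1 = client.encrypt(p1)
    client.on_handshake_msg3(ptk)  # retransmitted message 3 (message 4 never arrived)
    p2 = b"POST /login HTTP/1.1\r"  # same length as p1 so the XOR lines up
    pn2, c2 = client.encrypt(p2)
    # Keystream reuse is visible without knowing the key: c1 XOR c2 == p1 XOR p2.
    return pn1 == pn2 and xor(c1, c2) == xor(p1, p2)
```

`nonce_reused_after_retransmit(False)` returns True for the unpatched client and `nonce_reused_after_retransmit(True)` returns False, which is the whole of the fix: the key stays the same, but the packet number is never rewound.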

How Does this Affect Businesses Using Wi-Fi Networks, and does using a VPN / TLS make a difference?

Provided the attacker is within appropriate physical range of the client and the access point, the attacker could decrypt the communications between the client and the WAP. This potentially means traffic being sent over the network to the client can be read by the attacker.

However, provided the content is itself encrypted using TLS (e.g. via HTTPS) or an encrypted VPN session, the traffic cannot be read by the attacker, even if they have successfully used KRACK to gain access to the wi-fi session between the client and the WAP.

To be clear: It is not required to disable your WiFi, but ideally, consider using a VPN and/or properly implemented secure protocols such as SSH or TLS to secure any sensitive content being transmitted over wi-fi networks.

What Versions of WPA are Vulnerable?

Because this issue stems from the 802.11 standard itself, all versions of WPA are vulnerable (including WPA2 Enterprise).

What Else Should We Do?

As mentioned above, many vendors have started patching the issue, so stay tuned for any updates (both client updates and WAP updates) and apply patches promptly. If you have any issues or queries regarding your devices and their current susceptibility to KRACK, contact the vendor and they should be able to assist further.
