On Monday, a serious weakness was discovered in WPA2, a protocol that secures all modern protected Wi-Fi networks. The flaw lets attackers break the WPA2 security model and steal data flowing between wireless devices and the targeted Wi-Fi network. What’s so concerning about this particular attack, dubbed “KRACK” (short for key reinstallation attack), is that it works against all modern protected Wi-Fi networks, allowing attackers to not only read and steal information transmitted across Wi-Fi, but also potentially manipulate the data or insert malware.
So, what exactly is this KRACK attack and why is it so threatening? Considering that it is National Cyber Security Awareness Month, it’s even more critical that IT service providers understand what’s at stake given this newfound vulnerability. Here’s everything you need to know about the recent KRACK attack news, who’s most at risk from this vulnerability, and the steps providers can take to mitigate these risks.
Examining the Vulnerability and How KRACK Attacks Work
The WPA2 vulnerability isn't a problem with the encryption itself, but rather an architecture problem—it lies within the "handshake process" and the way the device connects to the access point.
KRACK attacks work by leveraging the four-way handshake that is part of the WPA2 protocol process, which allows users to connect to a network and then confirm their credentials for access. Because this handshake is used by all modern Wi-Fi networks, any correct implementation of WPA2 is likely affected. Attackers can abuse it by manipulating and replaying handshake messages, essentially tricking victims into reinstalling an already-in-use key. Reinstalling the key resets the incremental transmit packet number (nonce) to zero, so the same encryption key is used again with nonce values that were already used. By forcing nonce reuse in this manner, the data-confidentiality protocol can be attacked, allowing attackers to replay, decrypt or forge packets.
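The effect of resetting the packet number can be seen in a small model. The following is an added example, not code from the original article or from any Wi-Fi stack: the Station class, the SHA-256 based keystream (a toy stand-in for the AES counter mode that CCMP uses), the key and the plaintexts are all assumptions constructed for illustration. It contrasts a client that restarts its counter when the same key is installed again with one that refuses to, and includes the check a defender would apply to a capture.

```python
import hashlib

def keystream(key: bytes, pn: int, length: int) -> bytes:
    # Toy stand-in for CCMP's AES-CTR: output depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < length:
        seed = key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client: one session key and one transmit packet number."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Called each time handshake message 3 is accepted.
        if self.patched and key == self.key:
            return                   # hardened: key already in use, keep the counter
        self.key, self.pn = key, 0   # vulnerable: counter restarts for the same key

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def reused_packet_numbers(frames):
    # Defender's check: under one key, every packet number must appear only once.
    seen, reused = set(), []
    for pn, _ in frames:
        if pn in seen:
            reused.append(pn)
        seen.add(pn)
    return reused

P1, P2 = b"constructed msg 1", b"constructed msg 2"  # constructed sample plaintexts

def run(patched: bool):
    sta = Station(patched)
    key = b"constructed-session-key"  # constructed value
    sta.install_key(key)
    frames = [sta.send(P1)]
    sta.install_key(key)              # message 3 accepted a second time
    frames.append(sta.send(P2))
    return frames

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", reused_packet_numbers(run(patched)))
```

In the vulnerable run both frames are encrypted with the same keystream, so XORing the two ciphertexts cancels the key and leaves the XOR of the two plaintexts; in the patched run the counter keeps advancing and no packet number repeats.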
Who Is at Risk?
Unfortunately, every Wi-Fi connection is vulnerable, including any devices that support Wi-Fi. Research has discovered that the vulnerability potentially impacts a wide range of devices, including those running Android, Apple, Linux, OpenBSD, Windows, and other operating systems, in some variant.
Here is a running list of hardware vendors that are known to be affected by this vulnerability, as well as links to available advisories and patches.
3 Steps to Mitigate Risk
As daunting as the KRACK attack sounds, there are some steps MSPs and IT service providers can take to mitigate the associated risks.
As with any cyber threat or attack, the first step is to always maintain open communication with your clients. Talk with them and explain that you are aware of this vulnerability and will do everything you can to figure out if, how, and why they were affected.
2. Know the Facts and Take Proper Precaution
It’s important to note that KRACK is not an attack that can be pulled off remotely; essentially, it’s a proximity-based attack. This means that in order to exploit the weakness, an attacker would have to be within range of the wireless environment or signal between a device and a nearby wireless access point. Nonetheless, you are encouraged to install updates to affected products and hosts as they become available. In fact, CERT/CC is hosting a webpage with links to security advisory and patch information for each affected vendor. This page will be updated over time as new patches are released, so be sure to keep a close watch.
Additionally, it’s never a bad idea to deploy a second layer of encryption within client environments—acting as a useful mitigation while patches become available. The simplest way to achieve this is to require users on Wi-Fi networks to employ their corporate virtual private network (VPN) while connected to Wi-Fi. Also, an access control list or firewall rule could be used to block traffic directed from the Wi-Fi network to every destination other than the VPN.
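One way to confirm that such a rule is actually in force is to audit flow or firewall logs from the Wi-Fi segment for anything allowed to a destination other than the VPN. The following is an added example, not part of the original article: the subnet, the VPN gateway address, the VPN ports and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress

WIFI_NET = ipaddress.ip_network("10.20.0.0/24")    # assumed Wi-Fi client subnet
VPN_GATEWAY = ipaddress.ip_address("192.0.2.10")   # assumed VPN gateway address
VPN_PORTS = {("udp", 500), ("udp", 4500)}          # assumed; match the VPN in use

# Constructed flow records in an assumed format: src dst proto dport action
SAMPLE_FLOWS = """\
10.20.0.15 192.0.2.10 udp 500 allow
10.20.0.15 192.0.2.10 udp 4500 allow
10.20.0.22 198.51.100.7 tcp 443 allow
10.20.0.22 203.0.113.9 tcp 80 deny
10.30.0.5 198.51.100.7 tcp 443 allow
10.20.0.40 192.0.2.10 tcp 22 allow
"""

def policy_violations(flow_text: str):
    """Return allowed flows from the Wi-Fi subnet that did not go to the VPN."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        src, dst, proto, dport, action = parts
        if ipaddress.ip_address(src) not in WIFI_NET:
            continue                      # not a Wi-Fi client, out of scope here
        to_vpn = (ipaddress.ip_address(dst) == VPN_GATEWAY
                  and (proto, int(dport)) in VPN_PORTS)
        if action == "allow" and not to_vpn:
            violations.append((src, dst, proto, int(dport)))
    return violations

if __name__ == "__main__":
    for v in policy_violations(SAMPLE_FLOWS):
        print("allowed outside VPN:", v)
```

Any record the function returns means the ACL or firewall rule has a gap, including traffic to the VPN gateway itself on a port the VPN does not use.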
Lastly, you need to offer clients a solution that is not only focused on protection, but also detection. Should future vulnerabilities arise or cybercriminals attempt to penetrate your client’s system, a comprehensive security solution can help you detect and act against attacks and prevent your clients from falling victim. With the unveiling of Continuum Security, Continuum’s new cybersecurity offering, this type of solution is very attainable for IT service providers. By monitoring, analyzing, detecting and responding to attacks, Continuum Security’s Detect & Respond solution expands IT service provider capabilities beyond simple protection. The solution also monitors for indicators of compromise, separates false positives from actual malicious events and drives remediation actions to prevent harm and reduce ‘dwell time’ from months to minutes.
3. Be Proactive
Even if you have clients that are not yet affected by this vulnerability, this might serve as a good time to go on-site and check their routers. As we’re all aware, not all routers are created equal. Clients may seek to have their Wi-Fi routers updated in order to increase security, especially as the fixes to this vulnerability roll in.
Overall, while news of this attack has struck a chord of fear within many people and organizations, it does present an opportunity to have a conversation about IT security with clients and be proactive about their strategy going forward.