Wireless encryption showing signs of KRACKing?
What is KRACK, and what can you do to counter it?
This Monday, at 8am EST, the cybersecurity industry received its latest shot of adrenaline as researchers revealed high-severity vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol: vulnerabilities so severe that attackers can eavesdrop on Wi-Fi traffic passing between computers and access points. This is not the first time Wi-Fi connections have been found wanting, and it will not be the last.
History repeating itself?
In 2001, two researchers published a cryptanalysis of Wired Equivalent Privacy (WEP), the protocol that until then had kept Wi-Fi connections secure. The analysis was refined over the following years, with additional vulnerabilities exploited to recover WEP keys within minutes. By 2008, WEP had been banned by the Payment Card Industry (PCI) as an encryption standard.
WPA2 has become the de facto standard for wireless encryption on home and business networks. The protocol has been relatively difficult to break: attacks have required a large amount of computing power or prior knowledge of the structure of the WPA Pre-Shared Key - but attacks have happened.
A vulnerability which cuts deep
Today, researchers from Belgium released an attack that will change the prevailing dynamic. Rather than using computationally expensive attacks that rely on guessing passwords, their research explains how to make a device reinstall a key that is already in use. The method has been termed Key Reinstallation AttaCK, or KRACK.
The reinstallation works by exploiting flaws in the protocol's design and in vendors' implementations of it. Because reinstalling a key also resets the nonce and replay counters associated with it, the same keystream is used more than once, which allows decryption of communications that were previously assumed to be secure, such as passwords and cookies. Furthermore, attackers can now inject additional data, such as a ransomware payload, into HTTP requests.
There are limits to the scope of the vulnerability, but the research has already been shown to affect most clients tested, including iOS, Android and Windows. It also affects other variants of WPA such as GCMP, which is expected to be widely adopted in the coming years.
The seriousness of this bug is demonstrated by the United States Computer Emergency Readiness Team (CERT) issuing a warning last night in response to the vulnerability. The danger is compounded by the fact that vendors are slow to patch and the user community is unwilling to patch or change. For example, 10 per cent of networks worldwide still use WEP despite its known insecurity.
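To make the mechanism concrete, here is an added illustration (not code from the researchers or from this article) that models a client which reinstalls its pairwise key and resets its packet number, beside the hardened variant that refuses to reinstall a key already in use, plus the defender-side check that would catch the resulting nonce reuse. The PRF-driven keystream, the sample key and the sample frames are stand-ins, assumed for illustration.

```python
import hmac
import hashlib

# Stand-in for the CCMP keystream: a PRF-driven counter mode, assumed for illustration only.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, hardened: bool):
        self.hardened = hardened  # True: refuse to reinstall a key already in use
        self.ptk = None
        self.pn = 0               # packet number, used as the per-frame nonce

    def install_key(self, ptk: bytes) -> bool:
        if self.hardened and ptk == self.ptk:
            return False          # fix: key already installed, keep the nonce counter
        self.ptk = ptk            # vulnerable path: (re)install and reset the nonce to zero
        self.pn = 0
        return True

    def encrypt(self, plaintext: bytes) -> tuple:
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))

def detect_nonce_reuse(frames) -> list:
    """Defender-side check: list every nonce that appears twice under one key."""
    seen, reused = set(), []
    for nonce, _ in frames:
        if nonce in seen:
            reused.append(nonce)
        seen.add(nonce)
    return reused

def simulate(hardened: bool):
    ptk = hashlib.sha256(b"constructed sample PTK").digest()  # constructed, not a real key
    client = Client(hardened)
    client.install_key(ptk)
    p1, p2 = b"GET /login HTTP/1.1", b"Cookie: session=abc"  # constructed sample frames
    frames = [client.encrypt(p1)]
    client.install_key(ptk)  # a replayed handshake message 3 with the same PTK arrives
    frames.append(client.encrypt(p2))
    return frames, (p1, p2)
```

In the vulnerable client both frames are encrypted under nonce zero, so XORing the two ciphertexts yields the XOR of the two plaintexts; the hardened client keeps counting from one and the check reports nothing.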
What can I do?
For now, not a lot, but here are a few mitigations.
- Are you a target? Unlikely if you are using a home network, since corporate and high-value networks present a much better target. The attacks are difficult at present and no tools have been released to allow widespread use - yet. They will come quickly.
- Use TLS. Most of your connections rely on WPA to secure the network link, but websites and transactions are additionally secured by protocols such as HTTPS/TLS. While attacks exist against these protocols too, they offer a relatively reliable level of security.
- Use a virtual private network (VPN). If you are in real doubt, a VPN will essentially wrap your traffic inside another secured tunnel, so that it exits onto the internet at a separate location.
- Patch when possible. This is a client-level issue, so ensure that your clients are updated as soon as possible. Vendors have been aware of this issue for a few weeks, so they should be pushing updates shortly.
While this continues an alarming trend of security issues related to Wi-Fi, it could serve as a catalyst for rapid adoption of a more secure protocol. The Wi-Fi Alliance has already summarised a plan of action, and vendors are working hard to address the issue as soon as possible.
Graeme is an IT security professional with over eight years' experience in IT delivery, information assurance and cybersecurity in a high-profile and fluid MoD environment. He now works as a senior consultant at Mason Advisory.