Wi-Fi Security and KRACK
Posted by Timothy Platt on Oct 18, 2017
Wi-Fi Security – What is the New KRACK Attack and How Serious Is It?
Earlier this week, a security researcher publicly disclosed a serious security vulnerability in the 802.11 WPA2 Wi-Fi protocol – this is the Wi-Fi protocol used by every modern device. The attack methods (there are multiple) used to exploit this vulnerability are being called KRACKs (Key Reinstallation Attacks). Because this is a vulnerability in the underlying protocol, and not just a bug in one implementation, nearly every Wi-Fi device in existence is vulnerable to one or more of these attacks.
How serious is this? It’s serious, because of the broad range of devices that are vulnerable.
What computers or devices are affected?
As mentioned above, nearly every device that uses Wi-Fi is vulnerable. This includes Windows computers, Mac computers, Linux computers, iOS (iPhone, iPad), Android (phones and tablets), Wi-Fi Access Points and Routers, and IoT (Internet of Things) devices – such as Wi-Fi enabled security cameras and thermostats.
Long story short – if it’s got Wi-Fi in it – it’s probably vulnerable.
What Can an Attacker Achieve with KRACKs?
Firstly, a few caveats. In order to exploit this flaw an attacker would need to be on your Wi-Fi network – so they have to be close. They cannot exploit this from afar over the Internet. Secondly, the code to perform the attack is not publicly released, but now that the information is out, you can expect that the code and attack methods will be re-created and put in use by cyber-criminals. And lastly, devices that don’t have Wi-Fi can’t be directly attacked.
What can an attacker achieve? With the right attack code, an attacker can achieve a “Man In The Middle” (MITM) position and intercept the Wi-Fi traffic from the targeted device. Anything transmitted over the network and not protected by encryption (such as non-HTTPS websites) could then be viewed by the attacker. It’s also possible for an attacker to disable HTTPS for certain websites – where the HTTPS implementation isn’t 100% correct – so ensuring you are only connecting to HTTPS websites isn’t a fix.
Remember this is not just a flaw in your Wi-Fi Access Point (WAP) or Router, it’s a flaw in Windows, Mac, iOS, and Android devices – so an attacker can potentially access information you are typing into your computer or phone, and transmitting over the network.
What Can We Do About This?
Here’s where things start to look a lot less gloomy. This is a big problem, and software and hardware vendors are already providing fixes – they just have to be applied.
Ultimately, to fix this problem, every device with Wi-Fi is going to need to be updated with a vendor-provided fix, or it’s going to have to be taken out of use. You’re going to need to update all your desktops and laptops, your network devices with Wi-Fi, and your IoT devices with Wi-Fi.
For major operating systems, as of Wednesday, Oct 18:
- Windows 7, 8, and 10 – The October security updates from Microsoft (released on 10/10/2017) contain a fix.
- macOS – Apple has released macOS 10.13.1 (High Sierra) to fix this issue. Apple has also released security updates for 10.12 (Sierra) and 10.11 (El Capitan).
- iOS – iOS 11.1 has a fix, and has been released by Apple.
- Linux – Fixes for Debian and Ubuntu have been created and are available; expect more to come shortly. Check your distro to find out what’s available.
- Android – There are many, many Android distributions, some specific to the particular model of phone and service provider. We expect that the vendors will be working on patches and updates, but it’s a very complex situation and we can’t possibly advise on the state for every Android device.
For Wi-Fi Access Points and Routers – many vendors have already created fixes and made them available. In many cases there are workarounds as well, such as disabling features like 802.11r (Fast Roaming). WAPs and Routers will only be vulnerable in certain circumstances, so it’s more important to patch everything that acts as a Wi-Fi client first, in my opinion.
For IoT devices – you’ll need to consult with the manufacturer. Hopefully the device will have upgradable firmware. Some of the very cheapest IoT devices do not, and therefore should probably be taken offline permanently. In general, all hardware and devices have bugs and security fixes, and you should never incorporate something in your network that isn’t upgradable.
Lastly, as with all updates – test on a small group of devices first, and know how to back out the update if other problems arise. This is a best practice anytime you update any device.
If I Can’t Update Immediately What Can I Do?
To mitigate the attacks until you can update, do one or more of the following:
- Turn off Wi-Fi. Use a wired Ethernet connection instead (computer) or cellular (LTE) on smartphones.
- Avoid using Wi-Fi in public places (airports, hotels, and coffee shops) where an attacker might be lurking. Free Wi-Fi is convenient, but you can’t control who else is on the network.
- Remove non-essential IoT devices from the network, until they can be patched.
- Disable vulnerable features in Routers and Wi-Fi Access Points, such as 802.11r Fast Roaming. Consult with your vendor first to find out the state of updates and vulnerabilities.
- Make sure your employees know about this issue – and act accordingly. Are smartphones used for business purposes? Do people work remotely at home or in public places? Vulnerable devices will put your business at risk.
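One way to check for the 802.11r workaround mentioned above on an access point that runs hostapd (an assumption; the article names no AP software). This is an added example, not the author's code: it flags each BSS whose wpa_key_mgmt enables a Fast Transition (FT) key-management suite and produces a config with those suites removed. SAMPLE_CONF and the function names are constructed for illustration.

```python
# Added example: audit a hostapd.conf for 802.11r (FT) key management.
# SAMPLE_CONF is constructed for illustration; it is not from the article.

SAMPLE_CONF = """\
interface=wlan0
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK FT-PSK
mobility_domain=a1b2
# guest network on a second BSS
bss=wlan0_1
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
"""

def audit_ft(conf_text):
    """Return {bss_name: [FT AKMs]} for every BSS that enables 802.11r."""
    findings, bss = {}, "(default)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("interface", "bss"):
            bss = value                  # following lines belong to this BSS
        elif key == "wpa_key_mgmt":
            ft = [akm for akm in value.split() if akm.startswith("FT-")]
            if ft:
                findings[bss] = ft
    return findings

def disable_ft(conf_text):
    """Return the config text with FT AKMs removed from wpa_key_mgmt lines."""
    out = []
    for raw in conf_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "wpa_key_mgmt":
            kept = [akm for akm in value.split() if not akm.startswith("FT-")]
            if not kept:
                # Refuse to emit an empty AKM list; an admin must pick one.
                raise ValueError("only FT AKMs configured; choose a non-FT AKM")
            raw = "wpa_key_mgmt=" + " ".join(kept)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for bss, akms in audit_ft(SAMPLE_CONF).items():
        print(f"{bss}: 802.11r enabled via {', '.join(akms)}")
```

Review the rewritten file before reloading the access point, and confirm with the vendor whether a patched build makes the workaround unnecessary.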
Get Help from the Security Experts
We hope this information has been helpful. Your situation and unique requirements will need specific assessment. And remember, we’re here to help. We can assess and advise on your current state of Wi-Fi security, and help close the issues.
Photos & Graphics
KRACK logo courtesy of krackattacks.com