KRACK Attack: How serious is this?

Risk Assessment

Do you want to know what level of risk your business is at? We have developed a self-assessment to help in identifying your risk in regards to the KRACK Attack vulnerability. 


What is happening?

We will keep this at a high level; if you want the technical details, please read the well-written paper published by the researcher who found the issue (listed in the resources section).

Background

Wireless networks work by broadcasting your network communications openly using radio waves.  These radio waves are susceptible to people listening in on them, and even talking over them.  Through the years a series of security protocols were developed to help secure this communication.  Originally it was WEP (Wired Equivalent Privacy), which was found to have problems and was replaced by WPA (Wi-Fi Protected Access), and then by a second revision called WPA2.  Since then, WPA2 has been regarded as a secure way of communicating over wireless networks.

This summer a researcher named Mathy Vanhoef, from imec-DistriNet, KU Leuven, discovered the vulnerability while reviewing code for wireless networking.  After realizing its scope, he chose responsible disclosure and worked with the CERT team to involve the companies that develop wireless products.  A timeline was set under which the information would be released publicly on October 16.  The vulnerability relies on a series of Key Reinstallation AttaCKs, hence the name KRACK Attack.

While historically attacks against the WPA protocol have focused on gaining access through password guessing, the KRACK attack exploits a vulnerability in the handshake process of the WPA protocol.  Once this protocol vulnerability was found, additional research showed that other protocols could be exploited in a similar way.

James, our NOC Manager, does an excellent job of simplifying this: Wireless is like a bunch of people trying to have private conversations at a big party. They stop annoying eavesdroppers by using special code languages that only the people in their own group of friends can understand. This attack is equivalent to some Jerk at the party tricking people into using code languages that he actually understands. Once they do that, they do not even realize that the Jerk can now understand everything they say. Even worse, because they don't suspect him, he can slyly add things to the conversation to make the party-goers do things he wants, or the Jerk can impersonate other people they trust.


How serious is this? Am I at risk?

The difficulty in calculating risk for this attack is that wireless has become a ubiquitous part of our daily lives, and this vulnerability shows how important multiple layers of security are to protecting our data.

Here are some of the factors that weigh into your specific risk.

In order to execute the KRACK Attack on a wireless network, an attacker must first create a Man-In-The-Middle (MITM) scenario.  This MITM state is created by being close enough to your wireless network to be part of it and making endpoints believe that the attacker is one of the valid wireless access points.  Because the attacker must first create this MITM state, they must be in close proximity to your wireless network and targeting it.  For some wireless networks this will be a mitigating factor, but for companies in multi-tenant buildings an attacker may be able to attack from nearby offices or floors.  Additionally, semi-private wireless networks like those used in some hotels, airports, or guest wireless networks are especially vulnerable to attack, as their very nature is to be used by unsecured devices.

While this is a big deal, there are several additional factors in deciding how at risk you are.  First we need to separate the affected devices into two categories: Access Points, which are the central hub for traffic and are usually in a fixed location, and Endpoints (workstations/phones/tablets), which do more of the roaming.

Access Points

Due to the nature of the vulnerability, access points have varying levels of risk.  Most manufacturers have released, or are in the process of developing, fixes for the vulnerability.  Mytech is monitoring for releases from the manufacturers that impact our clients, and once a release is made we will begin testing and release planning.

Endpoints

Endpoint devices like laptops, mobile phones, and tablets are an area of greater risk due to the methodology of the attack and their roaming nature.  To address the vulnerability on these devices, a patch or firmware update must be released by the manufacturer.  For recently purchased devices from major manufacturers this should not be an issue; the difficulty comes with all the other devices that you don't think about.  Wireless functions are being integrated into all sorts of things now. TVs, thermostats, environmental monitors, security cameras, fridges, and even lightbulbs are getting wireless but will likely be the last to get updates, if at all.  Even if the rest of the environment has been updated, those devices will still be at risk.

As this vulnerability attacks a specific step in the protocol, a backward-compatible fix has been found. Manufacturers are working to test and release the relevant updates and patches as soon as possible. As the list of manufacturers is too long to publish and keep up to date here, we refer you to CERT for additional information (see the CERT/CC entry in the resources section).
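The handshake weakness described above, and why the backward-compatible fix works, can be shown without any Wi-Fi hardware. In the researcher's paper, a replayed handshake message makes a vulnerable client reinstall its session key and reset the packet number it uses as the encryption nonce, so two frames end up encrypted with the same keystream. The simulation below is an added illustration, not code from the original post or from any Wi-Fi implementation: the key and frames are constructed demo values, and an HMAC-based keystream stands in for the AES counter mode WPA2 actually uses, which does not change the nonce-reuse property being demonstrated.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo value; a real session key comes out of the WPA2 handshake.
DEMO_SESSION_KEY = b"constructed-demo-session-key-----"


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Per-frame keystream derived from the session key and the packet number (nonce).
    HMAC-SHA256 stands in for AES counter mode so the demo needs only the standard
    library; as in WPA2, the same (key, pn) pair always yields the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Station:
    """Wi-Fi client state: the installed session key and its packet number."""
    patched: bool
    key: Optional[bytes] = None
    pn: int = 0

    def install_key(self, key: bytes) -> bool:
        # The handshake delivers the key. Vulnerable firmware reinstalls it when the
        # message is replayed and resets the packet number; the backward-compatible
        # fix refuses to reinstall a key already in use, so the nonce keeps counting.
        if self.patched and key == self.key:
            return False
        self.key, self.pn = key, 0
        return True

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))


def reinstallation_leaks(patched: bool) -> bool:
    """True when a replayed key install makes two frames share one keystream."""
    sta = Station(patched)
    sta.install_key(DEMO_SESSION_KEY)
    p1, p2 = b"GET /index.html HTTP/1.1", b"Cookie: session=secret!!"  # constructed
    _, c1 = sta.encrypt(p1)
    sta.install_key(DEMO_SESSION_KEY)  # replayed handshake message
    _, c2 = sta.encrypt(p2)
    # Shared keystream means c1 ^ c2 == p1 ^ p2, so a guessable p1 exposes p2.
    return xor(c1, c2) == xor(p1, p2)
```

The unpatched station leaks because its packet number restarts at 1 after the replay; the patched station ignores the repeated install and its second frame is encrypted under a fresh nonce.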

Glossary

Protocol - in technology terms, a set of rules or procedures for transmitting data between electronic devices, such as computers. In order for computers to exchange information, there must be a preexisting agreement as to how the information will be structured and how each side will send and receive it. Without a protocol, a transmitting computer, for example, could be sending its data in 8-bit packets while the receiving computer might expect the data in 16-bit packets. Protocols are established by international or industry-wide organizations.

Key – in technology terms, a key is a string of numbers used to encrypt data.  A common example is the Pre-Shared Key, or PSK, on wireless networks: it is the password you enter to join the wireless network.

Handshake – in technology terms, an automated process of negotiation that dynamically sets the parameters of a communications channel established between two entities before normal communication over the channel begins. It follows the physical establishment of the channel and precedes normal information transfer.

Man-In-The-Middle attack (MITM) – is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi) can insert himself as a man-in-the-middle.

HTTPS – HTTP over SSL, or HTTP Secure, is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks.  Use of HTTPS is usually indicated by a lock symbol in the browser.


More Information/ Resources

Krack Attack Website

CERT/CC Website

Firmware & Driver Updates

arsTechnica Article

Mitigation

The KRACK Attack only allows the attacker to view wireless communications that are natively traversing the network and not protected with an additional layer of encryption. 

Some examples of communications that are NOT encrypted by default and potentially at risk are:

  • File shares (SMB)
  • Normal web traffic (HTTP)
  • Database applications
  • Accounting applications
  • ERP/CRM solutions
  • Email systems

Mitigating this risk can be as simple as making sure the websites you use utilize the HTTPS protocol; other cases may require a VPN to encrypt network communications.  Keep in mind that you may not always know whether a wireless network is secure, so a good way to keep your data safe is to treat all wireless networks as you would one at a coffee shop, hotel, or airport.  When using wireless at locations like these, it is always best to make sure that your websites are secured by HTTPS, or to use a VPN, to help keep your data secure.

If your wireless network is at high risk of attack, it may be necessary to force all communications across it to use a VPN for access to anything.  While this may be a minor inconvenience, the level of security it provides is unmatched.  This may not be possible for networks with endpoints that do not run a conventional operating system, like those thermostats and TVs.


What about at home?

Your home is affected by this too, though you may be able to do less about it than you think.  All of those streaming video devices, TVs, fridges, and even some coffee makers need to be updated to protect against this vulnerability.  The difficult part is that many of those devices will never receive the necessary patches.  So what do you do for your home network?  The same things as for your office network, really, just with less risk of being targeted.  A good personal security practice is to check for and use HTTPS when visiting websites that involve any kind of login or personal information. On Windows, Mac, Android and iOS devices this should be easy: just make sure you install all the available updates to minimize your risk.  Those other devices may be more difficult.  We recommend checking the manufacturer's website to see whether they are releasing updates to address the vulnerability in the device; the Firmware & Driver Updates link in the resources section is a good place to start looking for those manufacturers' updates.

If your router is provided by your Internet service provider, they will most likely push patches when available.  If you own your own wireless router, we recommend you check for updates from the manufacturer and apply them.  Click here if you need a good tutorial on how to perform some of these actions on your own router.
