KRACK WiFi Vulnerability Poses Serious Security Risk
On Monday, October 16th, 2017, a critical vulnerability in the WPA2 wireless security protocol was published by Dutch researchers. KRACK WiFi Vulnerability — or key re-installation attacks — can theoretically be deployed by attackers to steal sensitive information from unsuspecting wireless users leveraging flaws in the Wi-Fi standard.
According to CERT, the vulnerabilities are in the WPA2 protocol, not within individual WPA2 implementations, which means that all WPA2 wireless networking may be affected. Mitigations include installing updates to affected products and hosts as they become available. US-CERT encourages users and administrators to review CERT/CC's VU #228519.
What can an attacker do using the KRACK WiFi vulnerability? The attacker can intercept some of the traffic between your device and your router. If traffic is encrypted properly using HTTPS, an attacker can't look at this traffic. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can just look at your unencrypted traffic if they know what they're doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same WiFi network in a coffee shop or airport.
The attacker needs to be within physical range of your WiFi network. They can’t attack you from miles and miles away. The attacker could also take control of a zombie computer near you, but that would be a much more sophisticated attack. That’s why WiFi vendors should release patches and updates as soon as possible because chances are most attackers learned about this vulnerability just this week.
How You Can Protect Yourself and Your Organization
Don’t panic, the sky isn't falling. No, you do not need to shut down your Wi-Fi network. Attacks must happen on-premises. And while the attacker can decrypt client-to-AP traffic, the attacker cannot inject arbitrary traffic into a WPA2-AES session and cannot get any authentication tokens or keys. WiFi with WPA2-AES encryption is mostly still secure, but you should take some precautions.
Android & Linux - Android 6.x and higher as well as Linux devices are extremely vulnerable, so it is recommend to limit the use of these devices on WiFi network until patches are released for these devices, and they are updated.
Update Devices - Update all of your devices with the latest security patches, specifically those that address the KRACK WiFi vulnerability. This means Wireless Access Points (WAPs), Wireless Routers, Firewalls with integrated WAPs, Windows, Mac, and Linux computers, and all mobile devices including phones and tablets. The key here is that both clients AND WAPs/Routers/Firewalls need to be updated with security patches that address the KRACK WiFi vulnerability.
Update or Replace - To restate the above, make sure any WiFi systems you have are patched and updated, whether Wireless Routers, Firewalls with integrated WAPs, stand-alone WAPs, or WiFi systems with a Wireless LAN Controller. If your device vendor doesn't put out an update, it might time to replace it.
Use Wired Connection - To be truly secure against KRACK attacks, use a wired connection. This isn't an option for mobile devices, but could be an option for laptop users. If you want to do this, make sure to turn off WiFi on your Wireless Router or Firewall.
Use Cellular Data - Turn off WiFi on your mobile device and use the cellular network. Of course, this might not work great if you are in an area with spotty coverage or you exceed your data limit.
Internet-of-Things Devices - WiFi cameras and other IoT devices could pose a serious risk from KRACK WiFi vulnerability. Don't forget to update the firmware on these devices with patches or updates that specifically address KRACK WiFi vulnerability. If patches haven't been released, you may want to turn these devices off until patches are available.
Contact Your IT Service Provider - If you're a Fulcrum Group SPOT client, don't worry, we are already formulating a plan to update your affected systems.
Want to know which vendors have patches available? See this list from ZDNet.