WIFI Vulnerability (KRACK)
By now, most of you should have heard about KRACK, or at least that there is a serious vulnerability that exists in WIFI devices around the world.
The news articles have been showing up since the weekend. Here are a few:
The problem is that this isn’t an easy fix. The weakness exists in the WPA2 standard itself.
For those who aren’t aware, WPA2 is an international standard used for connecting devices to WIFI networks. Previous standards include WEP and WPA. These standards are weak and should never be used. WPA2 is a definite improvement over those standards, but, as this weakness illustrates, it is not perfect. WPA2 includes a 4-way handshake when a device connects to a network. This handshake masks the pre-shared key used to authenticate and sets up communication between the two devices, so that traffic between them is encrypted.
How KRACK works
WIFI communications are not perfect, and designers know this. Wireless communications can be interrupted for any number of reasons. Unlike a traditional wired connection, no physical link exists between the two devices. Therefore, as part of wireless communications, there’s a standard signal that can be sent which signals a disconnection and prompts the two devices to reconnect with each other. This process happens automatically in the background all the time. It is part of standard communications, so there’s no warning or prompt to the user, no log message, etc. Also keep in mind that wireless communications are not directional (unless you have special antennae). When you send a signal over a wireless connection, you are broadcasting that signal in all directions.
The way KRACK works is relatively simple: an attacker sets up a monitoring station to listen for the connection handshake between a device and the WPA2 network it’s connected to. They then send a standard disconnect signal, which causes the device to reconnect. The 4-way handshake is then captured. This is done a lot (we’re talking thousands of times), and once they have a large enough sample of handshake traffic, they can then use some tools to discover the network’s pre-shared key.
Fixing the Vulnerability
Unfortunately, there’s nothing that can be done to prevent the vulnerability directly, other than waiting for equipment manufacturers (WatchGuard, Cisco, Netgear, etc.) to provide a software update for their WIFI devices. Now, this isn’t as bad as it sounds. This vulnerability was discovered about 6 months ago and the announcement of it was delayed, giving equipment manufacturers a chance to release patches to fix the vulnerability, and many of them already have.
TRINUS clients who have purchased wireless access points or combo firewall and access point devices will receive managed updates from TRINUS’ technical support as they become available from equipment manufacturers. This process will be ordered in accordance with TRINUS’ Tier agreement (Tier 4 clients first, Tier 3 clients second, and so on), and will be done at the earliest possible opportunity (pending manufacturer updates). Please note that some manufacturer updates may take up to one month to release. These updates will be done on TRINUS-supplied devices for no charge. Equipment purchased by other means may be subject to pre-approved chargeable services (in this case TRINUS will contact you for authorization before proceeding). If you have any questions regarding this vulnerability and its impact on your network, please contact a TRINUS technician for clarification.
Mitigation options to prevent impact
While very rare, vulnerabilities of this magnitude are bound to pop up in the future as new discoveries are made in the WIFI protocol. If you are stuck waiting for vendor updates for this particular weakness, or want to limit the impact of the next one, we have listed a few methods below that can mitigate the impact of such a vulnerability being exploited. Mitigation DOES NOT fix the vulnerability; it provides some defense against it causing damage. If you have any questions regarding the mitigation methods discussed below, please reach out to TRINUS for further assistance.
1) Have a vulnerability scan run from a device on your WIFI network
The attack allows someone to connect to your WIFI, so running a vulnerability scan from there can tell you what type of information or access an individual would have if they did manage to compromise your network.
2) Set up intrusion prevention services on your WIFI network(s)
If an attacker connects to your wireless network, they will likely start scanning your devices looking for holes. Intrusion-prevention systems can be configured to send alerts if someone is probing your network once connected. Some systems can even block such attempts entirely.
3) Reduce the number of devices connected to WIFI and the time devices spend connected to the network (if possible)
The idea here is to reduce your overall attack surface. If there are fewer devices connected to the WIFI for long periods of time, it will make an attacker’s life more difficult. They will take longer to obtain enough useful handshake data to accurately figure out the network’s pre-shared key. This is not a fix, but it will give you extra time to apply the necessary patch(es).
4) Reduce WIFI access and set up WIFI network segregation (if possible)
TRINUS recommends that WIFI networks be segregated based on the access each one requires to the network as a whole. For example, a company laptop may require access to a WIFI network that is linked to other wired devices and potentially even critical servers on the network. These networks are often referred to as “private networks.” On the other hand, an employee’s personal smartphone does not need the same level of network access, and instead only requires access to the greater internet. These devices should instead be connected to a “public” WIFI network that, if compromised, does not impact any other computers or sensitive data (servers, etc.). In some cases, there may be no need to have a “private” network at all, in which case the threat of data loss if someone accesses your WIFI network is almost non-existent. In other cases it may be possible to temporarily disable a “private” network until a manufacturer fix can be applied, to ensure network security.
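As an added example (not TRINUS’ tooling or any vendor’s product), the Python below shows the kind of detection logic that sits behind items 1 and 2 and the reconnection behaviour described under “How KRACK works”. It assumes your access point or controller logs client association events and your firewall logs connections; it then flags a client that re-associates far more often than normal within a short window, and a newly joined client that touches many distinct ports on one host. The log format, device names, addresses, MAC addresses and thresholds are all constructed for this example and will need adapting to what your equipment actually emits.

```python
"""Flag WIFI clients that reconnect unusually often, and clients that start
probing many ports shortly after joining.

Added example for this post; not TRINUS' or any vendor's code. The log
format, hosts, addresses and thresholds below are constructed and must be
adapted to real access-point / firewall logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log formats: one line per AP association, one per firewall
# connection. A "disassoc" line deliberately does not match ASSOC_RE.
ASSOC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ap>\S+) assoc client=(?P<mac>[0-9a-f:]{17})"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<fw>\S+) conn src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Split a log into per-client association events and per-source
    connection events. Returns (mac -> [(ts, seq)], src_ip -> [(ts, port)])."""
    assoc = defaultdict(list)
    conns = defaultdict(list)
    for seq, line in enumerate(text.splitlines()):
        m = ASSOC_RE.match(line)
        if m:
            # seq makes every association a distinct item for counting.
            assoc[m["mac"]].append((datetime.strptime(m["ts"], TS_FMT), seq))
            continue
        m = CONN_RE.match(line)
        if m:
            conns[m["src"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["port"])))
    return assoc, conns


def flag_bursts(per_key, window, threshold):
    """For each key, slide a time window over its (ts, item) events and record
    the largest number of distinct items seen inside any one window.
    Keys reaching `threshold` are returned with that peak count."""
    flagged = {}
    for key, items in per_key.items():
        items.sort()
        recent = deque()
        peak = 0
        for ts, item in items:
            recent.append((ts, item))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({i for _, i in recent}))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def reconnect_storms(text, window=timedelta(minutes=5), threshold=10):
    """Clients forced through the 4-way handshake far more often than a
    healthy client would be in a five-minute span."""
    assoc, _ = parse_log(text)
    return flag_bursts(assoc, window, threshold)


def port_scans(text, window=timedelta(minutes=1), threshold=8):
    """Sources that touch many distinct destination ports within a minute,
    the probing an IPS would alert on once an intruder is connected."""
    _, conns = parse_log(text)
    return flag_bursts(conns, window, threshold)


def build_sample_log():
    """Constructed sample (not from any real device): ee:02 behaves normally,
    ee:01 is pushed through twelve re-associations in three minutes, and
    ee:03 joins and probes ten ports on one server within twenty seconds."""
    base = datetime(2017, 10, 17, 9, 0, 0)
    lines = [
        f"{base:{TS_FMT}} AP1 assoc client=aa:bb:cc:dd:ee:02 ip=10.0.5.12",
        f"{base + timedelta(seconds=30):{TS_FMT}} FW1 conn src=10.0.5.12 dst=10.0.1.5:443",
        f"{base + timedelta(seconds=40):{TS_FMT}} FW1 conn src=10.0.5.12 dst=10.0.1.5:443",
    ]
    for i in range(12):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t:{TS_FMT}} AP1 disassoc client=aa:bb:cc:dd:ee:01")
        lines.append(f"{t + timedelta(seconds=1):{TS_FMT}} AP1 assoc client=aa:bb:cc:dd:ee:01 ip=10.0.5.11")
    lines.append(f"{base + timedelta(minutes=10):{TS_FMT}} AP1 assoc client=aa:bb:cc:dd:ee:03 ip=10.0.5.13")
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389]):
        t = base + timedelta(minutes=10, seconds=5 + 2 * i)
        lines.append(f"{t:{TS_FMT}} FW1 conn src=10.0.5.13 dst=10.0.1.5:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    log = build_sample_log()
    print("reconnect storms:", reconnect_storms(log))
    print("port probes:", port_scans(log))
```

The thresholds are the tuning knobs: a healthy client on a stable network associates a handful of times a day, so a dozen handshakes in a few minutes from one MAC stands out, and a freshly joined device that sweeps ten ports on a server in twenty seconds is the “probing” that item 2 wants an alert on. Feed the real association and connection logs from your access point and firewall through the same two functions once the parser matches their format.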