Security Awareness Blog

KRACK Attack - What to Communicate

Editor's Note: This blog is a work in progress and will be actively updated as new information is released.

It was announced on Monday, 16 October 2017, that the globally used WPA2 Wi-Fi security protocol has been broken. WPA2 is the security standard most commonly used by Wi-Fi networks around the world. The attack targets (and breaks) the 4-way handshake that establishes the unique encryption keys for that session. The attack is called KRACK by its author, Mathy Vanhoef. The security community is still learning the details and understanding its impact, so if you can hold off on communicating about it, we recommend waiting until everyone has a more complete picture. Long story short, no need to panic. However, if you need to communicate something, here are some basics.

THE BAD

  • The vulnerability impacts just about any device that uses WPA2 to connect to a Wi-Fi network, which today is just about all of them. This impacts not just smartphones, laptops and tablets, but also our favorite friend, IoT. The most vulnerable so far appear to be Android devices.
  • Vendors are currently developing patches for this attack. Several, such as Microsoft, have already released patches. ZDNet has a great list of the patch status for the biggest vendors.
  • This is not just a confidentiality issue. If you have any HTTP (non-encrypted) traffic on the network, an attacker can not only read that traffic but also launch attacks by injecting data into it. As per the KRACK site: "As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting."

THE GOOD

  • There are no reports of this being actively exploited in the wild - yet.
  • This is not a remote attack. A cyber criminal in one country cannot remotely hack into the Wi-Fi network of another country. The bad guy (or at least his device) has to be close enough to the targeted Wi-Fi network to connect to that network. This requirement will help limit how fast this attack can scale.
  • If your online connections are fully encrypted (such as over HTTPS) then you are protected against this attack. Examples are browser sessions that use HTTPS for all connections, or an email client using SSL to connect to your email server. Unfortunately, you expose yourself to risk if any of these sessions include unencrypted packets.

WHAT DO I TELL MY WORKFORCE?

  • Tether: If you have reason to be concerned about this vulnerability, the simplest way to protect yourself is to not use Wi-Fi. Don't use Wi-Fi you say, how can I work?! Easy, tether off of your mobile device, especially in higher-risk situations such as when traveling or working away from the office.
  • Corporate VPN: If you have a corporate VPN, ensure all staff are using the VPN for any Wi-Fi connections. You may want to take the opportunity to encourage people to use a personal VPN for their own personal use.
  • Encrypted Sessions: If people cannot tether or do not have a VPN, then ensure any activity they are doing online is natively encrypted. This step is more limited, as some encrypted sessions (such as browsing) may also include unencrypted traffic. Another option is the HTTPS Everywhere plugin for browsers. To be honest, this behavior of always using encrypted sessions should apply regardless of whether a network is vulnerable to KRACK or not.
  • Keep Systems Updated: As soon as a patch is released, ensure any device that connects to a Wi-Fi network is updated. This is a great opportunity to remind others why updating is so important, including enabling automatic updating. Perhaps even have people subscribe to the OUCH newsletter to learn more about the basics.
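
The caveat under Encrypted Sessions, that an encrypted browsing session may still include unencrypted traffic, can be checked page by page. The following is an added example, not part of the original post: it lists the subresources and form targets an HTTPS page would reach over plain HTTP. The hosts under example.test and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or submit to, another URL.
# <a href> is a navigation, not a subresource, so it is not listed.
# <link href> is treated as a fetch whatever its rel value (a simplification).
FETCH_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
    "form": "action",
}

class MixedContentAudit(HTMLParser):
    """Collect URLs that an HTTPS page would load or post to over HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            # Relative and protocol-relative ("//host/x") references resolve
            # against the page URL, inherit https, and are not reported.
            if name == attr and value:
                absolute = urljoin(self.page_url, value.strip())
                if urlparse(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="https://img.example.test/logo.png">
<a href="http://example.test/about">About</a>
<form action="http://login.example.test/session" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in audit("https://www.example.test/", SAMPLE):
        print(f"plain-HTTP {tag}[{attr}]: {url}")
```

Each finding is a request that would cross the Wi-Fi link unencrypted even though the page itself was loaded over HTTPS.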

We will keep you updated here on the latest findings and what you can communicate to others.

Updated 17 Oct, 2017: Added information about latest patches available.

 

9 Comments

Posted October 16, 2017 at 6:26 PM | Permalink | Reply

Oyvind Olsen

If our traffic is protected with HTTPS and SSL, but we use plain old DNS, aren't we then vulnerable to all sorts of attacks?

Posted October 16, 2017 at 7:03 PM | Permalink | Reply

lspitzner

Now you are thinking like a true hacker! There are certain protocols that are not encrypted by default, many of them are UDP like DNS. So you are correct, at the simplest level this could expose DNS traffic to attacks. As such, VPNs are looking even more attractive as a short term (but good long term also) solution.

Posted October 16, 2017 at 9:40 PM | Permalink | Reply

anon

Tethering to a device, wirelessly, is still a wireless LAN (Wi-Fi) connection [ref: https://en.wikipedia.org/wiki/Tethering].
Unless you're suggesting hard-wiring type-of-tether to a mobile device, in which case you should explicitly state that.

Posted October 16, 2017 at 10:30 PM | Permalink | Reply

lspitzner

That is a good point. There are multiple ways to tether (Bluetooth, WiFi, USB cable etc) and if you tether using WiFi you are vulnerable. Best not to tether with that option.

Posted October 16, 2017 at 11:07 PM | Permalink | Reply

Farhan

If you're using the HTTPS Everywhere extension then, even if you're a victim of a DNS spoofing attack, you will see a certification verification warning. Cert warnings are now more important than ever before. Get into the habit of taking it seriously.
Same goes for other secure services like all protocols that use OpenSSH wrappers. DNS spoofing attacks when using SSH, SCP, and SFTP will result in device fingerprint mismatch warnings. Take those seriously.
Unfortunately, there may still be hosts out there that do not care about TLS certificate verification out of the box or have verification disabled because someone thought it was a hassle to configure it.

Posted October 16, 2017 at 11:08 PM | Permalink | Reply

lspitzner

Great points!

Posted October 17, 2017 at 12:07 AM | Permalink | Reply

Ed Luck

One more reason why DNSCrypt becomes useful.

Posted October 17, 2017 at 12:40 PM | Permalink | Reply

Randy

Microsoft has patched Windows 10 (all versions) for this vulnerability - 2017-10 Cumulative update released Oct 10th.
Patch NOW!

Posted October 20, 2017 at 1:55 PM | Permalink | Reply

gregory

What Exactly is KRACK Wi-Fi Vulnerability?
The WPA2 encryption protocol was previously considered to be fully secure, however, because of the recently discovered KRACK vulnerability, hackers can intercept some of the traffic between your device and the router. Because of this vulnerability, a hacker can:
- View and store your unencrypted data transmitted via Wi-Fi
- Manipulate data on a Wi-Fi network
- Steal your passwords, financial data, and other sensitive information
- Access and control your IoT devices
Source: https://goo.gl/xcHGxh