Earlier this week, alarm bells rang around the infosec world after Belgian security researcher Mathy Vanhoef went public with a novel exploit he had identified called a key reinstallation attack – Krack for short – that could enable a hacker to read encrypted user data transiting a Wi-Fi network.
The Krack exploit – extensive technical details of which can be found on Vanhoef’s website – is particularly dangerous because it affects not end-user routers or devices, but WPA2, the security standard that underpins every Wi-Fi network in the world.
“The Krack problem is unfortunately a prime example of a design flaw as opposed to an implementation bug – that’s why Krack is so pervasive,” said Gary McGraw, vice-president of security technology at Synopsys. “Generally speaking, flaws have a much greater impact than bugs and are harder to fix.”
The immediate concern arising from the discovery of Krack is that there is a possibility that every Wi-Fi network in the world could be breached. But will they be? In practice, it may not be that likely, according to the Wi-Fi Alliance, the industry body representing the wireless sector.
“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the organisation said in a statement.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member. Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.”
In its statement, Microsoft said multiple specific conditions would have to be met for a malicious actor to take advantage of the Krack exploit – not least, they would have to be physically close to the targeted user in order to execute a man-in-the-middle attack, and the targeted device would have to have wireless networking enabled.
Writing on his blog, Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and a lecturer in computer science at UC Berkeley, said that although Krack was a novel vulnerability, it did not allow attackers to join the network and relied too much on physical proximity.
Weaver said the exploit was a problem only for IT managers with secure and “substantially” trusted Wi-Fi networks that attackers could get physically close to, and where more easily exploitable avenues of attack were closed off. “For everybody else, it is a non-issue,” he added.
This would seem to suggest that any Krack attacks taking place in the wild will probably be opportunistic, not planned, although it is still important to note that this is not necessarily the case.
Time to patch
It is also important to note that key players in the industry were first notified about the vulnerability in August 2017, which means companies such as Apple and Microsoft have had well over a month to get to grips with it.
Apple is already understood to have confirmed that the exploit has been patched in betas of its iOS, tvOS, watchOS and macOS operating systems.
Microsoft, meanwhile, said it had addressed the vulnerability in its most recent round of patches by “changing how Windows verifies wireless group key handshakes”.
So what steps can users take to protect themselves in the short term? Many of the options available are well-known and obvious ones, and are probably standard practice for many IT departments.
Given the potential for opportunistic rather than targeted exploitation of the Krack vulnerability, one of the most likely vectors for an attack will be over public Wi-Fi networks at transport hubs, cafes, and so on. Mobile workers should therefore stop using such networks.
If the ability to use a wired connection is available, users may also want to consider plugging back into the network using an Ethernet cable – if ports are available on both the device and the router.
Wi-Fi users should also consider their browsing habits, and ensure the web pages they use are served over HTTPS.
For those prepared to spend some of the IT budget on shoring up network defences, acquiring and using a virtual private network (VPN) to add an additional layer of security may be worthwhile. VPNs are widely used by remote workers at distributed enterprises to enable secure access to business systems. Fundamentally, they work by rerouting encrypted data through a secured tunnel to ensure it cannot be read by a third party.
According to Marty Kamden, chief marketing officer at VPN supplier NordVPN, such wide-ranging vulnerabilities are not easily fixed, particularly for smaller businesses and consumers that rely on hardware that internet service providers (ISPs) may take years to switch out.
“That is another situation where users should take their internet security into their own hands,” said Kamden. “Everyone should assume that their network is now vulnerable, and take precautions. VPNs remain the strongest defence from these types of vulnerabilities.”
However, users should still be wary, particularly those using Android devices, which are at heightened risk of a Krack attack. Earlier this year, researchers at CSIRO and the universities of Berkeley and New South Wales found that 84% of 283 VPN apps available on the Google Play Store leaked data, 80% wanted access to sensitive device data, 38% contained links to malware, and 18% did not actually encrypt any traffic.
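Also, a VPN will not help users if it is configured only on the router, because traffic between the device and the router still crosses the Wi-Fi link outside the tunnel – users must take care to ensure their devices themselves are connected to a VPN from within the network.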
Patrick Clover, founder and CEO of BlackBX, a supplier of guest Wi-Fi services, said businesses should use Krack as an opportunity to invest in more secure networking equipment, such as secure point-of-sale devices and more reliable APs.
“It is also important to make use of ongoing services, such as guest Wi-Fi management software and trustworthy IT service providers who can take charge and help in these situations,” said Clover.
“This means that businesses have someone who can take responsibility for ensuring that their Wi-Fi is secure if or when breaches occur.”
Opportunities for improvement
In the long term, enterprises are also advised to use Krack as an opportunity to address other aspects of their security posture, said Matt Walmsley, EMEA director at Vectra.ai.
“Enterprises need to increase their visibility inside the network to automatically detect, analyse and respond to nefarious behaviours before they have time to escalate into critical security incidents,” he said. “Using artificial intelligence provides an added layer of protection and ensures a more holistic coverage across the entire network. It significantly improves accuracy of threat detection and enables faster incident response to mitigate risks before they cost the organisation dearly.”
Mark Orlando, CTO of cyber services at Raytheon, called for more transparency to be brought to the standards and protocols around any technology – not just Wi-Fi – so that developers who depend on it can understand where risks reside. For Wi-Fi, this was particularly important when considering the oncoming impact of large-scale internet of things (IoT) deployments, he said.
“The future viability of the IoT will be determined by how seriously industry takes issues like this,” he added. “Speed to market has driven most of the development and deployment of wireless devices that make up the IoT, rather than security.
“These devices are cheap and small and almost forgettable as millions of them feed data into our new cyber ecosystem. Updating them to keep up with cyber threats and new vulnerabilities was never part of the equation for many of their developers.”