WiFi KRACKED - What does it mean for users of WPA2 wifi security?

There's a lot of noise on the Internet today. 

WPA2 encryption - the encryption that secures most of our WiFi connections - has been broken

This is a BIG deal.

Just about every wifi device in use today is using some form of WPA.  The older WEP was cracked many, many years ago, so we won't go there.  WPA2 is the current standard for securing your wifi, and now it has a serious flaw too.  So essentially this affects almost every wifi device on the planet?  Well, kinda, yes.
The way this attack works (highly simplified) is that an attacker within radio range puts themselves in the middle between a client (your laptop or phone, for example) and a valid wifi network and tampers with the 4-way handshake that sets up the encryption key for the session.  The third message of that handshake tells the client to install the key, and the access point retransmits it if it doesn't get an acknowledgement.  Due to a design flaw in the standard, a client that receives that message again reinstalls the same key and, in doing so, resets the packet counter (the nonce) that is supposed to make every packet's keystream unique.  By replaying message 3 the attacker forces the client to encrypt fresh packets with keystream it has already used, and reused keystream can be cancelled out against packets whose contents are known or guessable, revealing the contents of other packets.  The attacker does NOT learn your wifi password or the key itself (changing the password does not help); what they get is the ability to decrypt traffic the attacked client sends.  Depending on the cipher in use (TKIP and GCMP, but not AES-CCMP) they can also forge packets and inject traffic INTO the network.  On Linux and Android 6.0 and later it is worse still: a bug in wpa_supplicant makes the client install an all-zero key on reinstallation, so everything that device sends can be decrypted with no guesswork at all.
Since this is a flaw in the design of WPA2 (in the 802.11 standard itself, not in one vendor's implementation) it is not restricted to one vendor or another.  Every WPA2 client that follows the standard is affected no matter who made it; implementations differ only in how badly.
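To make the mechanism above concrete, here is a simulation of the key reinstallation, written for this post and not taken from the researchers' code or from any vendor.  It models only the part of a WPA2 client that KRACK targets: what happens when message 3 of the 4-way handshake arrives twice.  The keystream generator is a stand-in (HMAC-SHA256 run in counter mode) for the AES-CCM keystream real CCMP uses; the property demonstrated, that the same key and the same packet number always give the same keystream, holds for the real cipher too.  All keys and frames are constructed for the example.

```python
"""Simulation of the KRACK key-reinstallation flaw in a WPA2 client.

Added example (not code from the original post or from the KRACK researchers).
The handshake, client state and per-packet encryption are simplified models;
the keystream function is a stand-in for CCMP's AES-CTR keystream.
"""
import hashlib
import hmac
import os

ZERO_TK = bytes(16)  # the all-zero key that buggy wpa_supplicant versions install on reinstall

# Constructed sample traffic: a frame whose content the attacker can guess, and one it wants.
KNOWN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
SECRET = b"Cookie: session=s3cr3t-token\r\n"


def keystream(tk, pn, length):
    """Stand-in for CCMP keystream: fully determined by (temporal key, packet number).
    Real CCMP builds its AES counter blocks from the 48-bit packet number (PN), so the
    same (TK, PN) pair always yields the same keystream. That is what KRACK abuses."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """A supplicant reduced to its reaction to message 3 of the 4-way handshake."""

    def __init__(self, patched=False, clears_tk=False):
        self.patched = patched        # fix: never reinstall a key that is already installed
        self.clears_tk = clears_tk    # wpa_supplicant 2.4-2.6 behaviour: key zeroed after install
        self.tk = None                # key currently installed in the "driver"
        self.pn = 0                   # transmit packet number (the CCMP nonce)
        self._tk_buf = None           # the supplicant's own copy of the negotiated key

    def on_msg3(self, tk):
        """Handle message 3 ("install this key") and answer with message 4.
        The standard does not forbid installing an already-installed key, so an
        unpatched client resets its packet number every time message 3 arrives."""
        if self._tk_buf is None:
            self._tk_buf = tk                # first message 3: remember the negotiated key
        if self.patched and self.tk is not None:
            return b"MSG4"                   # patched: acknowledge, touch neither key nor PN
        self.tk = self._tk_buf               # (re)install key into the driver
        self.pn = 0                          # installation resets the nonce: the flaw
        if self.clears_tk:
            self._tk_buf = ZERO_TK           # buggy supplicant wipes its copy after install
        return b"MSG4"

    def send(self, plaintext):
        """Encrypt one data frame; the packet number travels in the clear with it."""
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))


def run_krack(patched=False, clears_tk=False):
    """Attacker in the middle delays and replays message 3. Returns what the attacker
    recovers of SECRET, or None if the client did not reuse its nonce."""
    tk = os.urandom(16)                       # the negotiated key; the attacker never learns it
    victim = Client(patched, clears_tk)
    victim.on_msg3(tk)                        # legitimate message 3: key installed, PN = 0
    pn1, c1 = victim.send(KNOWN)              # victim sends a guessable frame under PN 0
    victim.on_msg3(tk)                        # attacker replays the captured message 3
    pn2, c2 = victim.send(SECRET)             # next frame: PN 0 again if vulnerable
    if pn2 == 1:
        return None                           # no reuse: the replay was ignored
    if clears_tk:
        # Linux/Android case: the key is now all zeros, so decrypt directly, no guessing needed.
        return xor(c2, keystream(ZERO_TK, pn2, len(c2)))
    # Same TK, same PN, same keystream: c1 xor c2 == KNOWN xor SECRET, so the known
    # frame reveals the secret one without any knowledge of the key or passphrase.
    return xor(xor(c1, c2), KNOWN)


if __name__ == "__main__":
    print("unpatched client :", run_krack())
    print("zero-key client  :", run_krack(clears_tk=True))
    print("patched client   :", run_krack(patched=True))
```

The patched branch is the essence of the fix vendors shipped: message 3 is still acknowledged (so the handshake completes even with a lossy link), but a key that is already in use is never installed a second time, so the packet number keeps counting upward and no keystream is ever reused.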

OK.  now what? 

This is a story that is unfolding as I write. Please be aware:
  • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of finding problems in this area.   Also credit to Alex Hudson, where I read and borrowed much of this. 
  • www.krackattacks.com is now up!  A list of vendor announcements is being written, but remember all vendors are potentially affected.  Few vendors appear to have updates ready.
  • Attacks against Android (6.0 and later) and Linux clients are especially easy because of the all-zero key bug in wpa_supplicant!  Best to turn off wifi on these devices until fixes are applied!
  • Apple devices are vulnerable!  Yes, that means your newest iPhones and iPads too!  (Apple has said fixes are in beta.)
  • Windows users are in better shape: Windows does not accept the retransmitted handshake message the main attack relies on, and Microsoft shipped a fix for the remaining group-key variant in its October 2017 updates.  Updates for other OSes will come quite quickly; the big problem is embedded devices, for which updates are slow or never coming.
  • For the very technical, the CVE list is at the bottom of this post.
  • The main attack is against clients, not access points.  So updating your router may or may not be necessary (it is if the router uses 802.11r fast roaming, or itself acts as a client, repeater or mesh node); updating your client devices absolutely is!  Keep your laptops patched, and particularly get your Android phone updated.
  • WPA2-Enterprise is vulnerable too: the 4-way handshake being attacked is the same whether the master key came from a pre-shared passphrase or from 802.1X.
Information here is good as of 2017-10-16 12:00 EDT.
Step 1 - Keep Calm
Remember, there is a limited amount of physical security already on offer by WiFi: an attacker needs to be in proximity (close enough to see your wifi signal). So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.
Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like your bank or an ecommerce site – your browser is negotiating a separate layer of encryption, and the attacker cannot break that. One caveat: someone sitting in the middle of your connection can try to strip HTTPS from sites that don’t insist on it (no HSTS), as the researchers’ own demo showed, so keep an eye on the padlock and treat a site that suddenly loads over plain http as suspect. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.
So we're ok then?

In a word, no. There are plenty of nasty attacks people will be able to do with this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they won’t be able to pretend to be a secure site like your bank on the wifi, but they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.

You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to and probe them.

If you're a small business or reporting to your boss:
  • this won’t let people who are not physically present into your networks;
  • it’s unlikely any data is protected by the encryption WPA2 provides; in particular, accessing secure websites is still fine;
  • think about increasing the level of security of the nodes on your network if possible – make sure your AV is up-to-date, firewalls turned on, etc.;
  • if you’re paranoid about certain data or systems, turn off WiFi and switch to an internal VPN, a wired ethernet connection, or mobile data (for WAN access);
Get out ahead and keep on top of the situation and keep monitoring for the best next steps.  
In terms of what to do, in many ways we're at the mercy of our vendors.  If you have a high quality vendor (I would include companies like Ruckus/Brocade, Cisco, et al in this bracket) I would expect new firmware to be available shortly.  Remember that it is the CLIENT-side fix that matters most: access points only need patching if they support 802.11r fast roaming or themselves operate as a client (repeater, mesh or bridge mode).   If you are a PCI-DSS compliant shop, this is HIGH priority.
If you're talking to friends / family:
This is where it gets really sucky. Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment (smart TVs, printers, cameras, thermostats) that may well never see an update. The router itself mostly doesn’t matter here, since the attack is on the client side; the problem is that any unpatched client on the network can have its wifi encryption defeated by an attacker in range, and for the devices that never get a patch that is going to stay true for as long as they are in use.
Reiterate the same points as above:
  • secure websites are still secure, even over Wifi
  • think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes.
  • Remember, if third parties can get onto your home network, it’s no longer any safer than an internet cafe;
  • if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary;
  • it sounds like no similar attack against ethernet-over-powerline is possible, so home networks based on powerline transmission (eg HomePlug, et al) are probably still ok;
  • keep computers and devices patched and up-to-date.
Technical bits - CVEs involved:
If you don’t know what these are, don’t worry – they are the “official notifications” of a problem, if you like. If you have a vendor of WiFi equipment, you will want to ask them if they’re affected by any of these, and if so, what the solutions are. The first entry is the weakness class (reusing a nonce with the same key); the rest are the individual vulnerabilities, each a different handshake in which a key can be reinstalled:
  • CWE-323: Reusing a Nonce, Key Pair in Encryption
  • CVE-2017-13077: reinstallation of the pairwise key (PTK-TK) in the 4-way handshake
  • CVE-2017-13078: reinstallation of the group key (GTK) in the 4-way handshake
  • CVE-2017-13079: reinstallation of the integrity group key (IGTK) in the 4-way handshake
  • CVE-2017-13080: reinstallation of the group key (GTK) in the group key handshake
  • CVE-2017-13081: reinstallation of the integrity group key (IGTK) in the group key handshake
  • CVE-2017-13082: accepting a retransmitted Fast BSS Transition (802.11r) reassociation request and reinstalling the pairwise key (this one affects access points)
  • CVE-2017-13083
  • CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
  • CVE-2017-13085
  • CVE-2017-13086: reinstallation of the TDLS PeerKey (TPK) in the TDLS handshake
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a WNM Sleep Mode Response frame
Other Links: