By Michael Marriott,
Digital Shadows security expert
Today, a series of high-severity vulnerabilities affecting the
WiFi Protected Access II (WPA2) protocol were disclosed. Security researchers
have developed a proof of concept (POC) demonstration, dubbed
"KRACK", and a dedicated website through which further details are
likely to be released.
An advisory was distributed
by the US CERT to a
select number of unidentified organizations stating the following malicious
activities could occur should an attacker successfully exploit the
vulnerabilities: decryption, packet replay, TCP connection hijacking, and HTTP
content injection attacks.
What we know about KRACK Attacks
It’s likely that a large number of devices which use WiFi are exposed to this
vulnerability, but the attack only works if the attacker is within range of the
victim’s network; it requires the physical proximity of the attacker to the
victim’s network.
Researchers have demonstrated a proof of concept (POC) attack,
dubbed “Krack attack”, targeting an Android smartphone; the accompanying video
showed how all the data transmitted by the victim could be decrypted. The video
also showed a plaintext downgrade attack against TLS/SSL via sslstrip. Details of
this are available on a dedicated website: hxxps://www[.]krackattacks[.]com/.
Linux and Android versions 6.0 and above are particularly affected, though the
list of vulnerable devices is extensive.
Some wireless manufacturers have already developed patches to
mitigate this threat, with Bleeping Computer and US CERT having published useful lists of the latest firmware and driver
updates.
What we do not know about KRACK Attacks
While there is a proof of concept demonstration, there was no
proof of concept code released, and no public indication these vulnerabilities
had been exploited in the wild. Although the POC video gave a good overview of
the exploit, the exact technical knowledge required to successfully conduct
this type of attack is unknown.
We have not yet observed the vulnerability exploited in the wild, but
criminals have shown an interest. This is confirmed by conversations on
criminal forums, with users interested – yet skeptical – about finding a quick
exploit.
What you can do about it
The US CERT reiterates that the vulnerabilities could potentially
be used to conduct arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast, and
multicast frames by conducting a man-in-the-middle (MiTM) style attack. Of
course, not all devices are equally affected, but the research paper outlines these
differences.
In order to manage the risk, here are five steps
organizations can take:
1. Enumerate connected devices. Use your wireless control software to enumerate all connected devices
and create an inventory. The connected devices will give an indication of the
risk posed. Look out for internet of things devices, such as printers, and any Android
or embedded Linux devices.
2. Patch your vulnerable connected devices. The first priority is,
predictably, to patch vulnerable devices. More patches are expected over the
next 24 hours, so monitor for updates. As mentioned earlier in the blog, Bleeping
Computer and US CERT have both provided good updates on this.
3. Adopt a second layer of security. Despite well-known issues with some VPNs, having
non-wired internet users connected by VPN is a good interim measure. Adopting
cryptographic protocols, such as Transport Layer Security (TLS/SSL), is another
option.
4. Consider a wired connection. Based on the extent to which your connected
devices are vulnerable, consider switching to an Ethernet connection. While
this might not be scalable for an enterprise campus, it is a consideration
should the severity increase over the upcoming days.
5. Stay up-to-date on the latest KRACK news. There will be more to come, so stay tuned for
further updates.
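Steps 1 and 2 above amount to an inventory-and-prioritise exercise. The following Python script is an added example (not code from the original post or from Digital Shadows) of how that triage could be scripted: it reads a client export from a wireless controller and ranks devices for patching using only the guidance in the post, i.e. Android 6.0 and above, Linux and embedded Linux clients, and IoT devices such as printers go to the top of the list. The CSV column names (mac, hostname, os, os_version, patched), the sample rows and the hostname keyword heuristic are all assumptions for illustration; a real controller export will need its own column mapping.

```python
"""Triage a wireless-controller client export for KRACK patch prioritisation.

Added example, not from the original post. Assumes the controller can export
connected clients as CSV with the columns used in the constructed sample below;
real exports differ and the column names here are assumptions.
"""
import csv
import io
import re
from collections import namedtuple

# Constructed sample export; column names and rows are assumed, not from any vendor.
SAMPLE_EXPORT = """mac,hostname,os,os_version,patched
aa:bb:cc:00:00:01,ceo-phone,Android,7.1,no
aa:bb:cc:00:00:02,lobby-printer,Embedded Linux,,no
aa:bb:cc:00:00:03,dev-laptop,Linux,4.13,yes
aa:bb:cc:00:00:04,finance-pc,Windows,10,no
aa:bb:cc:00:00:05,old-tablet,Android,5.1,no
aa:bb:cc:00:00:06,sales-phone,iOS,11,no
"""

Device = namedtuple("Device", "mac hostname os os_version patched priority reason")


def _version_tuple(text):
    """Parse '7.1' -> (7, 1); returns () when the field is empty or unparsable."""
    return tuple(int(p) for p in re.findall(r"\d+", text or ""))


def classify(row):
    """Assign a patch priority (1 = highest) from the post's guidance:
    Android 6.0+, Linux / embedded Linux and IoT devices such as printers
    are the ones to look for first. Everything else is checked against the
    vendor advisory lists (Bleeping Computer, US CERT)."""
    os_name = (row.get("os") or "").strip().lower()
    version = _version_tuple(row.get("os_version"))
    hostname = (row.get("hostname") or "").lower()
    patched = (row.get("patched") or "").strip().lower() == "yes"

    if patched:
        return 4, "vendor patch applied; verify on next inventory pass"
    if "android" in os_name and version and version >= (6, 0):
        return 1, "Android 6.0 or later"
    if "linux" in os_name:
        return 1, "Linux / embedded Linux client"
    # Hostname keyword heuristic: an assumption, tune to local naming conventions.
    if "printer" in hostname or "iot" in hostname:
        return 1, "IoT device, likely embedded Linux"
    if "android" in os_name:
        return 2, "Android below 6.0; check vendor advisory"
    return 3, "other platform; check vendor advisory"


def triage(export_text):
    """Return Device records sorted by priority (highest first), then hostname."""
    devices = []
    for row in csv.DictReader(io.StringIO(export_text)):
        priority, reason = classify(row)
        devices.append(Device(row["mac"], row["hostname"], row["os"],
                              row["os_version"], row["patched"] == "yes",
                              priority, reason))
    return sorted(devices, key=lambda d: (d.priority, d.hostname))


def unpatched_high_priority(export_text):
    """Hostnames that should be patched first (priority 1, not yet patched)."""
    return [d.hostname for d in triage(export_text) if d.priority == 1]


if __name__ == "__main__":
    for d in triage(SAMPLE_EXPORT):
        print(f"P{d.priority} {d.hostname:<15} {d.os:<15} {d.reason}")
```

Re-running the script after each round of firmware and driver updates (flipping the patched column as devices are confirmed fixed) gives a simple way to track step 2 as more vendor patches arrive over the following days.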