On Monday, October 16, 2017, a serious weakness in Wi-Fi security called KRACK was publicly disclosed. KRACK is an attack on the WPA2 protocol that works against all modern protected Wi-Fi networks. This update informs you about KRACK and its security risks. It also gives hands-on advice to prevent your organization from becoming a victim.
Key Reinstallation Attack (KRACK) is a new type of attack on WPA- and WPA2-secured Wi-Fi networks. The attack targets the communication between a client, for instance a smartphone, and an access point or router. When the client connects to a wireless network, a so-called 4-way handshake is executed. This handshake verifies that both the client and the access point hold the correct credentials, i.e. the shared password, to access the network. At the same time, a fresh session key is agreed between the client and the access point; this key encrypts all further communication. With KRACK, an attacker tricks the client (or, in some variants, the access point) into reinstalling an encryption key that is already in use. This is done by manipulating and replaying the handshake messages, typically by blocking message 4 so that the access point retransmits message 3. Reinstalling the key resets the transmit packet number (the nonce) and the receive replay counter, so the same key/nonce pair is used for more than one frame, which breaks the guarantees of the encryption protocol. See also https://www.krackattacks.
The consequence of KRACK is that data sent over WPA/WPA2-protected Wi-Fi networks can be decrypted and replayed and, depending on the cipher in use, modified or injected. Almost all wireless networks, both at home and in the office, use WPA/WPA2, so this risk applies to practically everyone. The attack can be used to steal sensitive information such as passwords and credit card numbers; in some cases it is even possible to inject malware or manipulate data. Two caveats: the attacker must be within radio range of the network and act as a man-in-the-middle between client and access point, and the attack does not reveal the Wi-Fi password itself.
When WPA-TKIP or the GCMP encryption protocol is used instead of AES-CCMP, the impact is particularly high: in these cases it is possible not only to decrypt data, but also to forge and inject packets. Note that AES-CCMP is also vulnerable. Its impact is lower because, as far as we know, traffic can only be decrypted and replayed, not forged. The attack has the most impact on version 2.4 or higher of wpa_supplicant, the Wi-Fi client typically used by Linux systems: after a reinstallation this client ends up with an all-zero encryption key, which makes decryption trivial. Android 6.0 and higher ships this client. How the attack works on an Android smartphone can be seen in the researchers' demonstration video.
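To make the mechanism described above concrete, here is a small Python model of the key reinstallation and of the nonce reuse it causes. This is an added example, not code from the original advisory or from the KRACK researchers: a SHA-256 based keystream stands in for AES-CCMP counter mode, the handshake is reduced to message 3 and its retransmission, and the client, attacker and plaintexts are all constructed. The patched variant models the fix that the wpa_supplicant maintainers applied, namely refusing to install a PTK that is already installed.

```python
"""Toy model of the KRACK key-reinstallation flaw (added example, not the page's code).

A SHA-256 based keystream stands in for AES-CCMP counter mode, and the 4-way
handshake is reduced to message 3 and its retransmission. The only property
modelled is the one that matters: installing a key resets the transmit packet
number (the CCMP nonce), so a reinstalled key makes the client reuse a key/nonce
pair, and two frames end up XORed with the same keystream.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP counter mode: keystream depends only on (key, packet number)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Simplified supplicant. The PTK was derived from msg1/msg2 earlier; msg3 installs it."""
    pending_ptk: bytes
    patched: bool = False          # patched: never reinstall an already installed PTK
    ptk: Optional[bytes] = None
    tx_pn: int = 0                 # CCMP packet number, used as nonce for outgoing frames
    last_replay_counter: int = 0   # EAPOL replay counter of the last accepted msg3

    def handle_msg3(self, replay_counter: int) -> str:
        # The EAPOL replay-counter check does not stop KRACK: a genuine retransmission
        # carries a higher counter, so it is accepted just like the original msg3.
        if replay_counter <= self.last_replay_counter:
            return "dropped"
        self.last_replay_counter = replay_counter
        if self.patched and self.ptk is not None:
            return "ack-only"      # reply with msg4 but leave key and packet number untouched
        self.ptk = self.pending_ptk
        self.tx_pn = 0             # (re)installation resets the nonce: this is the KRACK bug
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame; returns (packet number, ciphertext)."""
        assert self.ptk is not None, "no key installed yet"
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))


def run_attack(ptk: bytes, p1: bytes, p2: bytes, patched: bool) -> dict:
    """Man-in-the-middle blocks msg4, the AP retransmits msg3, the attacker forwards it."""
    client = Client(pending_ptk=ptk, patched=patched)
    client.handle_msg3(replay_counter=3)   # genuine msg3: PTK installed, PN reset to 0
    pn1, c1 = client.send(p1)              # first data frame, PN = 1
    client.handle_msg3(replay_counter=4)   # retransmitted msg3 forwarded by the attacker
    pn2, c2 = client.send(p2)              # unpatched client: PN = 1 again, same keystream
    return {"pn1": pn1, "pn2": pn2, "c1": c1, "c2": c2}


def attacker_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Under keystream reuse c1 XOR c2 == p1 XOR p2, so a known or guessable p1 reveals p2."""
    return xor(xor(c1, c2), known_p1)


if __name__ == "__main__":
    PTK = bytes(range(16))                              # constructed session key
    P1 = b"GET / HTTP/1.1\r\nHost: intranet\r\n"       # constructed, guessable frame
    P2 = b"user=alice&pass=hunter2&remember=1\r\n"     # constructed secret frame
    for patched in (False, True):
        r = run_attack(PTK, P1, P2, patched)
        leaked = attacker_recover(r["c1"], r["c2"], P1)
        print(f"patched={patched}: packet numbers {r['pn1']} then {r['pn2']}, "
              f"plaintext recovered: {leaked == P2[:len(leaked)]}")
```

The unpatched run shows the two frames encrypted under packet number 1 twice and the second plaintext recovered from the first; the patched run answers the retransmission without touching the installed key, so the packet number keeps counting and the XOR trick yields nothing. Real CCMP additionally authenticates frames, which is why a CCMP network allows decryption and replay but not forgery, while TKIP and GCMP also leak the key needed to forge frames.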
Microsoft has already released a security patch for Windows 7, 8, 8.1 and 10. It can simply be downloaded and installed through Windows Update. Apple also has a security patch ready; it will be released with the next update round, macOS 10.13.1 and iOS 11.1, probably this month. The vulnerabilities are tracked as CVE-2017-13077 through CVE-2017-13088 and in CERT/CC vulnerability note VU#228519. If you want to know whether a specific product is (still) vulnerable, consult the CERT/CC database or contact the vendor.
• Always use end-to-end encrypted connections as much as possible, for example HTTPS or a VPN. An encrypted tunnel on top of Wi-Fi keeps the contents of the traffic confidential and authenticated even if the Wi-Fi encryption itself is broken; an attacker can then at most see which hosts are contacted.
• Fortunately, more and more websites already use HTTPS. For users it is therefore all the more important to keep a close eye on the certificate (the padlock) of a website and not to click through the web browser's warnings: an attacker in the middle may try to strip HTTPS or present a bogus certificate.
• Depending on the risk, use other communication channels such as a wired connection or 3G/4G instead of Wi-Fi.
• Make sure encrypted services such as HTTPS and VPNs are hardened against attacks and do not use weak or vulnerable protocol versions and cipher suites. Freely available tools such as testssl.sh can check this.
• Monitor vendors for patches for clients such as smartphones, laptops, computers and other devices, and for access points and routers. Install patches as soon as they become available. Note that changing the Wi-Fi password does not help: the attack does not depend on it.
ITsec can check whether the systems in use have received the relevant updates. In addition, we advise on designing and setting up your own encryption layer, e.g. via VPN, to neutralise KRACK. Of course we are ready to assist you in turning the risks into opportunities!
We advise sharing this information with everybody in your organisation who is responsible for information security. If you have any questions regarding this subject, please don't hesitate to contact us through firstname.lastname@example.org.