What is KRACK?
Welcome to another manic Monday! Some might say, "welcome to the next dumpster fire." In any case, if you follow InfoSec security news feeds, you have probably heard of a newly released set of vulnerabilities in the WPA2 wireless authentication protocol. These are collectively known as the Key Reinstallation Attack vulnerabilities, or KRACK vulnerabilities. Steve Ragan (@SteveD3) broke the details this morning in his CSO Online post, which describes the vulnerabilities. This type of attack has been "branded" with the name Krack Attacks, and the latest details can be found here.
How Do I Determine My Risk?
If you are managing any sort of Wi-Fi network, it would be prudent to take some time to understand how this attack works and then determine your risk profile. If you are using wireless in your work environment, you should evaluate the following immediately:
- Is the wireless network connected to the corporate network? We hope the answer is a resounding "No!" but if you have not separated your wireless from your wired network, stop what you are doing and fix that issue ASAP. If you don't know how, seek outside help immediately.
- What wireless authentication protocol is in play on your wireless network? This should be WPA2 - not WEP and not WPA. Make note of the protocol and the encryption method used. You will see either TKIP, TKIP + AES or just AES. More on this later.
- What type of client devices are accessing your wireless network? Get a rough idea of the number of Android, iOS, Windows and other types of devices that are connecting.
- What type of wireless access points are in use? Get a list of the make, model and firmware version of the devices used.
Gathering this information will be helpful in determining the risk level present on your wireless network.
Mitigating the Vulnerabilities
So how do we mitigate this set of vulnerabilities? Unfortunately, we are at the mercy of the client device and access-point manufacturers. Some manufacturers have already issued updated firmware, as most major vendors were notified of this risk in advance. Here is an up-to-date list of available patches by vendor. I suggest you keep an eye on this listing.
At this point, it is more likely that access-point firmware will be updated before most clients. Google has issued a statement regarding Android patching, but this is a lengthy process: unless you have a Google phone, you will have to wait for your phone manufacturer to work with your cellular provider to issue patches. This will take weeks, so these clients will remain vulnerable for the near future.
Apple devices are vulnerable to attack when connecting to an unpatched access point. As of the writing of this post, Apple has not released a statement regarding a fix. Based upon their past performance, I would imagine a patch will be released and available within the next 72 hours.
If you are using Meraki devices in your network, Meraki has already issued a firmware patch. Just be sure your devices are set to automatically update.
If your access-point vendor is not listed in the Bleeping Computer post, I suggest that you contact them immediately and stay in touch until you are sure the issues are patched.
Immediate Action to Reduce Exposure
Aside from waiting on vendors, what can you do right now to minimize the possibility of compromise? First, know that you cannot eliminate the risk of exploit until devices are patched. Since this is a protocol-level flaw, it will take firmware updates to completely mitigate it.
Here are some steps you can take to minimize the likelihood that your network devices fall victim to this attack.
- Separate your wireless network from your corporate LAN & production networks. This will prevent the leakage of corporate data if a client device is compromised.
- Check your wireless access points and enforce WPA2 with AES only. This will make the attack more time consuming for the attacker. A side benefit is increased wireless speed when TKIP is removed.
- If you are able, block HTTP and allow only HTTPS connections on the wireless network. That way, even if the network traffic from a device is compromised, the web data is encrypted via TLS and useless.
- Make sure all email clients are using the TLS enabled protocols within their email client software for sending and receiving data. If your email client software is not using TLS, everything on your wireless network that is email related will be sent unencrypted and therefore readable if any device is compromised.
- Require that all users connected to ANY wireless network utilize a VPN for all traffic. Using a VPN forces all traffic through an encrypted tunnel from the client device through the access point and out to an end point via the Internet. This makes it impossible for any traffic to be captured between the device and the end point.
- If you control your wireless network, you can enforce MAC address filtering. This means that you have to inventory the MAC address of every device that should be allowed to connect to your wireless network and grant only those MAC addresses access to your wireless network. Doing this will prevent rogue devices from connecting to your network and sending management packets, which is a requirement for the exploit.
- If your wireless network is meshed, you can temporarily disable 802.11r, the protocol that allows fast roaming on wireless networks. You can re-enable this after your access points are patched.
- Lastly, if your wireless network supports 802.11w (Management Frame Protection), you should enable this feature. This prevents unauthorized devices from sending management frames to your access points. This should remain enabled.
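The access-point settings called out above (WPA2 with AES only, 802.11r off, 802.11w on) and the protocol/cipher inventory from the risk checklist can be audited from a wireless scan. The following is an added example, not code from the original post: it parses scan text in the layout that `iw dev <iface> scan` prints (an assumption about the format) and reports, per SSID, which of the post's settings an access point is missing. The scan text embedded in it is constructed, not a real capture.

```python
"""Audit iw-style Wi-Fi scan output against this post's checklist. Added example, not from
the post; assumes the `iw dev <iface> scan` text layout, and SAMPLE_SCAN below is constructed."""

def parse_scan(text):
    # One dict per BSS; the text is assumed to begin with a "BSS <mac>" header line.
    nets = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("BSS "):
            nets.append({"ssid": "", "rsn": False, "ciphers": set(), "akm": set(), "mfp": "none"})
            continue
        cur = nets[-1]
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("RSN:"):            # WPA2 (RSN) information element present
            cur["rsn"] = True
        elif s.startswith(("* Group cipher:", "* Pairwise ciphers:")):
            cur["ciphers"].update(s.split(":", 1)[1].split())
        elif s.startswith("* Authentication suites:"):
            cur["akm"].update(s.split(":", 1)[1].split())   # "FT/PSK" means 802.11r
        elif s.startswith("* Capabilities:") and "MFP-" in s:
            cur["mfp"] = "required" if "MFP-required" in s else "capable"
    return nets

def findings(net):
    # Items from the post's checklist that this BSS fails; an empty list means clean.
    checks = [
        (not net["rsn"] or "TKIP" in net["ciphers"], "TKIP or no WPA2: enforce WPA2 with AES (CCMP) only"),
        (any(a.startswith("FT/") for a in net["akm"]), "802.11r enabled: disable fast roaming until APs are patched"),
        (net["mfp"] != "required", "802.11w not required: enable Management Frame Protection"),
    ]
    return [msg for failed, msg in checks if failed]

def audit(text):
    return {n["ssid"]: findings(n) for n in parse_scan(text)}

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tSSID: corp-legacy
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP CCMP
\t\t * Authentication suites: PSK FT/PSK
\t\t * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
BSS 66:77:88:99:aa:bb(on wlan0)
\tSSID: corp-hardened
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\t\t * Capabilities: MFP-required MFP-capable (0x00c0)
"""
```

Running `audit(SAMPLE_SCAN)` flags `corp-legacy` on all three checks and returns an empty list for `corp-hardened`; point it at real `iw` output to see which of your own access points still need attention.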
While you cannot completely mitigate the KRACK vulnerabilities without vendor intervention, you can take specific steps to better secure your networks and greatly diminish the likelihood that your network and data will be compromised. Stay safe out there!