After rumors hit the wire over the weekend (possibly even Friday night), Dan Goodin for ArsTechnica broke a story about a flaw in the core Wi-Fi Protected Access II (WPA2) protocol that allows bad actors within physical range of a vulnerable device to intercept and read passwords and, as a consequence, intercept and read information crossing the Wi-Fi channel. Sample information could be e-mails, files shared, and other data transferred to and from a variety of online (a.k.a. “cloud”) services.
Mathy Vanhoef of imec-DistriNet, KU Leuven, disclosed the vulnerability along with a proof of concept called KRACK—short for Key Reinstallation Attacks. The vulnerability spans what seems to be pretty much every device we use for business and consumer use to connect to, and transmit data across, the Internet. Here’s what the researcher team said:
“During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.”
Rodney Joffe, Senior VP, Senior Technologist, and Fellow, Neustar, Inc. offered a statement regarding Cisco’s warning about some of the Cisco devices that are vulnerable to this attack.
“Even though this vulnerability followed the appropriate guidelines for responsible disclosure, few manufacturers have yet been able to develop a patch or even a workaround,” said Joffe.
As captured from the Cisco notification:
“Multiple Cisco wireless products are affected by these vulnerabilities. Cisco will release software updates that address these vulnerabilities. There is a workaround that addresses the vulnerability in CVE-2017-13082. There are no workarounds that address the other vulnerabilities described in this advisory.”
Adding salt to the wound, most companies may not even know which devices introduce this risk to their environment. This could prove challenging as the industry braces itself for an attack (if/when it comes).
“Unfortunately, we know that companies can’t even see 40% of the connected devices in their environment,” said Nadir Izrael, CTO and co-founder of Armis. “This is why IoT and all these connected devices are a big security concern. It’s a huge security blind spot for organizations, with serious consequences.”
“This is the second time in two months that we’ve seen all connected devices being vulnerable to widespread airborne vulnerabilities; we recently discovered vulnerabilities in Bluetooth and the BlueBorne threat,” said Izrael. “The difference is that with KRACK we can’t tell people to just turn off Wi-Fi. The majority of all traffic is now wireless. It’s how we connect, communicate, and live.”
Just How Bad Is The Vulnerability?
“First off, this isn't the WPA2 crypto being cracked,” said Bobby Kuzma, Systems Engineer, Core Security. “This is a case of taking advantage of a logic error in the protocol that's used as a handshake to establish the connection. An attacker must first be in range of the connection, and disrupt an existing client, initiating a man in the middle attack.”
One perspective is that some of the protocols we rely on don’t change much over the years while the environments in which they operate do. Couple this with the fact that cybercrime continues to grow as a business, and we see more and more investments being made to find holes in this protocol and others.
“Attacks against the cryptographic algorithms and protocols that underpin secure communication only get better over time,” said Frederik Mennes, manager of the Security Competence Center at VASCO. “The plethora of attacks against SSL/TLS in recent years, and the novel KRACK attack against WPA2, illustrate this.”
“It’s important to remember, the KRACK vulnerability only weakens the encryption between your computer and the Wi-Fi access point, so end-to-end encryption between the computer and the website you access remains secure,” added Dr. Steven Murdoch, Innovation Security Architect, VASCO Data Security, and Principal Research Fellow at University College London. “Well configured secure websites will automatically ensure that end-to-end encryption is enabled—normally indicated by a padlock next to the address. You can check for this before entering sensitive information.”
For the consumers and business users out there who use their phone as a hotspot, they need to be aware of the risk as well.
“Mobile hotspots act as Wi-Fi access points so are also likely vulnerable to the KRACK attack,” added Murdoch. “However, their range is far less that a normal Wi-Fi access point so the attacker would need to be very close to the victim to do their dirty work. For most people, the risk is consequently low, but it is always prudent to install software updates to reduce the risk of this and other attacks.”
While the impact of an exploit is bad, the likelihood of attack is still low given that we only have a proof of concept publicly disclosed.
“The risk of becoming victim of this attack is currently rather low,” said Mennes. “There is currently no publicly available code available to launch the attack. Additionally, the adversary needs to be able to capture the Wi-Fi network signal, so he needs to be in the vicinity of the targeted network. Finally, the attack does not realistically work against Windows or iOS."
It’s also worth noting that this vulnerability has little effect on already insecure networks, such as those found in your local coffee shop.
“Public Wi-Fi access points are typically not encrypted, so the KRACK vulnerability has no effect,” added Murdoch.
These facts, of course, don’t mean that an insecure or unpatched system are safe. Quite the contrary is true.
It’s A Race To Prevent An Exploit
With so many devices needing updates, clearly it is going to take a long time to get things back into safe and sound order. First, the vendors need to understand that their devices are vulnerable (presumably, some, but not all, have already been notified). Then, they need to develop, test, and release the patch. Once the patch is in place, the users of all of these devices need to know that the patch is needed, find it, and deploy it.
“As patches are now being released, the hope is that it will not be exploited in the wild, but it’s likely that criminals will try,” added Izrael.
Until then, the industry needs to keep on top of its game to prevent businesses and citizens alike from being compromised. Perhaps one option is to update the protocol itself to fix this issue for everyone, in one fell swoop. From the sounds of things, however, there is no quick fix and this path could actually take a while.
“This is going to be a significant exploit as it will take years for the WPA2 protocol to be fixed and even then, much longer for devices to be updated with newer versions.” stated Brian Knopf, Senior Director of Security Research, IoT Architect, Red Team, at Neustar.
But not every company takes these things seriously, so don’t expect to see that patch straight away. This could take some time, and in some cases may never even happen.
“Affected manufacturers were notified of the vulnerability in August to give them an opportunity to fix the flaw before the public disclosure today,” said Murdoch. “Unfortunately, manufacturers often do not fix vulnerabilities in older products, particularly those that aren’t being actively promoted. It is likely that the vulnerability will persist for years, through to end-of-life in some products, such as Android smartphones and Wi-Fi routers,” added Murdoch.
When we say never, we really mean never. We’re talking about devices that can’t be patched.
“I'm also deeply concerned about the huge numbers of ‘orphaned’ and ignored Wi-Fi capable devices out there that won't receive patches,” added Kuzma. “The underlying research that identified the state machine flaws is innovative. These won't be the last findings from that group.”
As you can imagine, if the researchers continue to dig around looking for stuff, so will the bad actors looking to take advantage of this in other ways, via other means. Lisa Baergen, APR, MCC, Marketing Director, NuData Security Inc., a Mastercard Company, confirms this notion.
“The security industry will chase vulnerabilities for the foreseeable future, and bad actors will continue to find and exploit new ones,” Baergen said.
And, as we have seen many times, a single vulnerability is often combined with other exploits in order to complete a successful full-scale compromise.
“We have seen in cases like the hack of TJX that criminals will likely exploit such vulnerabilities to gain access to business networks, and then exploit other vulnerabilities to steal sensitive data,” said Murdoch.
There Is A Silver Lining If You Take Action Now
While the only way to fully mitigate the WPA2 vulnerability is to wait for the device manufacturers to provide patches and firmware updates, in order to provide some initial guidance around how to get ahead of this threat, the following tips are provided by some of the experts that contributed to this article.
IMMEDIATE: Disable Wi-Fi and Hard Wire / Tether Your Devices
“The most drastic protection consists of avoiding Wi-Fi (and using Ethernet or 4G instead),” added Mennes.
This, of course, may not be a viable business option.
More feasible, added Izrael, “for devices they don’t control or can’t update, businesses need to ensure these devices can’t connect to a critical network.”
IMMEDIATE: Use Cryptographic Protocols at the Transport and Application Layer
“An alternative solution consists of using cryptographic protocols that provide encryption at the network, transport or application layer (e.g. IPsec, TLS, SSH, PGP), and making sure these are properly configured,” said Mennes. “In this regard, HTTPS Everywhere from the Electronic Frontier Foundation (EFF) and the Brave Browser for iOS devices might help individuals.”
IMMEDIATE: Use a Virtual Private Network
“A virtual private network (VPN) may help in some cases, but there are even exploits for VPNs that could be chained together with KRACK,” recommended Knopf.
SHORT-TERM: Fine-Tune Your Routers and Access Points
“Companies can try to mitigate attacks against routers and access points by disabling client functionality (which is, for example, used in repeater modes) and disabling 802.11r (fast roaming),” said Mennes. “Companies should certainly not go back to WEP to protect their Wi-Fi networks, as this comes with more severe flaws than WPA2.”
ONGOING: Patch, Patch, Patch
No. We're not talking pumpkins here. This seems to be the main reason behind a number of the breaches to hit the news. Don't let this one be same.
“Companies and households should be on the lookout for security patches of their wireless access points and endpoint devices like laptops, desktops and mobile devices,” said Mennes.
ONGOING: Don’t Forget Mobile!
“The KRACK attack especially impacts mobile devices using Android 6.0 and above, because these devices are subject to a particularly dangerous variant of the attack,” added Mennes. “This applies to over 41% of Android devices. Also, security patches for Android devices usually spread slowly, which further exacerbates the issue on Android. The attack does not realistically work against iOS, and furthermore Apple has already issued a security patch.”
“Some mobile devices, particularly Android smartphones, do not receive prompt updates from their manufacturer and so present a risk to the owner,” added Murdoch. “Companies should mitigate the risk by ensuring that either mobile devices are well maintained or if this is not possible, isolate them from sensitive systems and data.”
LONG-TERM: Start Re-Designing the Protocols
“In cryptographic protocols, a nonce (Number used ONCE) should never be repeated, but often design flaws are introduced, when the protocol is implemented in software, that allow this to happen,” added Murdoch. “Therefore, I think a better approach is to re-design protocols to be more resistant to nonce-reuse, which we know how to do, albeit with a slight loss of efficiency.
LONG-TERM: Devalue Data
One interesting concept that has surfaced recently in some of our conversations is promoting devaluing information, making it useless to a would-be thief.
“Ultimately, the only way to break this otherwise endless cycle is for organizations to fundamentally de-value stolen consumer data by stripping it of its usability,” added Baergen.
This vulnerability and the state of in-the-wild attacks will certainly change over time. It’s important to stay alert and take action when and where necessary.
To summarize the current state of affairs, we turn once again to Mr. Murdoch. As he said, “The KRACK vulnerability is very widespread, but is also difficult to exploit because the attacker needs to be physically close to the victim. Consequently, this vulnerability is unlikely to be the most serious one facing the average person or organization. It may, however, act as a helpful reminder that Wi-Fi encryption is not perfect, and end-to-end encryption should be used whenever possible.”
Feel free to check back with us here at ITSPmagazine for updates as we get them. However, we would strongly encourage you to stay focused on the patches your vendors and suppliers are providing as they will be the most important things to apply once they are released.