It’s likely that you’ve already heard about KRACK in the last few days. KRACK is a new and somewhat alarming vulnerability recently disclosed in the Wi-Fi Protected Access 2 (WPA2) wireless networking standard. As has been the case for many recently discovered vulnerabilities, the party that discovered this branded it, and the media then latched on and made a bigger deal out of it than they probably should.
However, that does not mean this threat should be completely dismissed – it provides a perfect vehicle to ensure the other risks that come along with wireless networking have been researched and addressed. There are plenty of issues with wireless networking that are all too often ignored or considered “acceptable risks,” when many can be easily remediated.
So Hopeless – SOHO Access Points
First and foremost, if your organization’s internal network has any small-office/home-office (SOHO) wireless access points on it, these should be removed immediately. These are consumer-grade devices and should never be allowed to provide any sort of access into an enterprise network. The recently publicized KRACK vulnerability does affect most consumer-grade access points, as does a bevy of other vulnerabilities, such as those found during the SOHOplessly broken contest they hold each year at DEF CON. This contest is held at multiple security-focused conferences, and the below chart shows the issues exploited in just 10 of the routers that were assessed:
Table Source: http://securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php
These are just the known vulnerabilities on 10 popular SOHO wireless access points. More issues like this are being found every day, and there’s little chance it will get any better. These consumer-grade devices do not belong on any enterprise network for any reason. If you use one of these models at home, make sure you upgrade the firmware and configure the router to be secure by disabling unnecessary ports and protocols. This link also shows some remediation efforts you can take to be safer at home.
But, What About KRACK?
The vulnerability announced that prompted this post is called the WPS KRACK (Key Reinstallation AttaCKs) vulnerability. It can expose the traffic on vulnerable wireless routers to an attacker. However, the most sensitive data that is transmitted on a compromised network remains protected (e.g. VPN and encrypted connections are still protected regardless). This means that an attacker can read any traffic on a compromised router that is not additionally protected by another protocol.
This vulnerability is not exclusive to SOHO routers, but if an enterprise wireless router is properly configured and does not rely on the WPA2 standard for protecting information then there should be no issues. If you have any consumer-grade wireless access points anywhere in your enterprise and they cannot be removed (which is not advised), then this link will lead you to a listing of vulnerable devices and whether there are patches available: http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
If you watch the videos on YouTube about this vulnerability, many of them showing this vulnerability go on to show how to use Man-in-the-Middle (MitM) attacks and SSLStrip attacks. Both of these attacks can allow an attacker with access to a wireless network the ability to read HTTPS encrypted traffic. This is a vulnerability that has existed in wireless networks for as long as they have existed.
Wireless networks are “broadcast” networks, meaning every packet they send out is sent to all nodes on the network. Any system on the network can capture and read any unencrypted traffic and can use tools like SSLStrip to remove those protections. An attacker that can gain access to any wireless network, regardless of how its access is protected, can capture and often read any traffic. There are numerous other vulnerabilities and weaknesses in the Wi-Fi protocol that are also risks once an attacker has gained access, whether with the KRACK vulnerability or another method.
If you would like to learn more about the existing wireless risks and vulnerabilities, here are a few links to tools and blogs on the subject:
Finally, for those of you that would like to dive deeper into the technical specifics of the KRACK vulnerability, as usual Brian Krebs has put a very comprehensive write-up on his blog. As always CynergisTek’s team of experts is available to answer any further questions.