By Channel Partners Staff
As if the past several weeks haven’t been exciting enough in security news with the announcement of the mega-breach at credit bureau Equifax, a newly disclosed vulnerability has now overturned a basic assumption about Wi-Fi security: that a network protected by Wi-Fi Protected Access 2, or WPA2, keeps the traffic on it confidential.
The vulnerability, discovered by Mathy Vanhoef, a security researcher at Belgium’s KU Leuven, is known as KRACK, short for key reinstallation attack. According to a site set up by Vanhoef, the vulnerability stems from “serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using KRACKs.” The attack exploits the four-way handshake of the WPA2 protocol, which is executed when a client joins a protected Wi-Fi network. The third message of that handshake tells the client to install the session key, and because that message may be lost and retransmitted, the standard lets the client install the same key more than once. Each installation resets the packet number that the encryption uses as its nonce, so an attacker who captures and replays message 3 forces the client to encrypt new frames with a key and nonce it has already used.
Vanhoef warns this means attackers can use KRACKs to read information that was previously assumed to be safely encrypted, and thus to steal sensitive information such as credit card numbers, passwords, chat messages, emails and photos. Depending on the cipher suite the network uses (TKIP and GCMP, as opposed to AES-CCMP), nonce reuse also lets the attacker forge and inject frames, not merely read them.
“Any data or information that the victim transmits can be decrypted,” said Vanhoef in his write-up of the vulnerability. He has published the details in a research paper titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, and will present the findings at Black Hat Europe in December, as well as at the ACM Conference on Computer and Communications Security (CCS) in Dallas next month.
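The nonce reuse the paper's title refers to is easiest to see in a small simulation. The following Python model is an added example written for this article, not code from Vanhoef or from any Wi-Fi implementation: it models the client side of the handshake with a toy SHA-256 counter-mode keystream standing in for AES-CCMP (the only property that matters is that the keystream is a deterministic function of key and nonce), installs the key on message 3, and shows that a replayed message 3 resets the packet number on a vulnerable client so that a passive attacker who knows one frame's plaintext can decrypt the other. The "patched" client applies the fix vendors shipped: it acknowledges the retransmission but refuses to reinstall a key that is already in use. The PTK, the HTTP-like plaintexts and the message ordering are all constructed for the demo; the group-key and 802.11r variants of the attack are not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NONCE_BYTES = 6  # the CCMP packet number is 48 bits


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over (key, packet number, block index).

    Stand-in for AES-CCMP, not the real cipher. It shares the one property the
    attack depends on: the keystream is a deterministic function of key and
    nonce, so reusing a nonce under the same key reuses the keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(NONCE_BYTES, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal model of the supplicant (client) side of the four-way handshake."""
    patched: bool
    ptk: Optional[bytes] = None  # pairwise transient key, installed on message 3
    pn: int = 0                  # transmit packet number, used as the CCMP nonce

    def on_message3(self, ptk: bytes) -> str:
        """Handle message 3, which may be a retransmission, and reply with message 4."""
        if self.patched and self.ptk == ptk:
            # Fixed behaviour: acknowledge the retransmission but do not reinstall an
            # already-installed key, so the packet number keeps counting upward.
            return "msg4"
        # Vulnerable behaviour (and the legitimate first install): install the key and
        # reset the packet number to zero, as the 802.11 state machine prescribed.
        self.ptk = ptk
        self.pn = 0
        return "msg4"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def attacker_recover(frames: List[Tuple[int, bytes]], known: bytes) -> Optional[bytes]:
    """Passive attacker: given two frames with the same packet number and the
    plaintext of the first, recover the plaintext of the second."""
    by_pn: Dict[int, List[bytes]] = {}
    for pn, ct in frames:
        by_pn.setdefault(pn, []).append(ct)
    for cts in by_pn.values():
        if len(cts) >= 2:
            c1, c2 = cts[0], cts[1]
            ks = xor(c1, known)            # known plaintext leaks the keystream ...
            return xor(c2, ks[:len(c2)])   # ... which decrypts the other frame
    return None


def simulate(patched: bool) -> Dict[str, object]:
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()[:16]  # assumed session key
    client = Client(patched=patched)
    observed: List[Tuple[int, bytes]] = []   # everything the attacker sniffs over the air

    client.on_message3(ptk)                  # 1. message 3 arrives, key installed, pn = 0
    # The attacker's man-in-the-middle position lets it block the client's message 4 ...
    first = b"GET /account HTTP/1.1 Cookie: session=1a2b3c"   # constructed, attacker-known plaintext
    observed.append(client.send(first))      # 2. client starts sending data with pn = 1
    client.on_message3(ptk)                  # 3. ... so the AP retransmits message 3 and the attacker forwards it
    secret = b"POST /login user=alice&pass=hunter2"           # constructed secret plaintext
    observed.append(client.send(secret))     # 4. vulnerable client: pn was reset, this frame is pn = 1 again

    pns = [pn for pn, _ in observed]
    return {
        "nonce_reused": len(pns) != len(set(pns)),
        "recovered": attacker_recover(observed, first),
        "secret": secret,
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = simulate(patched)
        print("patched" if patched else "vulnerable", result["nonce_reused"], result["recovered"])
```

Note that the attacker never learns the PTK, let alone the Wi-Fi passphrase: the keystream is recovered from a known plaintext, which is why the real attack works against any WPA2 network regardless of how strong its password is, and why changing the password does nothing.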
What does this mean for you and your customers? Just about every device that uses Wi-Fi is impacted and will need patching, because the flaw is in the WPA2 standard itself rather than in one vendor’s implementation. Most personal and business networks run on WPA2, so it is a concern for anyone worried about the privacy of anything sent over a wireless link that is not also protected end to end, for example by TLS or a VPN. Vanhoef says that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attack and suggests contacting vendors directly for information about specific products. The Linux and Android variant is the worst: wpa_supplicant 2.4 and later (used by Android 6.0 and up) wipes the key from memory after installing it, so a reinstallation puts an all-zero key in place and the attacker can decrypt everything without even a known plaintext.
But most of the analysis out there on KRACK adds up to: Don’t panic. For starters, the attack is not trivial to pull off: the attacker has to sit as a man-in-the-middle on the Wi-Fi link, typically by cloning the network on another channel, and then catch and replay handshake messages at the right moment. It also never recovers the Wi-Fi password, so an attacker cannot simply join the network with it. And it is important to note that an attacker needs to be in radio range of the Wi-Fi network in order to intercept information; KRACK can’t be exploited from afar. Vendors are already coming out with responses and patches; that includes Microsoft, which issued a security patch for Windows 7, Windows 8, Windows 8.1 and Windows 10. Apple and Google are currently working on fixes.
There are also options for mitigating the risk associated with this vulnerability while patches are pending. One is to disable Wi-Fi and use only 4G in devices that are 4G-enabled, for now. Another is to use Ethernet instead of Wi-Fi when possible. Traffic that is protected end to end, over HTTPS or through a VPN, stays confidential even if the Wi-Fi link is broken, so that is a useful stopgap for remote workers. On access points, disabling 802.11r (fast roaming) until firmware is updated removes the one variant that targets the access point itself. Changing the Wi-Fi password is not a mitigation, because the attack never recovers it; a patched client is the real fix.
Ultimately, though, it is important to be in communication with customers on where suppliers are with fixes. Some patches will come quickly. Others may take months or longer, and some embedded and IoT devices may never be patched. Clients are the primary target, so prioritize laptops, phones and other Wi-Fi endpoints; access points need updating too when they act as clients themselves (repeaters and bridges) or support 802.11r. Stay on top of customer hardware and deploy patches as soon as possible.