NetDiligence® Security Advisory – October 17th, 2017
KRACK WPA2 Wi-Fi Exploit Status and Protection Tips
This NetDiligence Security Advisory is published for the benefit of our cyber insurance carrier/broker clients and their insureds. We urge clients to take special note of the details included in this Advisory and take preventative/remedial action on a timely basis. Clients are welcomed to distribute this Advisory to their colleagues and others as they see fit, provided it is distributed without modification of its contents.
Ah, cyber security exploit researchers… what would life be without the benefit of their wisdom? We’ll let you try to answer that in your own way. That having been said, we have an important message to share with you regarding a dangerous vulnerability and our suggested steps forward in addressing it.
Earlier this week, the world became aware of a paper by Mathy Vanhoef and Frank Piessens of the imec-DistriNet Research Group, part of the Department of Computer Science at KU Leuven in Belgium. The paper describes a newly disclosed weakness, named KRACK (Key Reinstallation Attacks), in the venerable WPA2 protocol that has secured public and private Wi-Fi networks for more than a decade. The paper can be found at:
https://papers.mathyvanhoef.com/ccs2017.pdf.
To make the paper and related information easier to find, the researchers have published a dedicated Web site for the KRACK attack:
https://www.krackattacks.com/.
While the in-depth explanation for the weakness can be found at the imec-DistriNet site, we would offer the following heavily summarized version: An inherent weakness in the WPA2 protocol itself, not limited to any particular vendor’s branded solution, allows for something called a “key reinstallation attack”. When a device joins a WPA2 network, the client and the access point run a four-way handshake that derives a fresh session key. Every frame on the air is then encrypted with that key and a per-packet nonce (the packet number), so an eavesdropper who captures the traffic with a packet sniffer sees only scrambled content, while the client and access point can decrypt it. Note that this protection covers only the wireless link; it is not end-to-end, and traffic beyond the access point relies on other protections such as HTTPS.
The handshake allows the access point to retransmit a message in case it was lost. KRACK abuses this: an attacker within radio range who can place themselves between the client and the access point replays the third handshake message, tricking the client into reinstalling the key it is already using and, with it, resetting the packet number and replay counter to their initial values. Because the same key is then reused with the same nonces, the attacker can recover keystream and decrypt frames, and in some configurations replay or forge them. The widely reported “all-zero key” is a worst case specific to Android 6.0 and later and to Linux clients using wpa_supplicant 2.4 and later: those clients clear the key from memory after the first installation, so the reinstallation puts an all-zero key in place and their traffic becomes trivially decryptable. Other affected clients keep their real key, but the nonce reuse alone is enough for the attack to succeed.
A short video demonstration of the exploit can be found on YouTube at the following location: https://youtu.be/Oh4WURZoR98
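The following toy model illustrates the mechanism summarized above. It is an added example written for this advisory, not code from the KRACK paper, the researchers’ site, or any vendor. Real WPA2 (CCMP) encrypts each frame with AES in counter mode keyed by the pairwise temporal key and a nonce built from the packet number; here the AES keystream is replaced by a SHA-256-based keystream (an assumption made to keep the example dependency-free), which preserves the one property the attack needs: the same key with the same nonce always yields the same keystream. The Supplicant class, the run_attack driver, and the HTTP request plaintexts are all constructed for the illustration. The model shows an unpatched client reusing a nonce after a replayed message 3, a patched client refusing the reinstall, and the all-zero-key variant described above.

```python
"""Toy model of a WPA2 key reinstallation against the 4-way handshake.

Added illustration for this advisory; not code from the KRACK paper or any
vendor. AES-CTR (CCMP) is replaced by a SHA-256 keystream, an assumption made
to avoid third-party dependencies. The property the attack relies on, that the
same key and the same nonce always give the same keystream, is preserved.
"""
import hashlib
import os


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream: deterministic in (tk, pn)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake (hypothetical model, not a real supplicant).

    patched      -> refuse to reinstall a key that is already in use (the fix)
    zero_key_bug -> model the wpa_supplicant 2.4+/Android 6+ behaviour where the
                    real key is wiped after the first install, so a reinstall
                    puts an all-zero key in place
    """

    def __init__(self, patched: bool, zero_key_bug: bool = False):
        self.patched = patched
        self.zero_key_bug = zero_key_bug
        self.tk = None
        self.installed = False
        self.pn = 0

    def on_msg3(self, tk: bytes) -> str:
        """Handle message 3 of the 4-way handshake (possibly a retransmission)."""
        if self.installed and self.patched:
            return "ignored"            # key already installed: PN and replay counter untouched
        if self.installed and self.zero_key_bug:
            tk = bytes(16)              # real key already zeroed; all-zero key gets installed
        self.tk = tk
        self.installed = True
        self.pn = 0                     # nonce and replay counter reset: the core of KRACK
        return "installed"

    def encrypt(self, plaintext: bytes) -> tuple:
        """Encrypt one frame; the PN must never repeat under one key."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def run_attack(patched: bool, zero_key_bug: bool = False) -> dict:
    """Drive a client through a handshake, a replayed message 3, and two frames.

    The attacker is assumed to hold a man-in-the-middle position on the wireless
    link so that message 4 does not reach the AP and the AP retransmits message 3;
    the attacker forwards that copy. The plaintexts are constructed sample requests.
    """
    tk = os.urandom(16)                                   # session key from the handshake
    client = Supplicant(patched, zero_key_bug)
    client.on_msg3(tk)

    p1 = b"GET /account HTTP/1.1\r\nCookie: session=SECRET-TOKEN\r\n"
    pn1, c1 = client.encrypt(p1)

    client.on_msg3(tk)                                    # attacker replays message 3
    p2 = b"POST /transfer HTTP/1.1\r\nCookie: session=SECRET-TOKEN\r\n"
    pn2, c2 = client.encrypt(p2)

    result = {"nonce_reused": pn1 == pn2, "recovered": None,
              "zero_key_plaintext": None, "second_plaintext": p2}
    if result["nonce_reused"]:
        # Same key, same PN => same keystream, so c1 XOR c2 == p1 XOR p2. With p1
        # guessable (a predictable request) the attacker recovers the overlap of p2.
        result["recovered"] = xor(xor(c1, c2), p1)
    if zero_key_bug:
        # No guessing needed: decrypt directly with the all-zero key.
        result["zero_key_plaintext"] = xor(c2, keystream(bytes(16), pn2, len(c2)))
    return result


if __name__ == "__main__":
    for label, patched, zero in [("vulnerable", False, False),
                                 ("patched", True, False),
                                 ("wpa_supplicant 2.4+", False, True)]:
        r = run_attack(patched, zero)
        print(f"{label:20s} nonce reused: {r['nonce_reused']}  recovered: {r['recovered']}")
```

The patched branch is the whole of the fix the researchers describe for clients: install a negotiated key only once per handshake and never reset the packet number or replay counter on a retransmitted message 3. The model also makes clear why the all-zero-key case is so much worse: the attacker does not need a known plaintext at all.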
As this advisory goes to press, a broad variety of vendors are working feverishly to create, test, and publish updates/patches to their respective products. These products are in broad use not just by organizations, but also by consumers who maintain their own home-based Wi-Fi routers and their own smart devices (phones, pads, laptops, etc.) that make use of Wi-Fi networks anywhere in the world.
A complicating factor in the present case is that the flaw is in the client side of the handshake, so every Wi-Fi client (phones, laptops, tablets, IoT devices) needs a fix from its own vendor. Access points and Wi-Fi routers also need updating where they act as clients themselves (repeaters, mesh nodes) or support fast roaming (802.11r). A replacement for WPA2 is not required: the researchers state that implementations can be patched in a backwards-compatible manner, so a patched client continues to work with an unpatched access point and vice versa, and a patched device is protected even when the other side is not.
We have attempted to gather here a brief set of public advisories on the availability of patches for various platforms. The content available at these locations will likely be updated in real-time, so please check back frequently:
From Cisco (evaluation of affected products is still in progress):
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
From Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080
Android Central is maintaining a broader list of router vendors and their patch status:
https://www.androidcentral.com/these-are-router-makers-have-patched-krack-wpa2-wi-fi-flaws
Special Note: Both Apple and Google advise that fixes are in process and will be made available as soon as possible.
As of the date of this NetDiligence Security Advisory, and while vendors continue their efforts to deliver effective fixes over the next several weeks, the following public advice appears to be timely for the near-term:
- Install vendor updates on every Wi-Fi client and router as soon as they are released; client-side patches matter most, and a patched client is protected even on an unpatched network.
- Avoid using public Wi-Fi services for the time being, and treat any WPA2 network, including your own, as untrusted until the devices using it are patched. Note that the attacker must be within radio range of the victim; this is not an attack that can be carried out over the Internet.
- Wherever available, use HTTPS (rather than plain HTTP) when connecting to Web sites, confirm that the browser shows a valid HTTPS connection for the whole session, and never click through certificate warnings. KRACK is commonly combined with tricks that quietly downgrade a user to plain HTTP, which is where sensitive content such as banking sessions would be exposed.
- Continue to use trusted and paid VPN services, which encrypt traffic independently of the Wi-Fi link, but do not assume that new or “free” VPN services will provide any additional protection.
- If you have ready access to traditional “wired” LAN access via an Ethernet cable, use it instead of Wi-Fi.
Please stay tuned for available updates from NetDiligence as updated information on the KRACK exploit and industry-wide response/resolution efforts becomes available.
Thank you very much for your attention to this NetDiligence Security Advisory, and please do not hesitate to reach out to us (at [email protected]) for further advice and assistance with your cyber risk management efforts!