The news of the Key Reinstallation Attack (KRACK) was publicized in October of 2017. Since that time, Apple and Google have published software fixes for their end user devices, as have the majority of the wireless hardware manufacturers. But how can a user protect their Wi-Fi network from a KRACK attack in the future?
What is the KRACK attack?
First, let’s look at what caused this vulnerability. The weakness lies in the WPA2 portion of the Wi-Fi standard itself, specifically in how client devices accept a manipulated and replayed (reused) cryptographic handshake message. WPA2 has been a feature of all certified Wi-Fi hardware since 2006, and its encryption is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for data encryption. In essence, any wireless network using WPA2 is vulnerable in this scenario.
The vulnerability was found and reported to manufacturers in July 2017, and many manufacturers had software patches available on Day Zero (October 16, 2017). Keep in mind, WPA2 encryption is not “broken”. Attackers cannot decrypt all wireless traffic, with one major exception: Android, Linux and other client devices using the open-source wpa_supplicant software library. Affected versions of wpa_supplicant can be tricked into installing an all-zero encryption key (meaning no encryption at all), so those devices can be fully compromised. The Pixel/Nexus devices are awaiting a software fix to be released in December of 2017. Device manufacturers Essential and OnePlus both shipped a patch for KRACK in the first week of November 2017.
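The two paragraphs above describe the mechanism in words: a client that accepts a retransmitted handshake message reinstalls its key, which resets the packet-number (nonce) counter, and a vulnerable wpa_supplicant goes one step further by installing an all-zero key. The following model, added here as an illustration and not code from wpa_supplicant or from this article, walks a simplified client through the handshake, a replayed message 3, and a few data frames, and reports whether the same key and nonce pair was reused. Class and function names, the 16-byte stand-in key, and the "frame record" in place of real CCMP encryption are assumptions made for the example.

```python
# Added illustrative model of the KRACK client-side defect and its fix.
# NOT wpa_supplicant code; names and the encryption stand-in are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ZERO_KEY = bytes(16)  # an all-zero 128-bit key: equivalent to no confidentiality at all


@dataclass
class Client:
    """Minimal model of the pairwise-key state a client keeps after the 4-way handshake."""
    clear_after_install: bool = False   # models the wpa_supplicant behaviour described in the text
    refuse_reinstall: bool = False      # models the patched behaviour: ignore Msg3 once the key is in use
    staged_ptk: Optional[bytes] = None  # key derived from the handshake, waiting to be installed
    installed_ptk: Optional[bytes] = None
    tx_pn: int = 0                      # CCMP packet number; the 802.11 key-install step resets it
    sent: List[Tuple[bytes, int]] = field(default_factory=list)  # (key, packet number) per frame sent

    def on_message3(self) -> str:
        """Process message 3 of the 4-way handshake, or a replayed copy of it."""
        if self.installed_ptk is not None and self.refuse_reinstall:
            return "ignored"                  # patched path: key already in use, state untouched
        if self.staged_ptk is None:
            return "no staged key"
        self.installed_ptk = self.staged_ptk  # (re)install the pairwise key ...
        self.tx_pn = 0                        # ... which starts the nonce counter over again
        if self.clear_after_install:
            self.staged_ptk = ZERO_KEY        # "wiping" the key copy leaves zeros for the next install
        return "installed"

    def send_frame(self) -> Tuple[bytes, int]:
        """Stand-in for encrypt-and-send: records which (key, nonce) pair protects this frame."""
        if self.installed_ptk is None:
            raise RuntimeError("no key installed")
        self.tx_pn += 1
        record = (self.installed_ptk, self.tx_pn)
        self.sent.append(record)
        return record


def nonce_reuse(sent: List[Tuple[bytes, int]]) -> bool:
    """True if one (key, packet number) pair protected two frames: keystream reuse under CCMP."""
    return len(set(sent)) != len(sent)


def run(client: Client, ptk: bytes = b"\x11" * 16) -> dict:
    """Handshake, two data frames, a replayed message 3, then one more data frame."""
    client.staged_ptk = ptk
    first = client.on_message3()
    client.send_frame()
    client.send_frame()
    second = client.on_message3()  # a retransmitted / replayed message 3 arrives
    client.send_frame()
    return {
        "first": first,
        "second": second,
        "final_key": client.installed_ptk,
        "nonce_reuse": nonce_reuse(client.sent),
    }


if __name__ == "__main__":
    cases = [
        ("unpatched client", Client()),
        ("wpa_supplicant-style client (wipes key after install)", Client(clear_after_install=True)),
        ("patched client", Client(refuse_reinstall=True)),
    ]
    for label, c in cases:
        r = run(c)
        print(f"{label}: replayed Msg3 -> {r['second']}, all-zero key: "
              f"{r['final_key'] == ZERO_KEY}, nonce reuse: {r['nonce_reuse']}")
```

Run as a script, the unpatched client shows nonce reuse under the real key, the wipe-after-install variant ends up sending under the all-zero key, and the patched client ignores the replayed message and keeps its counter moving forward. The fix modelled here is the one the text alludes to for clients: refuse to reinstall a key that is already in use, rather than trusting that message 3 arrives exactly once.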
How can an attack like this happen?
For an attack like this to occur, the attacker must be within radio range of the wireless network. They must be close enough to capture the unicast frames the client transmits after the 4-way handshake, once the attacker’s rogue access point is up. This attack cannot be launched remotely. The attacker must use a rogue access point to trick the client device into connecting to it (a “man in the middle” attack).
How big of a problem is this?
When the vulnerability was announced, there were nine client vulnerabilities and one vulnerability for infrastructure wireless devices. Seven of the nine client vulnerabilities relate to the 4-way handshake and the group key handshake.
The one critical vulnerability for infrastructure wireless hardware relates to 802.11r Fast Transition. Customers who have enabled 802.11r Fast Transition in their wireless infrastructure should install software patches from their wireless hardware vendor as soon as possible, or disable 802.11r until patches are available for all client and infrastructure devices.
At the time of the announcement, some held the opinion that KRACK was not newsworthy because it was in essence a “man in the middle” attack. Others quickly moved to disable 802.11r while they waited for the hardware manufacturers to release patches that close the vulnerability. The discovery was far reaching in its implications, but it remains to be seen how many networks are still vulnerable or are unaware they have been exposed.
At this time, the majority of hardware vendors and end-user device manufacturers have released software patches for the KRACK vulnerability, so wireless infrastructures deployed in the enterprise should have less difficulty patching it.
How to protect against future attacks
Mobile Device Management (MDM) solutions will aid agencies and enterprise customers in ensuring mobile devices are running a specific OS version before allowing the device to associate to an infrastructure SSID. Small wireless deployments without an MDM solution or IT staff to manage the wireless network will have more trouble finding updated software images, applying the updates and keeping track of end-user software versions.
If there are other vulnerabilities like the KRACK attack in the IEEE standards, they have yet to be discovered.
It’s unknown how many wireless networks will experience a KRACK attack. Chances are a wireless breach won’t be noticed immediately, and if it is discovered it may never be announced publicly. Past wireless security breaches only became newsworthy once their full scope was discovered. Either way, knowing what to do in the wake of a breach is always necessary.