Editor's Note: This blog post originally appeared on the SANS Security Awareness blog. This blog is a work in progress and will be actively updated as new information is released.
It was announced (Monday, 16 October, 2017) that the globally used WPA2 Wi-Fi security protocol has been broken. WPA2 is the security standard most commonly used by Wi-Fi networks around the world. The attack targets (and breaks) the 4-way handshake that establishes the unique encryption keys for a session. The attack is called KRACK by its author, Mathy Vanhoef. The security community is still learning the details and understanding its impact, so if you can hold off on communicating about it until everyone has a more complete picture, we would recommend doing so. Long story short, no need to panic. However, if you need to communicate something, here are some basics.
- The vulnerability impacts just about any device that uses WPA2 to connect to a Wi-Fi network, which today is about all of them. It affects not just smartphones, laptops and tablets, but also our favorite friend, IoT. Android devices appear to be the most vulnerable so far.
- Vendors are currently developing patches for this attack. Several, such as Microsoft, have already released patches. ZDNet has a great list of the patch status for the biggest vendors.
- This is not just a confidentiality issue. If you have any HTTP (non-encrypted) traffic on the network, not only can an attacker read that traffic, they can also launch attacks through it. As per the KRACK site: "As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting."
- There are no reports of this being actively exploited in the wild - yet.
- This is not a remote attack. A cyber criminal in one country cannot remotely hack into a Wi-Fi network in another country. The bad guy (or at least his device) has to be within Wi-Fi range of the targeted network. This requirement will help limit how fast this attack can scale.
- If your online connections are fully encrypted (such as over HTTPS), then you are protected against this attack. Examples are browser sessions that use HTTPS for all connections, or an email client using SSL to connect to your email server. Unfortunately, you expose yourself to risk if any of these sessions carries any unencrypted packets.
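To make the opening paragraph's point concrete, and to show why the last bullet holds, here is an added toy model (not code from this post or from the KRACK research): a simplified Wi-Fi client in which installing a session key resets its packet counter, driven through a retransmitted handshake message 3, which access points send whenever message 4 is lost. KRACK stands for Key Reinstallation Attack; the key schedule, counter and cipher below are constructed stand-ins, not real 802.11 code.

```python
"""Toy model of a WPA2 client during the 4-way handshake (constructed example).
It shows why a client that reinstalls an already-installed key reuses a
(key, nonce) pair, and why a client that refuses to reinstall does not."""
import hashlib
import hmac


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Stand-in for the WPA2 PRF: the session key depends on both nonces."""
    return hmac.new(pmk, b"PTK" + anonce + snonce, hashlib.sha256).digest()


def keystream(ptk: bytes, packet_number: int) -> bytes:
    """Stand-in for the per-frame keystream: a function of (key, nonce) only."""
    return hashlib.sha256(ptk + packet_number.to_bytes(6, "big")).digest()


class Supplicant:
    def __init__(self, pmk: bytes, hardened: bool):
        self.pmk, self.hardened = pmk, hardened
        self.ptk = None
        self.packet_number = 0

    def receive_msg3(self, anonce: bytes, snonce: bytes) -> None:
        ptk = derive_ptk(self.pmk, anonce, snonce)
        if self.hardened and ptk == self.ptk:
            return  # patched behaviour: never reinstall a key already in use
        self.ptk = ptk
        self.packet_number = 0  # key installation resets the nonce counter

    def encrypt(self, plaintext: bytes):
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number)
        return self.packet_number, bytes(p ^ k for p, k in zip(plaintext, ks))


def keystream_reused(hardened: bool) -> bool:
    """Handshake, one data frame, a retransmitted message 3, a second frame.
    Returns True when both frames were encrypted under the same (key, nonce),
    which is exactly the condition that lets a reader of the air recover the
    XOR of the two plaintexts; an HTTPS payload inside is still ciphertext."""
    pmk, anonce, snonce = b"\x11" * 32, b"A" * 32, b"S" * 32  # constructed
    client = Supplicant(pmk, hardened)
    client.receive_msg3(anonce, snonce)
    n1, _ = client.encrypt(b"first frame")
    client.receive_msg3(anonce, snonce)  # retransmission of message 3
    n2, _ = client.encrypt(b"other frame")
    return client.ptk is not None and n1 == n2
```

The unpatched client answers `keystream_reused(False)` with True, the patched one `keystream_reused(True)` with False; this is the behaviour vendor patches change, and why the page's advice to update every Wi-Fi client matters more than changing the Wi-Fi password.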
WHAT DO I TELL MY WORKFORCE?
- Tether: If you have reason to be concerned about this vulnerability, the simplest way to protect yourself is simply not to use Wi-Fi. Don't use Wi-Fi, you say? How can I work?! Easy: tether off your mobile device, especially in higher-risk situations such as when traveling or working away from the office.
- Corporate VPN: If you have a corporate VPN, ensure all staff are using the VPN for any Wi-Fi connection. You may want to take the opportunity to encourage people to use a personal VPN for their own personal use.
- Encrypted Sessions: If people cannot tether or do not have a VPN, then ensure any activity they are doing online is natively encrypted. This step is more limited, as some encrypted sessions (such as browsing) may also include unencrypted traffic. Another option is the HTTPS Everywhere plugin for browsers. To be honest, this behavior of always using encrypted sessions should apply regardless of whether a network is vulnerable to KRACK or not.
- Keep Systems Updated: As soon as a patch is released, ensure any device that connects to a Wi-Fi network is updated. This is a great opportunity to remind others why updating is so important, including enabling automatic updating. Perhaps even have people subscribe to the OUCH newsletter to learn more about the basics.
We will keep you updated here on the latest findings and what you can communicate to others.
Updated 17 Oct, 2017: Added information about latest patches available.