KRACK attack on all your devices

A significant and critical flaw (KRACK) has been discovered in Wi-Fi Protected Access II (WPA 2) by a researcher in Belgium. This vulnerability potentially leaves users’ devices open to attack when connected to Wi-Fi.

The US Computer Emergency Readiness Team (CERT) said today “several key management vulnerabilities in the four way handshake of WPA 2 security protocol” were discovered.

Patches are being made available for routers and Access Points. Devices using Android 6.0 or above, and Linux devices, are particularly vulnerable to attack.

We are actively looking at patching customer devices and advising on patching clients. In the meantime, however, we advise that businesses and consumers adopt the same security stance for private Wi-Fi networks as they would for public Wi-Fi networks. The KRACK flaw exposed by this research means that private networks can no longer be trusted, in the same way that public Wi-Fi networks cannot be trusted.

By adopting the following guidance, and training your employees to be vigilant, businesses can help protect their data while fixes are being rolled out.

1. Training

Make your employees aware of this flaw, and soon. Educate them on the risks of connecting their corporate (and own) devices via Wi-Fi, and keep reminding them of the risks involved. Even after patches are installed to protect private Wi-Fi, it’s still critical that employees receive regular training in IT security.

2. Get wired

If practical, make wired connections available for all your staff during this vulnerable period.

3. Don’t auto connect

All devices should be set so they don’t automatically connect to any network, even known “trusted” ones. There is no such thing as a trusted network, now that this flaw has been uncovered. Double check the settings on all devices.

4. Turn off

Turn off Wi-Fi on all devices when not in use. This small extra step will help protect your devices, making them non-discoverable by a “bad actor”.

5. Don’t share

This is a good time to turn off file sharing and AirDrop options and enable built-in firewalls. If you have to use Wi-Fi, be careful what you’re accessing. Issue a company-wide policy on file sharing and set out simple step-by-step procedures to ensure it is followed.

6. Keep up to date

As part of your internal communications around this issue, you should actively encourage all employees to accept and install updates as soon as they are offered. You should also fully audit your antivirus and anti-malware software, to make sure they’re up to date and fit for purpose.

7. Use HTTPS

Train your employees to look out for the green padlock in the browser and to use HTTPS websites, as a reassurance that the website is protected.

8. Use a Virtual Private Network (VPN)

The best protection from an untrusted network is direct, encrypted access to a trusted one. Using a corporate VPN when you’re out and about will ensure data is encrypted between you and the service provider.

9. 4G access

Another network that helps get around the Wi-Fi vulnerability is the 4G network. If you have coverage, use your mobile network to access the internet. But don’t use your phone as a hotspot – it will create a Wi-Fi connection between devices, which creates the vulnerability we’re trying to avoid.

10. MFA

Multi-factor authentication will help protect devices and data from compromised passwords, especially if the same password has been used across many services. While a “bad actor” might be able to get hold of your password, without the 2nd or 3rd factor, they won’t be able to get access to data.
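One way to carry out the "double check the settings" advice from point 3 on Linux machines managed by NetworkManager, shown as an added example that is not part of the original article. The profile names in the sample are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list saved Wi-Fi profiles that still auto-connect.
# Assumes a Linux host managed by NetworkManager (nmcli).

# Reads `nmcli -t -f TYPE,AUTOCONNECT,NAME connection show` output on stdin
# and prints the name of every Wi-Fi profile with autoconnect enabled.
# NAME is requested last so that a ':' inside a profile name (escaped by
# nmcli terse mode as '\:') stays in the final field.
list_autoconnect_wifi() {
  local type auto name
  while IFS=: read -r type auto name; do
    case "$type" in
      802-11-wireless|wifi) ;;   # Wi-Fi profile: keep checking
      *) continue ;;             # ethernet, vpn, ...: not relevant here
    esac
    [ "$auto" = "yes" ] || continue   # already set to manual connection
    # Undo terse-mode escaping ('\:' -> ':', '\\' -> '\').
    printf '%s\n' "$name" | sed 's/\\\(.\)/\1/g'
  done
}

# Constructed sample of nmcli terse output (not taken from a real host).
SAMPLE_PROFILES='802-11-wireless:yes:HeadOffice
802-3-ethernet:yes:Wired connection 1
802-11-wireless:no:HomeWiFi
802-11-wireless:yes:Cafe\: Guest
vpn:no:Corporate VPN'

# Same check against the live system (not called here, so the example
# runs offline). Each profile it reports can be switched to manual with:
#   nmcli connection modify "<profile name>" connection.autoconnect no
audit_live() {
  nmcli -t -f TYPE,AUTOCONNECT,NAME connection show | list_autoconnect_wifi
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PROFILES" | list_autoconnect_wifi
```
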

If you are unsure of how this discovery of KRACK could affect you, and what action you should take, please contact us.

2 Comments

  1. Oliver H 17th October 2017 at 5:44 pm

    I think a bit of perspective is in order. For all the hype in the press this is a relatively unimportant issue:

    * Windows and iOS clients are almost totally unaffected. Windows already has patches to totally fix (as does Linux, although generally not Android yet).
    * Any attacker has to be physically present on the premises – you can’t attack wifi across the internet
    * There is no ready-made code available publicly to exploit this flaw: it would take very skilled attackers to write anything that could hack your wifi. This is unlikely before patches come out either for your devices or APs.
    * There are probably several dozen easier ways of hacking your organisation – your time would likely be spent more productively auditing to make sure no network equipment has default passwords set, blocking SMB, etc.

    Basically: apply normal security common sense, and don’t panic!

    • Spectrum Internet 7th November 2017 at 2:05 pm

      Oliver,

      Thanks for your comment. Please find our response to each of your points below.

      “think a bit of perspective is in order. For all the hype in the press this is a relatively unimportant issue:”

      A sense of perspective is indeed always useful in such circumstances, and as our article states, this exploit could mean that trust of Private WiFi networks is compromised, so we advise taking a similar stance, for now, as you would take on a Public WiFi network. Of course the risk of using trusted private WiFi networks protected by WPA2 will still be lower than using Public WiFi. We disagree that this is a ‘relatively unimportant issue’. It was important enough for the security community to respond rapidly and for the NCSC to publish specific guidance. https://www.ncsc.gov.uk/krack

      “* Windows and iOS clients are almost totally unaffected. Windows already has patches to totally fix (as does Linux, although generally not Android yet).”

      At the time of writing the full picture with regards to Windows and iOS vulnerability was not clear but the risk related to Android phones was well understood and there were (and still are) no available patches.

      “* Any attacker has to be physically present on the premises – you can’t attack wifi across the internet”
      There are definitely limitations to this type of attack, and proximity to the network is necessary – however you do not need to be on the premises.

      “* There is no ready-made code available publicly to exploit this flaw: it would take very skilled attackers to write anything that could hack your wifi. This is unlikely before patches come out either for your devices or APs.”

      The tools to easily exploit this vulnerability do exist and are going to be released. Also, as with all such matters, we make an assumption that they do exist. This exploit has been in place forever and to assume this is the first time it has been discovered is a risky position to take. Some manufacturers have responded quickly, but the biggest risk is related to Android handsets as these are among if not the most prevalent WiFi clients and compromise of them is ‘trivially easy’. Patches for Android may take weeks to roll out.

      “* There are probably several dozen easier ways of hacking your organisation – your time would likely be spent more productively auditing to make sure no network equipment has default passwords set, blocking SMB, etc.

      Basically: apply normal security common sense, and don’t panic!”

      Don’t Panic is always good advice! Every high-profile security issue is a good reminder to review our general security stance and practices, and time spent doing those things is always well spent. If a business has a sensible ongoing regime in place for addressing Cyber Security, then this risk will be addressed as part of that. However, a sensible security approach addresses all risks as they become known, and this risk, particularly as it applies to Android handsets, is significant enough that every organisation should spend time considering their response.

      Thanks

      Spectrum Internet
