Today, a series of high-severity vulnerabilities affecting the WiFi Protected Access II (WPA2) protocol were disclosed. Security researchers have developed a proof of concept (POC) demonstration, dubbed “KRACK”, and a dedicated website through which further details are likely to be released.
An advisory was distributed by the US CERT to a select number of unidentified organizations stating the following malicious activities could occur should an attacker successfully exploit the vulnerabilities: decryption, packet relay, TCP connection hijacking, and HTTP content injection attacks.
Here’s what we know – and do not yet know – so far.
What we know about KRACK Attacks
It’s likely that a large number of devices which use WiFi are exposed to this vulnerability, but only works if the attacker is within the victim’s network range. However, an attack requires the physical presence of an attacker to the victims’ network.
Fig 1 – A screenshot of a POC demonstration for KRACK. Source: hxxps://www[.]youtube[.]com/watch?time_continue=13&v=Oh4WURZoR98
Researchers have demonstrated a proof of concept (POC) attack, dubbed “Krack attack”, targeting an Android smartphone; a video for which showed how all the data transmitted by the victim could be decrypted. The video showed a plaintext downgrade attack against TLS/SSL via sslstrip Details of this are available on a dedicated website; hxxps://www[.]krackattacks[.]com/. Linux and Android versions 6.0 and above are particularly effected, though the list of vulnerable devices is extensive.
What we do not know about KRACK Attacks
While there is a proof of concept demonstration, there was no proof of concept code released, and no public indication these vulnerabilities had been exploited in the wild. Although the POC video gave a good overview of the exploit, the exact technical knowledge required to successfully conduct this type of attack is unknown.
We have not yet observed the vulnerability exploited in the wild. criminals have showed an interest. This is confirmed by conversations on criminal forums, with users interested – yet skeptical – of finding a quick exploit.
Fig 2 – Discussion of KRAK on a criminal forum
What you can do about it
The US CERT reiterates that the vulnerabilities could potentially be used to conduct arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames by conducting a man-in-the-middle (MiTM) style attack. Of course, not all devices are equally affected, but the research paper outlines these differences.
In order to manage the risk, here’s five steps organizations can take:
- Enumerate connected devices. Use your wireless control software to enumerate all connected devices and create an inventory. The connected devices will give an indication of the risk posed. Look out for internet of things, such as printers, and any Android or embedded Linux devices.
- Patch your vulnerable connected devices. The first priority is, predictably, to patch vulnerable devices. More patches are expected over the next 24 hours, so monitor for updates. As mentioned earlier in the blog, Bleeping Computer and US CERT have both provided good updates on this.
- Adopt a second layer of security. Despite well-known issues with some VPNs, having non-wired internet users connected by VPN is a good interim measure. Adopting cryptographic protocols, such as Transport Layer Security (TLS/SSL), is another option.
- Consider a wired connection. Based on the extent to which your connected devices are vulnerable, consider switching to an Ethernet connection. While this might not be scalable for an enterprise campus, it is a consideration should the severity increase over the upcoming days.
- Stay up-to-date on the latest KRACK news. There will be more to come, so stayed tuned for further updates.
By Michael Marriott, Digital Shadows security expert