Early this week, researchers revealed a vulnerability called “KRACK”, a flaw present in nearly all Wi-Fi networks. An attacker could use this vulnerability to completely defeat the most common Wi-Fi protection, WPA2, allowing them to read encrypted traffic or impersonate a web site. This attack does not affect secured applications or web sites that use trusted encryption, such as any HTTPS site that shows a closed padlock in the address bar. But because it can expose other security problems on your network and with your internal applications, Atomic Data advises everyone to apply patches that fix the issue to both Wi-Fi access points and Wi-Fi clients as soon as they are available.
How should we proceed? Because so many manufacturers are involved, it may take weeks or months for fixes to appear for all Wi-Fi clients. Wi-Fi access points are expected to be fixed more quickly, so Atomic Data advises a prioritized approach:
- First, secure your home and office Wi-Fi networks by updating your access points with recent firmware updates that include the fix.
- Then, diligently secure your Wi-Fi clients over time by patching all of your Wi-Fi devices as soon as the manufacturer releases final versions of the fix.
- Microsoft’s Windows October Update is available now and includes the fix. Apple’s fixes for macOS and iOS are nearing release. Google will have a fix for affected Android versions soon.
- It is possible that certain older and unsupported devices cannot be fixed; you will want to disable them, replace them with newer models, or ensure that their access to sensitive data is adequately restricted.
- If you transmit sensitive information over your wireless network without application encryption, you may want to consider enhancing application security, using a VPN for sensitive applications and data, or moving to wired-only communications until fixes are applied.
- WEP and WPA are not suitable protocols to use as stopgaps until WPA2 is fixed, since both are already known to be insecure, easily exploitable, and unfixable.
Technically, what’s going on? Researchers discovered flaws in the 4-way handshake of the WPA2 key exchange process, which is used by both WPA2 Personal and WPA2 Enterprise. They developed a proof-of-concept exploit called KRACK (Key Reinstallation Attacks), which works against WPA2 with all of its encryption methods. The handshake can be interrupted at step 3, at which point a Wi-Fi client can be tricked into installing a previously used, supposedly temporary encryption key (“reinstallation”). Reinstalling the key also resets the per-packet counters associated with it, so the same keystream is used more than once; this re-use allows encrypted traffic to be manipulated and eventually decrypted.
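As an added illustration (not Atomic Data’s code and not the researchers’ proof of concept), here is a toy model of how a client handles handshake message 3, showing why reinstalling an already-installed key is dangerous and what the fix looks like. The stream cipher, key value and frame contents are all constructed for the example.

```python
# Toy model of the client side of the WPA2 4-way handshake (constructed example).
# A vulnerable client re-runs key installation on a replayed message 3, which
# resets its packet nonce; a patched client ignores the retransmission.
import hashlib

def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Toy stream cipher: keystream depends on the key and the packet nonce."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall  # True models the patched behaviour
        self.ptk = None
        self.nonce = 0

    def on_message3(self, ptk: bytes) -> None:
        """Handshake message 3: install the pairwise key and reset the packet nonce.
        Running this a second time for a key already in use resets the nonce,
        which is the key-reinstallation flaw."""
        if self.reject_reinstall and self.ptk == ptk:
            return  # patched: key already installed, ignore the retransmission
        self.ptk = ptk
        self.nonce = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))
        self.nonce += 1
        return ct

def keystream_reused(reject_reinstall: bool) -> bool:
    """True if two frames sent around a replayed message 3 share a keystream."""
    ptk = hashlib.sha256(b"constructed-ptk").digest()   # constructed key
    client = Client(reject_reinstall)
    client.on_message3(ptk)
    frame1 = b"GET /login?user=alice HTTP/1.1"          # constructed frame
    frame2 = b"POST /api/transfer HTTP/1.1"             # constructed frame
    c1 = client.encrypt(frame1)
    client.on_message3(ptk)                              # message 3 arrives again
    c2 = client.encrypt(frame2)
    # With a shared keystream, c1 XOR c2 equals frame1 XOR frame2, so a passive
    # listener learns the XOR of the plaintexts without knowing the key.
    return xor(c1, c2) == xor(frame1, frame2)
```

Run with `keystream_reused(False)` to see the vulnerable client leak keystream reuse, and `keystream_reused(True)` to see the patched client keep its nonce moving forward.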
Well, are wireless networks safe at all? Yes! This exploit does not allow a successful attacker to break other forms of encryption that you might be using with applications or through your web browser via HTTPS. However, if you use applications or web sites that do not use encryption or that display certificate errors or other warnings about being insecure, there is an opening for an attacker to be a “man-in-the-middle” and intercept anything transmitted in the session. Until fixes are installed on all Wi-Fi clients, you should consider your WPA2 wireless network to be similar to an open, password-less network, like what you might find at your favorite coffee shop.
What are manufacturers doing? Manufacturers are currently working to create patches to resolve the vulnerabilities. Microsoft addressed the vulnerabilities in their October Security Update; customers running supported versions of Windows can look for that specific update to ensure their system is patched. Apple says that it has released patches in previous developer beta releases, which will be published to all users soon. Aruba Networks, Meraki, Aerohive, and Ubiquiti have already released software patches. Cisco, Ruckus, Extreme Networks and others have published security advisories and will be releasing software updates as well.
Atomic Data will be pushing available patches to Atomic Data managed systems as they become available. Not a client and want to learn more about Atomic Data Patch Management? Contact us today and we can help secure your network and devices.
Check out the first Atomic Data Video Blog about the Wi-Fi Vulnerability here.