
Critical Vulnerability in WiFi Encryption Protocols

ISC has notified us about an existing vulnerability in current wireless encryption protocol standards (WPA1/WPA2).

An attacker within range of a victim can exploit these weaknesses using Key Re-installation Attacks (“KRACKs”).  These attacks can be used to read Wi-Fi network traffic that was previously assumed to be encrypted. This can be abused to reveal sensitive information transmitted through unencrypted protocols, like standard (HTTP) web browsing, FTP, and other unencrypted communications. Additionally, this attack can be used to spoof website responses (such as redirecting you to a fake or malicious website).

The vulnerabilities are in the Wi-Fi standard itself, and not in individual products or implementations.  To prevent the attack, users must update affected products as soon as security updates become available.  Researchers discovered that Android, Linux, macOS/iOS, Windows, OpenBSD, MediaTek, Linksys, and other operating systems/devices are all currently affected by some variant of the attack[2].

Remediation and mitigation:

  • Operating systems, including Windows, macOS, iOS, and Android, should be patched as soon as patches are available. We will send additional notices as patches become available.
  • WPA1 and WEP should NOT be used instead of WPA2 – even with this new attack, WPA1/WEP are still considered much less secure than WPA2.
  • This attack does not break HTTPS/SSL connections – however, in certain scenarios, downgrade attacks may be possible.  To reduce this risk, we recommend the following:
    • Using a VPN service whenever connected to a Wi-Fi access point.
    • Using the “HTTPS Everywhere” browser plugin[3] to prevent downgrade attacks for HTTPS (secure) websites.
    • Ensuring any website you are about to enter sensitive information into is SSL secured (with the padlock icon) and displays the correct URL.

Additional points and takeaways:

  • It is unknown if this vulnerability is currently being exploited in the wild, but as the research for this attack has been published, it is anticipated that it soon will be.
  • Both WPA2 Personal & Enterprise are affected.
  • This is the first workable attack against WPA2 that does not use password guessing – incidentally, the WPA2 password itself is not exposed to the attacker.

For further information, please see the following reference links:

[1] https://www.krackattacks.com

[2] https://papers.mathyvanhoef.com/ccs2017.pdf

[3] https://www.eff.org/https-everywhere

 

Additionally, below are links/references to some of the major vendors who have released patches for the vulnerabilities discussed above:

Windows 7, 8, 8.1, 10: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

Intel Wi-Fi: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101&languageid=en-fr

Aruba: http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/EntryId/27269/Default.aspx

Debian: https://www.debian.org/security/2017/dsa-3999

Red Hat: https://access.redhat.com/security/vulnerabilities/kracks

Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Fortinet: http://docs.fortinet.com/uploaded/files/3961/fortiap-v5.6.1-release-notes.pdf

Linksys: https://www.linksys.com/us/support-article?articleNum=246427

Netgear: https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837

Ubiquiti: https://community.ubnt.com/t5/UniFi-Updates-Blog/FIRMWARE-3-9-3-7537-for-UAP-USW-has-been-released/ba-p/2099365

Raspberry Pi: https://raspberrypi.stackexchange.com/questions/73879/rpi-vulnerable-for-wi-fi-wpa2-krack-attack/73908#73908

It is recommended to apply the patches referenced above for all affected equipment.