KRACK Wi-Fi attack threatens all networks: How to stay safe and what you need to know
The vulnerability known as "KRACK", short for Key Reinstallation Attack, targets the four-way handshake of the WPA2 protocol. Mathy Vanhoef, who published the flaw, says that it may allow an attacker within Wi-Fi range to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
Vanhoef also points out that the main attack is against the 4-way handshake and does not exploit access points; it targets clients instead. Your router may therefore not require a security update.
For more details (background information and a video demo), refer to the article published by Vanhoef:
https://www.krackattacks.com/
Is Wi-Fi security broken?
Yes and no - obviously there are some inherent vulnerabilities in the way the protocol is implemented which need to be addressed. In the short term this can be rectified with patches to the client devices and/or the access points; in the long term, though, the way in which wireless security is achieved needs to be addressed.
Keep in mind that for this vulnerability to be exploited, an adversary needs to achieve the following:
- Be within range of a client device at the same time as the 4-way handshake is occurring.
- Spoof the client device MAC address.
- Have a device with dual wireless network cards set up as a MITM (man in the middle).
Although tough, the above steps aren’t beyond the realms of possibility for a determined individual. If we take the average wireless network deployment within an enterprise, for example, most don’t have a dedicated WIDS/WIPS (Wireless Intrusion Detection/Prevention Solution) in place, which would be required to detect these particular attack vectors (MITM or MAC spoofing). At best they rely on the built-in heuristics-based rogue detection that is part of the existing wireless solution's functionality. These systems carry out what’s known as background scanning to detect threats, but this isn’t full-time monitoring: it usually scans only one frequency band at a time in between serving wireless clients, and it generally won’t detect MITM or MAC-spoofing-based attacks. This leaves a rather large window of opportunity for an attacker.
If we then factor in the ever-increasing BYOD culture found in around 75% of organisations these days, that window of opportunity grows, as there is an increased chance of client devices on the network which haven’t been patched due to lack of user awareness or lack of patch availability from the relevant vendor. Add all of this together and it becomes very clear that full-time WIDS/WIPS is a must in the modern wireless-enabled enterprise environment.
Defense in the air is what we need
WIDS/WIPS solutions are equipped with countermeasures to neutralise exactly these types of attack vector with little effort. For example, MAC spoofing and MITM-based attacks are addressed with ease and require little more than a check box being ticked in the wireless security solution to mitigate them. Once these functions have been enabled, should an instance of MAC spoofing or a MITM attack be detected by the full-time sensors, they will automatically defend the network and quarantine the offending devices, whilst alerting the network security team to the incident and giving location details based on the RF signature of the devices involved.
Based on this functionality, what we have in the case of the WPA2 KRACK vulnerability is zero-day protection, with no need to rely on patching devices before the network can be deemed secure again.
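To make the detection side concrete, here is an added example (not code from the article or from any WIDS/WIPS vendor) of two simple monitor-mode checks a full-time sensor can run: the same BSSID beaconing on more than one channel (the cloned access point a channel-based MITM needs) and repeated retransmission of message 3 of the 4-way handshake to one client (the trigger for a key reinstallation). The event log format and the thresholds are assumptions constructed for the example.

```python
"""Toy WIDS-style checks over a constructed, simplified 802.11 event log.
Each event is a dict; the field names here are assumptions, not a real format."""
from collections import defaultdict

# Constructed sample observations (not captured traffic): one legitimate AP
# "corp" seen on channel 6 and a clone of it on channel 11, then three copies
# of handshake message 3 sent to the same client, plus an unrelated guest AP.
EVENTS = [
    {"t": 1.0, "type": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "corp", "ch": 6},
    {"t": 1.1, "type": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "corp", "ch": 11},
    {"t": 2.0, "type": "eapol", "bssid": "aa:bb:cc:00:00:01", "client": "de:ad:be:ef:00:01", "msg": 3},
    {"t": 2.5, "type": "eapol", "bssid": "aa:bb:cc:00:00:01", "client": "de:ad:be:ef:00:01", "msg": 3},
    {"t": 3.0, "type": "eapol", "bssid": "aa:bb:cc:00:00:01", "client": "de:ad:be:ef:00:01", "msg": 3},
    {"t": 4.0, "type": "beacon", "bssid": "aa:bb:cc:00:00:02", "ssid": "guest", "ch": 1},
]


def find_cloned_bssids(events):
    """Return {bssid: sorted channel list} for every BSSID beaconing on more
    than one channel. A real AP has one BSSID per radio, so a second channel
    for the same BSSID is a rogue clone (the MITM setup described above)."""
    channels = defaultdict(set)
    for e in events:
        if e["type"] == "beacon":
            channels[e["bssid"]].add(e["ch"])
    return {b: sorted(c) for b, c in channels.items() if len(c) > 1}


def find_msg3_replays(events, max_msg3=2, window=30.0):
    """Return {(bssid, client): count} where handshake message 3 was seen more
    than max_msg3 times within `window` seconds. One retransmit is normal
    (the client's reply was lost); a burst of them is the reinstallation signal."""
    seen = defaultdict(list)
    for e in events:
        if e["type"] == "eapol" and e["msg"] == 3:
            seen[(e["bssid"], e["client"])].append(e["t"])
    alerts = {}
    for key, times in seen.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > max_msg3:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    print("cloned BSSIDs:", find_cloned_bssids(EVENTS))
    print("message-3 replays:", find_msg3_replays(EVENTS))
```

Real sensors also correlate the RF signature of the two transmitters, which is what lets them locate the offending device rather than only flag it.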