Today researchers have disclosed major weaknesses in WPA2. Called KRACK (Key Reinstallation Attacks), it can allow an attacker to decrypt WPA2 traffic and, in some cases, inject or tamper with data. The attack targets the 4-way handshake that establishes encryption between a client device and the access point. As a result, virtually all WiFi client devices are impacted today.
So what are the impacts? First, and most obviously, data sent over encrypted channels is potentially visible to attackers. In the case of Linux and Android devices, attackers can force the device to install an all-zero encryption key, putting all of the device's traffic in the clear. Devices using TKIP and GCMP are additionally susceptible to having the traffic they send modified or having code injected into their transmissions. In the case of FT handshakes, traffic can potentially be forged and injected going TO the client. All told, this means that:
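To make the mechanism above concrete, here is an added Python model (not Armis code or the researchers' code) of what a retransmitted handshake message 3 does to an unpatched client: the key is reinstalled and the CCMP packet number (the nonce) restarts at zero, so keystream is reused; the `wipes_tk` flag models the Linux/Android case where the real key has been wiped from memory and an all-zero key gets installed. Key material, frame events and the simplified state machine are constructed for the example.

```python
# Model of the KRACK key-reinstallation flaw. A client that accepts a repeated
# message 3 after installing its key resets the CCMP packet number, reusing
# nonces; the Linux/Android variant installs an all-zero key instead.
from dataclasses import dataclass, field

KEY_LEN = 16  # CCMP temporal key (TK) length in bytes


@dataclass
class Client:
    patched: bool            # patched: a repeated message 3 does not reinstall the key
    wipes_tk: bool = False   # Linux/Android variant: TK zeroed in memory after first install
    installed: bool = False
    tk: bytes = b""
    pn: int = 0              # CCMP packet number; any (re)install resets it to 0
    nonces_used: list = field(default_factory=list)

    def on_msg3(self, negotiated_tk: bytes) -> bool:
        """Handle a (possibly retransmitted) message 3; return True if a key was installed."""
        if self.installed and self.patched:
            return False  # key already installed: keep it and keep counting nonces
        if self.installed and self.wipes_tk:
            negotiated_tk = bytes(KEY_LEN)  # real TK was wiped, so zeros get installed
        self.tk, self.pn, self.installed = negotiated_tk, 0, True
        return True

    def send(self) -> tuple:
        """Stand-in for CCMP encryption: record the (key, nonce) pair a frame would use."""
        nonce = (self.tk, self.pn)
        self.nonces_used.append(nonce)
        self.pn += 1
        return nonce


def simulate(patched: bool, wipes_tk: bool = False) -> dict:
    """Handshake, two data frames, a replayed message 3, one more frame."""
    c = Client(patched=patched, wipes_tk=wipes_tk)
    tk = bytes(range(KEY_LEN))  # constructed TK for the example
    c.on_msg3(tk); c.send(); c.send()  # normal install; packet numbers 0 and 1 used
    reinstalled = c.on_msg3(tk)        # retransmitted message 3 arrives
    c.send()                           # vulnerable client reuses packet number 0
    return {"reinstalled": reinstalled,
            "nonce_reuse": len(c.nonces_used) != len(set(c.nonces_used)),
            "all_zero_key": c.tk == bytes(KEY_LEN)}


def msg3_after_msg4(eapol_events: list) -> int:
    """Defender-side indicator over a constructed EAPOL event list: count message-3
    frames seen after the client's message 4. Lost message 4s cause benign repeats,
    so a non-zero count is a signal to investigate, not proof of an attack."""
    seen_msg4, count = False, 0
    for msg in eapol_events:
        if msg == "msg4": seen_msg4 = True
        elif msg == "msg3" and seen_msg4: count += 1
    return count
```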
The good news is that, unlike WEP, which was fundamentally broken, WPA2 devices simply need a patch to protect against KRACK attacks. However, since the weakness primarily exists on the client side, essentially every wireless device will need to be updated.
As was the case with the recently disclosed BlueBorne vulnerabilities, this is easier said than done. Updates for smartphones can take a while to be delivered by the carrier, and even longer for users to apply. SOHO and IoT devices rarely receive updates at all and are hard to update even in the best of cases.
If you worked in IT security in the early 2000s, this can feel a bit familiar. We knew that WEP was broken, but there were plenty of devices in the field that just couldn't support WPA yet. They were effectively unpatchable. As mentioned above, with a KRACK attack WPA2 is not broken in the way WEP was, but there are exponentially more devices now that are effectively unpatchable. In the case of WPA2, the illness is not terminal, but there is a much larger population that we don't know how to treat.
It will likely be a long few weeks and months for IT, as there will be a very large number of devices to update. There is also the possibility of active attacks against devices and the network that will need to be mitigated, and Armis can help in both cases.
Armis already senses and alerts on this kind of behavior. Customers have received notifications of this kind of High Risk Activity even prior to the discovery of KRACK. Moving forward, Armis will include a specific warning of "KRACK attack attempt detected." Customers can investigate these alerts or set a policy to actively block and mitigate.
Other recommendations include:
For additional questions, please contact [email protected].