Today researchers have disclosed major weaknesses in WPA2. Called a Krack attack (key reinstallation attacks), itcan allow an attacker to decrypt WPA2 traffic and in some cases inject or tamper with data. The attack targets the 4-way handshake that establishes encryption between a client device and the access point. As a result, virtually all WiFi client devices are impacted today.
So what are the impacts? First, and most obviously, data sent over encrypted channels will be potentially visible to attackers. In the case of Linux and Android devices, attackers can force the device to install an all 0 encryption key, putting all the device' traffic in the clear. Devices using TKIP and GCMP are additionally susceptible to having the traffic they send modified or code injected into their transmissions. In the case FT handshakes, traffic can be potentially forged and injected going TO the client. All told, this means that:
- Data is at risk for all devices.
- Applications can potentially be attacked by affected clients by injecting malicious traffic from the client side.
- Clients can potentially be attacked and man-in-the-middled by injecting traffic to the client.
Krack Attack - Patching and Going Back to the Future
The good news is that unlike WEP, which was fundamentally broken, WPA2 devices simply need a patch to protect against Krack attacks. However, since the weakness primarily exists on the client side, essentially every wireless device will need to be updated.
As was the case with the recently disclosed BlueBorne vulnerabilities, this is easier said than done. Updates for smartphones can take a while to be delivered by the carrier and even longer for users to apply those updates. SOHO and IoT devices rarely receive updates and at all and are hard to update even in the best of cases.
If you worked in IT security in the early 2000s, this can feel a bit familiar. We knew that WEP was broken, but there were plenty of devices in the field that just couldn't support WPA yet. They were effectively unpatchable. As mentioned above with a Krack attack, WPA2 is not broken in the way WEP was, but there are exponentially more devices now that are effectively unpatchable. In the case of WPA2, illness is not terminal, but there is a much larger population that we don't know how to treat.
Advice For Armis Customers
It will likely be a long few weeks and months for IT as there will be a very large number of devices to be updated. There is also the possibility of active attacks against devices and the network that will need to be mitigated, and Armis can help in both cases.
Armis already senses and alerts on this kind of behavior. Customers receive notifications of any such High Risk Activity of this kind - even prior to the discovery of KRACK. Moving forward, Armis will include a specific warning of "KRACK attack attempt detected." Customers can investigate these alerts or set a policy to actively block and mitigate.
Other recommendations include:
- Know Your Wireless Attack Surface - Before you can patch all your wireless devices, you have to know about them all. Use Armis to provide a full inventory of all wireless devices including unmanaged and IoT devices in your environment even if they aren't yet connected to your enterprise network.
- Monitor for Abnormal Client Behavior - Krack attacks can allow an attacker to act similarly to a WiFi pineapple and to man-in-the-middle an affected client. Armis identifies and alerts this device behavior. When devices are trying to connect to other devices or malicious devices acting as a pineapple, Armis will alert in our console under Alerts.
- Monitor for Exposed Traffic - When possible, it is much easier for an attacker to use an all 0 encryption key to see traffic. Set Armis policies to alert on exposed data.
- Disable and Monitor for FT (Fast Transmission) - The use of FT opens clients where means traffic can be forged to the client and opens up a variety of client side attacks.
- Closely Monitor for Repeated Disconnects and Initial Associations - Since the attack targets the initial handshake, attackers may attempt to disassociate clients in order to trigger a new handshake to attack. Use Armis to track abnormal amounts of associations and disassociations.
- Block Suspicious Connections and Isolate Suspicious Devices - Since attackers can lure vulnerable devices into malicious connections, it is not enough to simply deny access to the corporate network. Use Armis to break malicious WiFi connections and to isolate potentially compromised devices.
- Switch to AES-CCMP - Given the exposure of TKIP and GCMP, consider switching to using AES-CCMP as your encryption scheme for WiFi if you are not already on it.
For additional question, please contact firstname.lastname@example.org.