We’ve been KRACKed – Insecure Wi-Fi strikes again
So what is KRACK?
This week a researcher at the Belgian university KU Leuven revealed that he had discovered a previously unknown vulnerability in the WPA2 Wi-Fi security protocol. The vulnerability, dubbed KRACK, would allow a hacker to intercept traffic passing between any device (phone, tablet, laptop, IoT device etc.) and a Wi-Fi access point, even when it is ‘protected’ by the most secure and widely available Wi-Fi encryption protocol, WPA2. Because the vulnerability is in the core WPA2 protocol, rather than in, for example, a particular manufacturer’s chipset or software component, billions of devices are potentially impacted. As a result, the vulnerability, if not addressed, has the potential to undermine the entire Wi-Fi security model.
The vulnerability was confidentially disclosed to the Wi-Fi Alliance some time ago and manufacturers have been quietly releasing or preparing patches. This will work well for end-user equipment such as smartphones and laptops. Infrastructure such as routers and access points, or IoT equipment such as home entertainment systems or security cameras, will undoubtedly prove more difficult to update.
The practical significance of the vulnerability is probably less than might appear at first sight. Exploiting the vulnerability requires sophisticated skills and the attacker needs to be in close physical proximity to the target, i.e. it’s not an exploit that can be executed remotely. Secondly, and more importantly, the vulnerability only impacts the encryption designed to protect radio transmissions from being snooped upon. Today the vast majority of web communications containing potentially sensitive data (enterprise comms, banking, e-commerce etc.) is encrypted using SSL/TLS. This means that it’s difficult, verging on impossible, to successfully intercept the underlying data even if the transport link has been compromised.
Encrypt, Encrypt, Encrypt
Corrata’s advice is that enterprises must operate on the assumption that the networks over which their mobile device traffic will travel are not to be trusted. Therefore all sensitive communications (and in an enterprise context, particularly in a world of GDPR, it’s hard to identify communications that are not sensitive) should be encrypted. This means securing communications between browsers/apps and web servers with TLS. Critically, don’t just rely on your developers to apply this – you need to monitor the encryption status of communications coming from your mobile devices to ensure that TLS (and not earlier encryption standards such as SSL) is used at all times. This way you can be confident that your communications will never get KRACKed!
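One way to check the encryption status of a connection, as an added example that is not Corrata's code: read the version a server selected in its ServerHello and flag anything that is not TLS. The function names are hypothetical, the sample records are constructed rather than captured, and the parser assumes the whole ServerHello arrives in the first record.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(server_bytes):
    """Name the protocol version a server chose, from its first bytes on the wire."""
    try:
        # Record header: type 0x16 (handshake), version (2 bytes), length (2 bytes)
        if server_bytes[0] != 0x16 or server_bytes[1] != 0x03:
            return "not-tls"
        # Handshake header: type 0x02 (ServerHello), 3-byte length, then the body
        if server_bytes[5] != 0x02:
            return "not-tls"
        body = server_bytes[9:9 + int.from_bytes(server_bytes[6:9], "big")]
        (version,) = struct.unpack_from("!H", body, 0)
        pos = 34                      # skip version (2) + random (32)
        pos += 1 + body[pos]          # skip session id
        pos += 3                      # skip cipher suite (2) + compression (1)
        if pos + 2 <= len(body):      # an extensions block is present
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= min(end, len(body)):
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                # TLS 1.3 reports its real version in supported_versions (type 43)
                if ext_type == 43 and ext_len == 2:
                    (version,) = struct.unpack_from("!H", body, pos + 4)
                pos += 4 + ext_len
        return NAMES.get(version, "unknown")
    except (IndexError, struct.error):
        return "malformed"            # truncated or inconsistent lengths

def violates_policy(label):
    """Policy from the text: only TLS is acceptable, not SSL and not cleartext."""
    return not label.startswith("TLS")

def build_server_hello(legacy_version, supported_version=None):
    """Constructed sample input: a minimal ServerHello record, not captured traffic."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", 43, 2, supported_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake

if __name__ == "__main__":
    samples = {"legacy server": build_server_hello(0x0300),
               "modern server": build_server_hello(0x0303, 0x0304),
               "cleartext HTTP": b"HTTP/1.1 200 OK\r\n"}
    for name, data in samples.items():
        label = negotiated_version(data)
        print(name, label, "VIOLATION" if violates_policy(label) else "ok")
```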