Earlier this year, wireless geeks celebrated the 20th birthday of Wi-Fi, the mobile networking technology we rely on every day for work and play. Whether you’re connected to Syracuse University’s AirOrange, your home network, or public hotspots, Wi-Fi is a mission-critical service; most of us can’t live without it.
Until last week, we all thought Wi-Fi was adequately protected by a smartly-designed, albeit complex, security architecture standardized by the IEEE in 2004. Most of you know this security system as WPA2 (Wi-Fi Protected Access, Version 2), the brand name for the IEEE 802.11i standard that was adopted by the Wi-Fi Alliance industry consortium.
WPA2 security was the featured technology story on October 14 when news of the KRACK vulnerability was first publicized. Short for key reinstallation attack, KRACK was discovered and named by Mathy Vanhoef, a postdoctoral researcher in computer security at KU Leuven, Belgium’s largest university.
If you are reading this article wondering whether you should stop using Wi-Fi networks, my advice would be to relax – but don’t relax too much. The vulnerability involves a rather complex attack known as a man-in-the-middle exploit, which is not easy to execute, at least as of this date.
Most notably, the attacker needs to be physically present in your Wi-Fi cell to mount such an attack. In other words, you don’t need to worry about hackers halfway around the world, at least for this particular security vulnerability. And that’s part of the point: there are thousands of documented computer security vulnerabilities, and this is just one more to add to the list. It’s not my intent to minimize the severity, but it is not cause for panic.
The good news is that Vanhoef acted professionally when he discovered this vulnerability, which is actually a suite of 10 unique vulnerabilities, one impacting Wi-Fi access points and the other 9 impacting Wi-Fi client devices. That means vendors in the Wi-Fi industry ecosystem have known about the vulnerability since July and many had already released patches by the time it was publicly disclosed.
However, some systems have not yet been patched, and some legacy Wi-Fi products may never receive patches, especially those produced by companies that are no longer in business.
Am I Impacted by the KRACK Attack?
Since 9 of the 10 vulnerabilities impact Wi-Fi client devices, patching client operating systems and associated network software is the highest priority.
If you use Windows with automatic updates, you have already received the patch, which was quietly delivered by Microsoft earlier this month.
Apple has a patch in beta-testing and will push a new update for Mac OS X and iPhone iOS in the next few weeks.
Android users are in a more awkward position. While Google intends to push out a security update on November 6, when it will reach your phone depends on your specific phone and wireless carrier.
Home Wireless Routers
Home wireless routers are only vulnerable under limited circumstances. On the vast majority of home networks, no immediate action will be necessary to fix your router, though it is still a good idea to install the latest security patches once they become available.
The limited circumstances where you should have some concern involve home networks on which a router is acting as a client bridge (a special mode of operation commonly used to connect devices that only have an Ethernet interface) or on which multiple access points (APs) or wireless repeaters are used to extend the coverage of the network. Since these devices act as clients when they connect to your router, they are vulnerable.
Enterprise Wireless Networks
For enterprises like Syracuse University that have tens of thousands of APs, the situation is more complex. I exchanged some e-mail with Jameson Blandford ’06 G’08, Senior Technical Marketing Manager in Cisco’s wireless networking group. Blandford acknowledged that this is the biggest Wi-Fi security issue he has seen in many years, and as I expected, he had a good understanding of the vulnerabilities and fixes.
While Cisco had not released a patch at the time we exchanged e-mail, Cisco has provided remediation guidance to its customers. This involves disabling 802.11r fast roaming, a standard designed to speed up transitions as client devices roam between APs. Disabling it will negatively impact roaming performance for real-time applications like wireless VoIP. iSchool adjunct professor Bruce Boardman, who also works as a network engineer at SU, told me that SU does not have 11r enabled on its infrastructure, so no worries there.
Since this bug can be fixed via software patches, your focus of attention should be on your client operating system. However, there are also some other steps you can take while you are waiting for a client patch to be available.
The first and simplest “fix” is to restrict yourself to using web applications that are protected by HTTPS (HTTP over Transport Layer Security), which provides transparent application encryption services. As long as you are using sites that support HTTPS, your data remains encrypted, even against a hacker who exploits the KRACK vulnerabilities.
Alternatively, you can run a VPN (virtual private network), which encrypts the IP packets that are used for all Internet communication. SU provides a free VPN service to its users and there are also a number of low-cost VPN services available on the Internet.
Since many public Wi-Fi hotspots don’t provide encryption services at all, experts have long advised people to use HTTPS or a VPN while connected at these locations. Now you have even more motivation to do so.
The Devil in the Details
KRACK illustrates some very interesting challenges faced by the network industry related to development and implementation of complex standards. These standards are complex for very good reasons: they need to be complex to mitigate security vulnerabilities while also ensuring adequate performance. However, implementing complex security standards is a challenging undertaking, especially if the standard is vague about implementation details, as was the case with WPA2.
The industry will respond to this problem. Vendors will deliver patches and the Wi-Fi Alliance will test for these vulnerabilities in their product certification testing. However, we would be naïve to believe that future vulnerabilities won’t appear.
With complexity comes risk. Think about that reality the next time you envision a world of driverless cars and IoT sensors making our lives better.
KRACK Attack: Lessons for IT Professionals
For enterprise IT professionals, there are other lessons.
First, this incident lends support to a core principle of information security implementation referred to as defense-in-depth. Hackers are least effective when they have to peel away multiple layers of your security onion before they can get to the core.
Second, this incident is a lesson in security incident response, which includes fixing vulnerabilities and informing users. For infrastructure vulnerabilities, network managers need to have confidence in their vendors to quickly release patches or guidance on mitigating damage. But even when vendors respond quickly, there is a certain amount of risk associated with every new patch. Many network managers wait a while to apply patches or they test these patches on a controlled network. However, with security vulnerabilities, this strategy doesn’t work.
At this point, there are no known packaged exploits that target the WPA2 vulnerabilities. Pieces are already out there in the wild, but it will take a talented hacker with significant cryptographic expertise to develop an easy-to-use hacking tool. That day will surely come, but in the meantime, we can continue to use our Wi-Fi networks without undue anxiety, at least until the next security vulnerability appears.