A vulnerability has been disclosed in the most popular and recommended security protocol for WiFi networks: WPA2. The weaknesses, discovered and documented by Mathy Vanhoef, may change the way your organization uses wireless until vendor patches are available. The purpose of this post is to discuss the potential impact on your organization and how you can layer security around protocol weaknesses such as this one.
The weakness in WPA2, “KRACK” (Key Reinstallation AttaCK), lets an attacker within radio range manipulate the four-way handshake so that a device reinstalls an encryption key it is already using. Reinstalling the key resets the packet counter that the cipher uses as its nonce, so the same keystream is reused for different frames, and in some client implementations the key is even replaced with all zeros. Either way, the attacker can recover the content of otherwise-encrypted wireless traffic and, depending on the cipher suite in use, replay frames or insert their own malicious data into the traffic. Attackers must physically be within range of the wireless users, or already control a device that is.
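Why reinstalling an already-used key is so damaging is easiest to see with the handshake replay acted out. The following is an added example, not code from the original post or from Vanhoef's research: a toy supplicant that installs a key on message 3 of the four-way handshake, an attacker that replays message 3, and the resulting keystream reuse. The keystream generator is an HMAC-based counter mode standing in for the AES counter mode inside CCMP (an assumption for the demo; the real cipher behaves the same way with respect to nonce reuse), and the key and frames are constructed values, not captured traffic. The "patched" client implements the countermeasure the KRACK paper recommends for clients: do not reset the packet number when installing a key that is already installed.

```python
import hashlib
import hmac

# Constructed demo inputs (no real keys or captured frames): a session key
# standing in for the WPA2 pairwise transient key (PTK), one client frame the
# attacker can guess (a predictable HTTP request) and one they want to read.
PTK = hashlib.sha256(b"demo pairwise transient key").digest()
FRAME_KNOWN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
FRAME_SECRET = b"Cookie: session=1f2e3d4c5b6a7988; auth=topsecret\r\n"


def keystream(key, pn, length):
    """Counter-mode keystream, block i = HMAC-SHA256(key, pn || i).

    Stand-in for the AES counter mode inside CCMP, not the real cipher. The
    property the attack relies on is identical: the packet number (PN) is the
    nonce, so (key, pn) completely determines the keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, pn.to_bytes(6, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Only the supplicant state KRACK cares about: installed key and transmit PN."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def on_msg3(self, ptk):
        """Process message 3 of the four-way handshake (first time or a replay).

        Unpatched: every message 3 installs the key and resets the PN to 0.
        Patched: a key that is already installed is not reinstalled, so the PN
        keeps counting (the client-side countermeasure from the KRACK paper).
        """
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext):
        """Encrypt one frame; returns (pn, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def run_attack(patched):
    """Replay message 3 and try to recover FRAME_SECRET from two ciphertexts.

    Returns (pn of frame 1, pn of frame 2, the attacker's recovered bytes).
    """
    client = Client(patched)
    client.on_msg3(PTK)                   # genuine message 3 from the AP
    pn1, ct1 = client.send(FRAME_KNOWN)   # attacker captures this frame
    client.on_msg3(PTK)                   # attacker replays message 3
    pn2, ct2 = client.send(FRAME_SECRET)  # and captures the next frame
    # ct1 XOR ct2 cancels the keystream only if both frames used the same PN;
    # XORing in the guessed plaintext of frame 1 then yields frame 2.
    n = min(len(ct1), len(ct2))
    recovered = xor(xor(ct1[:n], ct2[:n]), FRAME_KNOWN[:n])
    return pn1, pn2, recovered


if __name__ == "__main__":
    for patched in (False, True):
        pn1, pn2, recovered = run_attack(patched)
        print("patched" if patched else "vulnerable", "client: PNs", pn1, pn2,
              "recovered:", recovered[:40])
```

Against the vulnerable client both frames go out with packet number 1, so the attacker's XOR trick hands back the secret frame byte for byte as far as the guessed plaintext reaches. Against the patched client the second frame uses packet number 2, the keystreams differ, and the same computation yields noise. Note that no key is recovered in either case; the break is in nonce handling, which is why the fix can ship as a client software update without changing the protocol.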
This attack targets clients, not (in most cases) infrastructure, because the client side of the handshake is where the key gets reinstalled. Access points need attention only where they themselves act as clients (repeaters, mesh or bridge links) or support 802.11r fast roaming, whose handshake is also affected. Your end users and road warriors are at the highest risk and will require patching. If you are already implementing best practices for using wireless networks and working remotely, however, your exposure is limited.
You can take measures to secure the traffic of employees working from home or on the road using company-managed equipment. Best practices for secure wireless communications have always involved layers. The ability of an attacker to decrypt WPA2 traffic does not give them visibility into traffic that is independently encrypted at a higher layer (TLS, SSH, a VPN tunnel), so if you are already requiring the use of an encrypted VPN by remote users to access company resources, you’re in good shape for now. When patches are available for the operating systems and devices that you manage, test them to ensure they do not break your ability to connect to your wireless infrastructure, then deploy them quickly.
Your policies for access to your organization’s networks using personal equipment should require that the equipment be kept up to date with vendor patches. An employee’s personal laptop or phone should only be allowed to interact with your network in very limited ways, if you allow that access at all. WiFi access for personal equipment should be limited to Internet access only, with no permission to connect to internal company resources.
Unlike the weaknesses in the WEP encryption standard for WiFi, which forced users to migrate to a different protocol, this vulnerability in WPA2 can be patched in software, in a backward-compatible manner, on the devices that are impacted: a patched client still works with an unpatched access point and vice versa. This is a lucky break, as there is no “WPA3” or more-secure alternative waiting to be adopted. Unfortunately, many devices that operate as clients, including some infrastructure (repeaters) and phones that depend on carrier and manufacturer support, may never receive patches. If such devices are mission-critical, ensure that another layer of encryption covers their traffic to mitigate the impact of the attack, and seek out supported replacements.
Until patches are available and deployed for this vulnerability, it is our advice that all traffic on affected devices be further encrypted through a VPN connection. Some organizations, including many of our clients (on our recommendation), already require this, as it reduces the local attack surface for road warriors. Some organizations configure VPNs for “split tunnel” access, routing only internal company traffic over the VPN. While this can save the organization’s bandwidth and provide some separation for personal traffic, it leaves the remaining traffic protected by WPA2 alone, which gives an attacker the opportunity to use KRACK to read or tamper with the user’s browsing session, for example to inject malware into an unencrypted HTTP page.
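The difference between a split-tunnel and a full-tunnel profile is one line, and it is easy to audit. The following is an added example, not from the original post: three constructed WireGuard client profiles (placeholder keys, a hypothetical endpoint `vpn.example.test`), the weak split-tunnel setting beside the corrected one, and a small checker that parses `AllowedIPs`, the WireGuard setting that also drives routing, and flags any profile that does not send both the IPv4 and the IPv6 default route through the VPN. The IPv6 check is there because a profile that tunnels `0.0.0.0/0` but forgets `::/0` still leaks IPv6 traffic over the local WiFi.

```python
import ipaddress

# Constructed WireGuard profiles (placeholder keys, hypothetical endpoint);
# not taken from any real deployment.
SPLIT_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.test:51820
# Weak: only corporate ranges ride the tunnel; web browsing goes out over the
# local WiFi protected by WPA2 alone, where KRACK can read or tamper with it.
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

FULL_TUNNEL_V4_ONLY = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.test:51820
# Common mistake: IPv4 is tunneled, but IPv6 traffic still leaves directly.
AllowedIPs = 0.0.0.0/0
"""

FULL_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24, fd00:8::2/64

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.test:51820
# Corrected: every destination, v4 and v6, is routed through the VPN.
AllowedIPs = 0.0.0.0/0, ::/0
"""


def allowed_ips(config):
    """Collect every network listed under AllowedIPs (the key may repeat)."""
    nets = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "allowedips":
            continue
        for item in value.split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def tunnel_gaps(config):
    """Return the address families whose default route is NOT sent via the VPN."""
    nets = allowed_ips(config)
    gaps = []
    if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
        gaps.append("IPv4 default route not tunneled (split tunnel)")
    if not any(n.version == 6 and n.prefixlen == 0 for n in nets):
        gaps.append("IPv6 default route not tunneled")
    return gaps


if __name__ == "__main__":
    for name, cfg in [("split", SPLIT_TUNNEL), ("v4-only", FULL_TUNNEL_V4_ONLY),
                      ("full", FULL_TUNNEL)]:
        print(name, tunnel_gaps(cfg) or ["ok: all traffic tunneled"])
```

Run over a directory of exported client profiles, this is a quick way to find the split-tunnel exceptions that have crept in. A full-tunnel profile still leaves the window between WiFi association and tunnel establishment exposed, so on managed devices pair it with an always-on VPN or kill-switch setting that blocks traffic until the tunnel is up.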
Offense-oriented testing of your network should include your wireless infrastructure and the client systems that are allowed to connect to it, and should verify that network segmentation keeps a wireless compromise from reaching the rest of the organization’s network. Layering security, reducing attack surface, effective policies, and timely patching are key measures that reduce the operational impact of “big news” vulnerabilities such as this one.