Seeing through the KRACK(s)
Recently a Belgian security researcher at KU Leuven University revealed a serious flaw in the WPA2 security protocol, used to secure virtually all modern Wi-Fi networks, potentially putting millions of devices at risk.
The WPA2 fault is all-encompassing and not restricted to any individual product or particular installation. During connection, attackers initiate a ‘key re-installation attack’ (KRACK), allowing them to capture part of the encryption keys used in the protocol’s ‘secure’ handshake. The original keys are then modified by tricking the device into installing a blank encryption key, rendering the traffic passing through the connection vulnerable.
So how did this go undetected for 14 years after the protocol was written?
Well, the source code of the IEEE standard upon which WPA2 is based was hidden behind a paywall, meaning only those who paid had access to it, in contrast with open source software, which is being adopted by an ever-growing number of businesses. Open source doesn’t only mean “freely available”, it also means “open to inspection”, ensuring that security weaknesses (and potentially any other errors) are quickly detected and rectified.
This recently discovered vulnerability affecting Wi-Fi networks has serious implications for the security sector. When you combine the recent increase in wireless security technology with the growing number of integrated systems featuring IoT devices and the now common ‘BYOD’ (Bring Your Own Device) culture in our workplaces, this creates a huge attack surface which must be protected.
Wherever possible, a separate dedicated network should be used for physical security devices, such as CCTV and access control. To be really secure, it may be worth using Ethernet connections instead of Wi-Fi when practical. Additionally, organisations where security systems are being installed must be encouraged to adopt vigilant network security policies themselves. And of course, as always, ensure all software updates and patches are installed as soon as they become available.
As of writing this article, Apple and Google have announced they are releasing patches (although, with all the various Android devices and manufacturers, it will take some time before all devices are patched).
What lessons can we take from this?
In our increasingly interconnected world, perhaps we need to revisit the possibility of opening up standards and code of this nature to greater outside inspection. By being less proprietary and more collaborative in our approach towards security, we can all work towards the common goal of keeping our networks and our systems safe.
While none of these attacks have been recorded “in the wild” (as of the date of publishing), this represents a threat to the integrity of Wi-Fi, which we all use in some form. From enterprise installations utilising the technology to the exponentially increasing number of IoT devices, smart buildings and cities, and industrial automation, a huge amount of technology is connected wirelessly at any one time, making the threat to ourselves and our organisations real and present.
For more technical information, Vanhoef and co-researcher Frank Piessens have authored a paper on this attack which was recently presented at the 2017 Computer and Communications Security Conference (CCS) in Dallas, Texas, and a detailed article on the well-known ArsTechnica site has a video demonstration of the exploit on Android and Linux systems.