Deep KRACKs found in WiFi security

By now you’ve probably heard about a fundamental flaw in WiFi security that’s been sending waves of panic around the Internet, dubbed KRACKs by the man who discovered it, researcher Mathy Vanhoef.

Vanhoef recently publicised the existence of serious weaknesses in WPA2 (a protocol that secures all modern protected wireless networks) that potentially allows hackers to intercept the encrypted connection between a router and a WiFi device.

This means that wireless-enabled networks and devices (including desktop computers, laptops, tablets, printers, smartphones and other smart devices, even security cameras) can no longer be presumed secure.  As Vanhoef states, “If your device supports Wi-Fi, it is most likely affected.” Android 6.0 is said to be particularly at risk.

“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” Vanhoef goes on to explain. “Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

“If your device supports Wi-Fi, it is most likely affected.”

This obviously has serious ramifications for businesses and organisations, especially if they were to wrongly assume their local WiFi network is secure – some environments, for example, don’t require authentication to access documents on the network, which exposes them to potential attacks.

It’s worth noting that apart from Vanhoef’s findings there have been no known reports of “KRACK attacks” in the wild (so far), plus there are certain limitations. For example, an attacker needs to be physically in range of a WiFi network in order to infiltrate it.

Nonetheless the vulnerabilities are very real and the implications enormous – KRACKs work against both old and new WPA standards, as well as networks that use advanced encryption (AES), making the number of affected personal and enterprise networks and client devices worldwide untold.

Fortunately there are measures that businesses and organisations should take to protect themselves against KRACKs.

What to do

  1. Perform an audit: Make an inventory of connected devices (computers, phones, tablets, etc) and consider replacing any WiFi device that uses outdated technology or isn’t patchable — it could pose a risk to your network in the future.
  2. Update your devices: Install security updates on all affected devices as soon as they become available. This is an absolute must. Some companies like Microsoft have been quick to roll out updates, while others will be releasing theirs in the coming weeks – check with the individual vendor or stay informed via CERT.
  3. Update the firmware of your router:  If you’ve sourced your own router, contact the manufacturer for details.  If your router has been supplied by an ISP, check with the relevant provider. Some Australian ISPs have indicated that where possible (and if necessary) they will update routers remotely to fix the security vulnerability. However Vanhoef states that KRACKs targets clients, not the access points, so your router may not require a security update.

Still waiting for updates?

  1. Use a Virtual Private Network (VPN): VPN software can offer some protection, as it will encrypt all traffic. There are however some caveats that businesses should consider before implementing a VPN.
  2. Use only secure websites: Many websites (such as banking apps) use HTTPS as an additional layer of protection. You can see if a website is using HTTPS by checking the prefix at the left of the website address bar.
  3. Disable WiFi on your device: Where practicable, disable WiFi on devices and use cellular data instead.

If you’re concerned about the KRACK WiFi vulnerability and are unsure if your organisation’s WiFi network and devices are protected, talk to us today. Ascend Business Technology’s experience in security implementations can help you mitigate present and future risks.