Enough press has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we don’t need to re-cover that ground. The original discoverer’s site is a good place to review the issues and link to the detailed research paper. This may be the most attention paid to a core communications security failing since the Heartbleed attack. In that earlier attack, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. In this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices should be appropriately patched. Oh, and good luck getting that Chinese knockoff wireless security cam bought off eBay patched anytime soon.
Here we will just make a few points:
- Take inventory of your wireless devices and follow up to ensure proper patching. (Ziften can perform passive network inventory, including wireless networks. For Ziften-monitored endpoints, the available network interfaces as well as applied patches are reported.) For enterprise IT staff, it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices should be located and vetted.
- Windows and iOS endpoints are less susceptible, while unpatched Linux and Android endpoints are highly susceptible. Most Linux endpoints will be servers without wireless networking, so not as much exposure there. But Android is another story, especially given the balkanized state of Android updating across device manufacturers. Most likely your enterprise’s greatest exposure will be Android and IoT devices, so do your risk analysis.
- Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols or use a secure VPN, but be aware some default HTTPS sites allow compromised devices to force downgrade to HTTP. (Note that Ziften network monitoring reports IP addresses and ports used, so check out any wireless port 80 traffic on unpatched endpoints.)
- Continue whatever wireless network hygiene practices you have been employing to identify and silence rogue access points, unapproved wireless devices, etc. Grooming access point placement and transmission zones to minimize signal spillage outside your physical boundaries is also wise practice, since KRACK attackers must be present locally within the wireless network. Don’t give them advantaged placement opportunities within or near your environment.
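The inventory and port 80 checks from the points above can be combined into one triage pass. The following is an added example, not code from the original post and not a Ziften export format: the CSV columns, host names, addresses and scoring weights are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names are hypothetical, not a Ziften export format.
INVENTORY_CSV = """host,os,interface,krack_patched
lt-0141,Windows,wireless,yes
ph-0207,Android,wireless,no
srv-0033,Linux,wired,no
cam-0009,IoT,wireless,no
lt-0158,Linux,wireless,no
ph-0311,iOS,wireless,yes
"""
FLOWS_CSV = """host,dst_ip,dst_port
ph-0207,203.0.113.10,80
ph-0207,203.0.113.11,443
cam-0009,198.51.100.7,80
cam-0009,198.51.100.7,80
srv-0033,192.0.2.5,80
lt-0141,203.0.113.10,80
lt-0158,192.0.2.44,443
"""

# Assumed weights following the points above: Android, Linux and IoT rank high,
# Windows and iOS lower. Unknown OS values are treated as high.
OS_RISK = {"Android": 3, "Linux": 3, "IoT": 3, "Windows": 1, "iOS": 1}

def triage(inventory_csv, flows_csv):
    """Return unpatched wireless hosts, worst first, with their port-80 destinations."""
    cleartext = defaultdict(set)
    for flow in csv.DictReader(io.StringIO(flows_csv)):
        if flow["dst_port"].strip() == "80":
            cleartext[flow["host"]].add(flow["dst_ip"])
    findings = []
    for dev in csv.DictReader(io.StringIO(inventory_csv)):
        if dev["interface"] != "wireless" or dev["krack_patched"].lower() == "yes":
            continue  # wired or already patched: out of scope for this check
        http = sorted(cleartext.get(dev["host"], ()))
        # Cleartext HTTP over an unpatched wireless link raises priority.
        score = OS_RISK.get(dev["os"], 3) + (2 if http else 0)
        findings.append({"host": dev["host"], "os": dev["os"], "score": score, "http_dsts": http})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))

if __name__ == "__main__":
    for f in triage(INVENTORY_CSV, FLOWS_CSV):
        print(f"{f['host']:9} {f['os']:8} score={f['score']} http={','.join(f['http_dsts']) or '-'}")
```

Hosts at the top of the output are the ones to patch, isolate or move to a VPN first.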
For a broader discussion around the KRACK vulnerability, check out our recent video on the topic.
Hope this helps. Practice secure networking and stay safe out there.