Sussex businesses that use wi-fi connections need to act now to guard against a flaw recently uncovered in commonly-used wireless application protocols.
A Belgian researcher from the University of KU Leuven identified the ‘vulnerability’ and called it Key Reinstallation Attacks ¬– aka KRACK. It’s bad news for WPA2 Personal and Enterprise-grade protocols and changing your password won’t solve the problem.
The UK’s National Cyber Security Centre (NCSC) is now investigating KRACK and confirms it could open the door to your encrypted network traffic so that cyber criminals can walk right in. In some cases, criminals may be able to send traffic back to your network.
The only good news is that the attacker would have to be physically close to their target. However, in multi-use office premises and public spaces KRACK still poses a serious threat.
Encryption key codes have to be constantly updated to keep network connections secure. But, as researcher Mathy Vanhoef demonstrated, a KRACK attack compromises the standard four-way encoded ‘handshake’ that all wi-fi network connections make. It tricks the wi-fi into resetting its key code back to one already in use.
Gary Jowett, from Computer & Network Consultants in Brighton, says: “Customers who use our managed wireless solution are already patched and protected against this vulnerability. Typically, a patch is necessary for users of SonicWall, Unifi or Cisco Meraki wi-fi equipment. Microsoft has released an update for Windows which we’ve also deployed. Apple and Android devices are likely to be updated during the normal hardware upgrade cycles and we recommend businesses who use Apple or Android make sure their devices are set to automatically update to take advantage of these fixes as soon as they’re available.”
There are also some wireless devices such as Draytek and Netgear that may need to be checked and fixed manually. It may entail connecting to each device in turn to install a patch.
Wi-fi standards review
The Wi-Fi Alliance, which maintains wi-fi standards and specifications, says it’s working with member companies on integrating test security patches that fix the problem. It’s likely there will be an update to the wi-fi WAP2 protocol standard that all devices will have to comply with.
In the meantime, the NSCS is advising everyone to prioritise deployment of patches that use wireless networks. Laptops, tablets, smartphones and also smart devices used for monitoring, tracking and other tasks – often referred to as Internet of Things (IoT) technology.
NSCS claims sensitive data will be safe if two common encryption technologies are used: Always use HTTPS connections to individual web services and communicate via a virtual private network (VPN).
Is HTTPS totally safe?
Vanhoef disagrees: “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps in banking apps and even in VPN apps.”
Gary adds: “The Wi-Fi Alliance says there’s no evidence the vulnerability has been exploited maliciously. But it’s still wise to protect all your wi-fi users as soon as possible. There are many places where we work or socialise that could be a hidden minefield and you or your employees could be cyber-mugged without feeling a thing. The threat to your confidential and valuable data from KRACK is more real than some of the experts say it is.”