KRACK WiFi Vulnerability

As reported on TechCrunch:

Security researcher Mathy Vanhoef publicly disclosed a serious vulnerability in the WPA2 encryption protocol today. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected.

But first, let’s clarify what an attacker can and cannot do using the KRACKvulnerability. The attacker can intercept some of the traffic between your device and your router. If traffic is encrypted properly using HTTPS, an attacker can’t look at this traffic. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can just look at your unencrypted traffic if they know what they’re doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same WiFi network in a coffee shop or airport.

The attacker needs to be in range of your WiFi network. They can’t attack you from miles and miles away. The attacker could also take control of a zombie computer near you, but this is already a much more sophisticated attack. That’s why companies should release patches as soon as possible because chances are most attackers just learned about this vulnerability today.

There’s at least a theoretical possibility that this vulnerability could be exploited by hackers to make it more scalable as an attack vector in future — thinking of, for example, how worms have been developed and released that spread from one insecure IoT device to another to build a zombie botnet. But currently this is not the case.

So here’s what to do now that the WPA2 protocol is vulnerable…

Update all the wireless things you own

Good news! Your devices can be updated to prevent the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same network as the fix is backward compatible.

So you should update all your routers and Wi-Fi devices (laptops, phones, tablets…) with the latest security patches. You can also consider turning on auto-updates for future vulnerabilities as this won’t be the last one. Modern operating systems have become quite good at auto-updates. Some devices (ahem Android) don’t receive a lot of updates and could continue to pose risks.

The key point is that both clients and routers need to be fixed against KRACK so there are lots of potential attack vectors to consider.

Look to your router

Your router’s firmware absolutely needs updating. If the router has been supplied by your ISP, ask the company when their branded kit will be patched. If they don’t have an answer, keep asking. You can make sure your router is up-to-date by browsing the administration panel. Find the user guide for your ISP-branded router and follow the instructions to connect to the admin pages.

If your ISP is not quickly putting out a firmware update to fix KRACK, it may be time to consider switching your ISP. A less drastic option would be to buy a WiFi access point from a responsible company that has already issued a patch. Plugging a WiFi access point into your ISP router and disabling WiFi on your ISP junk is a good alternative.

Here’s a list of some of the router makers that have already put out fixes (Ubiquiti, Microtik, Meraki, Aruba, FortiNet…).

Use Ethernet

If your router doesn’t yet have a fix, and you don’t have a patched WiFi access point that could be used for wireless instead, you could Ethernet into your router and turn off its wireless function until it’s patched (assuming WiFi can be disabled on your router). Turn off WiFi on your device as well so that you’re sure all traffic goes through that sweet Ethernet cable.

If you still want to keep WiFi for some devices, consider switching to Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use a ton of internet traffic from this computer, buy an Ethernet cable.

Consider using cellular data on your phone

Your phones and tablets don’t have an Ethernet port. If you want to make sure nobody is watching your traffic, disable WiFi on your device and use cellular data instead. This isn’t ideal if you live somewhere with a spotty network, pay extra for mobile data, or if you don’t trust your telecom provider.

Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack because of a bad implementation of the handshake mechanism in the WiFi stack. So Android users do need to be more careful.

What about Internet-of-Things devices?

If you own a lot of IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same WiFi network — well, that could allow attackers to snoop on raw video footage inside your home. Erk!

Take action accordingly — e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.

At the same time, if an attacker can intercept traffic between your smart lightbulbs and your router, it’s probably fine. What are they going to do with this information anyway? It’s fair to say that Edward Snowden wouldn’t want even info about how his lightbulbs are being turned on and off getting into the hands of a hacker, and with good reason. But most people aren’t at risk of such an extreme level of state-sponsored surveillance. So you should determine your own level of risk and act accordingly.

That said, the Internet of Things does have a horrible reputation when it comes to security. So this could be a good moment to audit your connected device collection and consider junking any WiFi device whose makers don’t quickly issue a patch — they could pose some form of long term risk to your network.

Install the HTTPS Everywhere extension

As mentioned above, you can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you’re using Google Chrome, Firefox or Opera, you should considering installing the extension. There’s no need to configure it, so anybody can do it.

If a website offers unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted. But HTTPS Everywhere is better than nothing.

Don’t rely on a VPN as a solution

On paper, using a VPN server sounds smart. But we’ve been there already — be careful with VPN services out there. You can’t trust any of them.

When you use a VPN service, you reroute all your internet traffic to a VPN server in a data center somewhere. An attacker can’t see what you’re doing on your WiFi network, but a VPN company can log all your internet traffic and use it against you.

For instance, The Register discovered last week in a legal document that PureVPN shared key information with authorities to track and arrest a man. And yet, the company’s website claims that PureVPN doesn’t keep any log. Again, don’t trust any VPN company. Unless you’re willing to build your own VPN server, a VPN service is not the solution.

Especially paranoid? Move to the woods…

For the most paranoid out there, who don’t want to/can’t stop using WiFi entirely, it may be time to relocate to a remote cabin in the woods far from any neighbors/wardrivers.

Tech CEOs’ version of this privacy preserving strategy is to buy up neighbouring properties and knock them down to minimize the risk of any of their personal data being snooped on. Obviously this strategy is very expensive.

So this is sort of a big deal…here is the current status of patches:

Firmware patch status

DESKTOP

Windows

Microsoft has told some media outlets that it has “issued a patch” and published a security advisory for Windows 7, 8 and 10.

The company doesn’t disclose whether or not it affects older versions like XP or Vista but the updates for newer versions are available now.

For what it’s worth, Microsoft says the exploit is very hard to execute against Windows:

A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.

Multiple conditions would need to be met in order for an attacker to exploit the vulnerability – the attacker would need to be within the physical proximity of the targeted user, and the user’s computer would need to have wireless networking enabled. The attacker would then need to execute a man-in-the-middle (MitM) attack to intercept traffic between the target computer and wireless access point.

macOS

No known fix, however Apple has told some members of the media that all the exploit has been patched in iOS, WatchOS, tvOS and macOS beta builds currently available to developers.

More on this when the details emerge.

Linux

A patch is already available upstream and Debian-based builds can install it now. OpenBSD was patched all the way back in July.

Ubuntu has also released individual patches for 14.04 and up.

General hardware

Intel has released a huge swathe of firmware updates for popular WiFi chipsets on the market, many of which are commonly used in laptops. Here’s the advisory and downloads are available immediately.

MOBILE

Android

Android devices running 6.0 and above are affected worst, but almost every Android device on the planet is vulnerable to at least a part of the exploit.

The good news: Google has officially issued a fix and says devices with a security patch level of November 6 2017 or later are protected against these vulnerabilities. That means the update won’t start hitting phones for about two weeks, but then you’ll be set.

The bad news: millions of phones out there don’t receive these updates and vendors have not issued fixes for many of them in a long time. It’s likely millions of unpatched handsets will float around for years to come with their users unaware of what’s going on under the hood.

As of writing Samsung, HTC, Sony, Huawei and many other phone makers have not made their own public statement about their update strategies – it’s going to be an absolute disaster trying to get fixes out to devices which rarely see updates as it stands.

iOS

No known fix, however Apple has told some members of the media that all the exploit has been patched in iOS, WatchOS, tvOS and macOS beta builds currently available to developers (but not the public).

The good news: basically every iOS device on the planet is guaranteed to get this update in the near future, unlike Android. More on this when the details emerge.

WIFI HARDWARE

Google WiFi/OnHub: Updates for OnHub / Google Wifi will install automatically once available, but Google wasn’t clear when this would be.

Apple: Given the Airport Extreme/Express are reportedly no longer under active development, it’s unclear if either device will receive an update in the short term. Apple didn’t include Airport in its statement about iOS and macOS and hasn’t answered any questions about these devices yet.

The last update was released in April 2017 but Apple has been proactive in the past about issuing security updates for these devices.

Netgear: The company is working on fixes, but a final release is not ready yet (a beta build may be available, however).

UbiquitiA fix for UniFi access points and routers hit stable this morning.

Microtik: RouterOS v6.39.3, v6.40.4, v6.41rc onwards address the issue.

Meraki: Fixed with Meraki 24.11 and 25.7.

Aruba: A fix for ArubaOS is already available and Aruba have issued a security bulletin.

FortiNet: FortiAP 5.6.1 addresses the issue.

Cisco: plethora of Cisco’s enterprise WiFi hardware is affected and MR25.7 fixes the issue.

AVM: Aware of the issue but will only issue an update “if necessary.”

DD-WRT: A fix is available and has been merged with the core code base.

The WiFi standard: a fix was issued for vendors to use, but doesn’t apply to end-user devices

IOT devices

Lol, good luck with that. This one might take a long time and the list is going to be far, far too long.

Advertisements

One thought on “KRACK WiFi Vulnerability

  1. Pingback: KRACK WiFi Vulnerability — Scott E’s Blog – Doug Laine – Informal and random thoughts

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s