Event: Ticket Reference: T20171020.0005
Event Date: 2017-10-16
Severity Level: S3-Medium
Systems Impacted: Most Wi-Fi systems are impacted. Wi-Fi clients (laptops, phones, IoT devices) are the primary target; access points are affected when they support 802.11r fast roaming or operate in client/repeater mode.
The KRACK vulnerability allows an attacker within radio range to intercept sensitive data transmitted between a Wi-Fi access point and a computer or mobile device, even though that data is encrypted at the Wi-Fi layer. The flaw is in WPA2 itself, the security protocol used by most modern Wi-Fi devices, so it is a protocol-level weakness rather than a bug in a single vendor's product. Because the attacker can decrypt, and in some configurations forge, Wi-Fi frames, they can also tamper with unencrypted (plain HTTP) web traffic, for example to inject malware such as ransomware into pages the victim loads. Any device that supports Wi-Fi is likely affected by KRACK.
KRACK is an acronym for Key Reinstallation Attack. The attacker tricks a client device into reinstalling an encryption key that is already in use, which resets the per-packet counter (nonce) and the replay counter associated with that key. Reusing a nonce under the same key means the same keystream is used twice, and that lets the attacker decrypt traffic exchanged between the access point and the client, exposing personal details such as credit card numbers, messages and passwords.
When a device joins a protected Wi-Fi network, a process known as the four-way handshake takes place. The handshake confirms that the client and the access point both hold the shared network credential (the master key derived from the Wi-Fi password) and derives a fresh session key that protects all subsequent traffic. The client installs that session key after receiving message 3 of the handshake, but the access point retransmits message 3 if it does not receive the client's acknowledgement (message 4), because either message may have been lost or dropped. By blocking message 4 and replaying message 3, an attacker forces the client to install the same session key a second time; each installation resets the nonce to its initial value, so the client encrypts new packets with keystream it has already used, and the attacker can recover plaintext from a pair of ciphertexts. On Android and Linux the impact is worse, because affected versions of wpa_supplicant install an all-zero key on reinstallation, which makes decryption trivial.
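To make the mechanism concrete, the following Python model is an added example, not code from the original bulletin or from any vendor: it replaces CCMP with a toy hash-based counter-mode keystream (which shares the property that matters, that keystream depends only on key and nonce), uses a hypothetical Client class standing in for the supplicant, and encrypts two constructed plaintexts. It shows why reinstalling the same key leaks data and what the patched behaviour (refusing to reinstall a key already in use) looks like.

```python
import hashlib
import os


# Toy counter-mode keystream standing in for CCMP (constructed for this
# example, not real 802.11 crypto). The property it shares with CCMP is the
# one the attack exploits: keystream is a function of (key, nonce) only, so
# encrypting two packets under the same key and nonce reuses the keystream.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which is all the attack below needs.
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal (hypothetical) model of a supplicant's key-installation logic."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None      # session key derived during the four-way handshake
        self.pn = 0          # packet number, used as the per-packet nonce

    def handle_msg3(self, ptk: bytes) -> None:
        # Message 3 triggers installation of the session key. Installing a key
        # resets the packet number to zero; that reset is the root of KRACK.
        if self.patched and self.ptk == ptk:
            return           # patched behaviour: key already in use, do not reinstall
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes):
        nonce = self.pn
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


KNOWN = b"GET /index.html HTTP/1.1\r\n"   # constructed: plaintext the attacker can guess
SECRET = b"Cookie: session=s3cr3t"        # constructed: plaintext the attacker wants


def run_attack(patched: bool):
    """Replay message 3 and try to recover SECRET from two ciphertexts.

    Returns the recovered bytes, or None if the client never reused a nonce.
    """
    ptk = os.urandom(16)            # the attacker never learns the session key
    client = Client(patched)
    client.handle_msg3(ptk)         # genuine message 3: client installs PTK, pn = 0
    n1, c1 = client.send(KNOWN)     # first data frame, nonce 0
    # The attacker blocks message 4 so the AP retransmits message 3 (or simply
    # replays a captured copy); the client processes message 3 again.
    client.handle_msg3(ptk)
    n2, c2 = client.send(SECRET)    # vulnerable client: nonce 0 a second time
    if n1 != n2:
        return None                 # no nonce reuse, nothing to recover
    # Same key and nonce means same keystream, so c1 XOR c2 == KNOWN XOR SECRET
    # and one known plaintext reveals the other.
    return xor(xor(c1, c2), KNOWN)


if __name__ == "__main__":
    print("vulnerable client leaks:", run_attack(patched=False))
    print("patched client leaks:   ", run_attack(patched=True))
```

The attacker in this model never sees the key and does not break the cipher; the only thing that changes between the vulnerable and patched runs is whether a second message 3 is allowed to reset the packet number. That is exactly why the vendor patches are small and why the fix belongs on the client side.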
The attack can only be performed by an attacker within radio range of the victim, and it does not by itself break traffic that is encrypted at another layer (HTTPS, VPN), although an attacker who can tamper with plain HTTP may be able to downgrade sites that do not strictly enforce HTTPS. Where a device cannot be patched (see below), require HTTPS and VPN for sensitive traffic as a compensating control.
Microsoft has already released security patches for Windows 7, Windows 10 and Windows Server editions, most of which were released on Oct 5th. Ensure your internal patching processes deploy these updates.
Patches for Apple (iOS and macOS) and Android are still pending. Even once patches are available, Android devices will remain the top risk, because the Android ecosystem is fragmented across many vendors and carriers and patch availability varies widely from one device to the next. Particular cases of risk:
- Employee personal Android phones being used for business purposes
- Employee personal Android phones being used on the internal corporate network
The recommendations for these two cases are:
- Enforce/review conduct policies for business on personal devices. Restrict business application usage on non-corporate devices.
- Enforce/review conduct policies for business on personal devices. Restrict personal device access onto the internal corporate network.
All access points and wireless LAN controllers (if applicable) should be patched according to the vendor's recommendations. For Cisco products specifically, Cisco has released a bulletin outlining which devices/versions are impacted, together with some quick configuration checks to confirm whether a device is vulnerable:
If you have any other questions or emergencies, or would like assistance in doing a deeper assessment and remediation with 5thColumn, please contact our Service Desk at email@example.com