Event: Ticket Reference: T20171020.0005

Event Date: 2017-10-16

Severity Level: S3-Medium

Systems Impacted: Most Wi-Fi systems (client and server side) are impacted

Overview

The KRACK vulnerability allows attackers to intercept sensitive data being transmitted between a Wi-Fi access point and a computer or mobile device, even if that data is encrypted. The flaw affects WPA2, a security protocol widely used in most modern Wi-Fi devices. In some cases, a hacker could exploit KRACK to inject malware such as ransomware into websites. Any device that supports Wi-Fi is likely affected by KRACK.

Technical Details

KRACK is an acronym for Key Reinstallation Attack. It involves an attacker reusing a one-time key that’s provided when a client device attempts to join a Wi-Fi network. Doing so could enable the hacker to decrypt information being exchanged between the access point and the client device, which could leave personal details like credit card numbers, messages and passwords exposed.

 

When a device joins a protected Wi-Fi network, a process known as a four-way handshake takes place. This handshake ensures that the client and access point both have the correct login credentials for the network, and generates a new encryption key for protecting web traffic. That encryption key is installed during step three of the four-way handshake, but the access point will sometimes resend the same key if it believes that message may have been lost or dropped. Attackers can essentially force the access point to install the same encryption key, which the intruder can then use to attack the encryption protocol and decrypt data.
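
The effect of installing a key that is already in use can be seen in a small model, added here as an illustration and not part of the original advisory. It compares an unpatched and a patched handler for a retransmitted handshake message 3 and checks the sent frames for repeated packet numbers. The `Station` class, the SHA-256 keystream (a stand-in for the real WPA2 cipher) and all sample values are assumptions.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the WPA2 cipher: one keystream per (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical model of the device that installs the key on message 3."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying the key that
        # is already in use must not reset the packet number (the nonce).
        if self.patched and key == self.key:
            return
        self.key = key
        self.packet_number = 0

    def send(self, plaintext: bytes):
        self.packet_number += 1
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)

def run_session(patched: bool):
    """Send two frames with a retransmitted message 3 arriving in between."""
    key = b"constructed-session-key"  # constructed sample value
    sta = Station(patched)
    sta.on_message3(key)
    first = sta.send(b"first frame data")
    sta.on_message3(key)  # the retransmission
    second = sta.send(b"second frame dat")
    return [first, second]

def reused_nonces(frames):
    """Detection check: packet numbers seen more than once under one key."""
    seen, dup = set(), set()
    for pn, _ in frames:
        (dup if pn in seen else seen).add(pn)
    return sorted(dup)
```

In the unpatched run both frames carry packet number 1, so they share a keystream and the XOR of the two ciphertexts equals the XOR of the two plaintexts; in the patched run the packet numbers stay unique.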

 

Recommendations

User Practices

The attack can generally only be performed locally, near the victim’s location, and attackers cannot intercept traffic that is encrypted on another layer (HTTPS, VPN). It is recommended to use HTTPS and VPN protocols if there is an identified risk that cannot be mitigated by the patching described below.

Client-Side Patching

Microsoft has already released security patches for Windows 7, Windows 10, and Windows Server editions, most of which were released Oct 5th. Please be sure your internal patching processes utilize these updates.

Patches for Mac (iOS and macOS) and Android are still pending. However, even with patches available, Android devices will remain the top risk, as the environments across the various vendors are highly segmented. Some particular cases of risk:

  • Employee personal Android phones being used for business purposes
  • Employee personal Android phones being used on the internal corporate network

The recommendations for these two cases are:

  • Enforce/review conduct policies for business on personal devices. Restrict business application usage on non-corporate devices.
  • Enforce/review conduct policies for business on personal devices. Restrict personal device access onto the internal corporate network.

 

Server-Side Patching

All access points and wireless LAN controllers (if applicable) should be patched according to the vendor's recommendations. For Cisco products specifically, Cisco has released a bulletin outlining which devices/versions are impacted, along with some quick configuration checks to confirm whether a device is vulnerable: CiscoSecurityAdvisory

 

Contact

If you have any other questions or emergencies, or would like assistance in doing a deeper assessment and remediation with 5thColumn, please contact our Service Desk at servicedesk@5thcolumn.net

 

References

 

CVEs

CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

 

Cisco Bug IDs
CSCvf47808
CSCvf71749
CSCvf71751
CSCvf71754
CSCvf71761
CSCvf96789
CSCvf96814
CSCvf96818
CSCvg10793
CSCvg35287

 

URLs

CCS 2017

CiscoSecurityAdvisory

wpa2-krack-wifi-hacking

krack-vulnerability-what-you-need-know