Yesterday, the media exploded with news of the new Krack attack against WPA2. What’s Krack? While it sounds like a new designer drug, it’s short for – Key Reinstallation Attacks.
What’s that mean in English? Due to a flaw in the WPA2 protocol, a determined attacker can target and break the 4-way handshake and compromise the unique session keys. They can force reuse of a key, and intercept (as well as potentially modify) unencrypted traffic. The full whitepaper is here.
The good news, such as it is:
- This is not a remote attack – the attacker needs to be in range of the affected Wifi connection
- At this point, there is no evidence of these attacks in the wild. Caveat, at this point.
There have been a couple of reports suggesting that WPA2 should be disabled in lieu of WPA or (ack) WEP. These are not better options, as a general rule. WEP in particular is vulnerable far beyond the WPA2 protocol issues.
What can we do, and what should our user base do?
- As soon as there’s a patch available, take advantage of it.
- Watch your vendors – who is patching quickly, and who is not? If your vendor is months behind the curve, why? It may be time to look at other options.
- Wired connections are immune. This should go without saying – this includes tethering directly to mobile devices, not tethering via WiFi.
- You’re already horribly suspicious of free public WiFi, right? Double that paranoia.
- If you must use a public WiFi, do not do so without using a VPN or other traffic encryption mechanism. Split tunnel VPN is not your friend here – configure a full tunnel VPN connection
- Bring your physical security staff into the conversation. They will be integral in observation of potential attackers in the sphere of your physical presence. (Have you checked how far your WiFi signal is traveling lately? Consider checking…)
CERT has a complete list of vendors and their known status here.
Questions, comments, things I haven’t thought about? Reach out, I’d love to hear from you. Twitter @TheTokenFemale at any time.