On Monday Mathy Vanhoef and Frank Piessens, from the University of Leuven, published a paper disclosing a series of vulnerabilities that affect the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities describe a set of scenarios in which a malicious user can perform a man-in-the-middle replay attack against wireless users connected to a network using WPA or WPA2. By spoofing the address of an access point and replaying the authentication 4-way handshake, the malicious user can force the supplicant end device to reinstall an old key pair, which is why it is being referred to as “KRACK” (Key Reinstallation AttaCK).
What does this mean?
So what does this mean for our wireless networks? Well, on one hand this vulnerability was found by researchers and has yet to be put into use by hackers, and it requires the attacker to be physically within range of the wireless network to perform the attack, which limits the reach hackers have with this attack vector. The chance that your secure wireless network is compromised by these vulnerabilities is slim. On the other hand, this set of vulnerabilities poses a new attack vector that can be used against your network if a hacker were to find their way onto it, and like all vulnerabilities it should be taken seriously. The last thing a company wants is to know they are vulnerable and do nothing about it until it becomes a problem.
KRACK Attack is a vulnerability in the WPA and WPA2 protocols themselves, which means it affects any device that supports those protocols, across all vendors. As the researchers put it, “if your device supports Wi-Fi, it is most likely affected” (https://www.krackattacks.com). The vulnerability affects both the authenticator and the supplicant, meaning both the wireless infrastructure and the client machines are affected. According to the researchers, Android and Linux users are the most vulnerable because Android and Linux can be tricked into (re)installing an all-zero encryption key. See more about bypassing WPA2 against Android and Linux in this YouTube video published by Mathy Vanhoef.
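To make the key-reinstallation defect concrete, here is an added toy model of the supplicant's key-install step (illustration written for this post, not code from the paper, the post, or any vendor). A retransmitted message 3 of the 4-way handshake makes the unpatched supplicant reinstall the same pairwise key and reset its packet-number (nonce) counter, so a nonce is reused under the same key; the hardened variant refuses to reinstall a key that is already installed, which is the behaviour the vendor patches introduce. The key value `b"ptk-A"` and the nonce bookkeeping are simplifications assumed here.

```python
# Added illustration of the KRACK defect and its fix; constructed model, not real 802.11 code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    harden: bool                          # True = refuse to reinstall an already installed key
    ptk: Optional[bytes] = None           # currently installed pairwise key (assumed toy value)
    pn: int = 0                           # CCMP packet number, i.e. the per-key nonce counter
    used_nonces: List[Tuple] = field(default_factory=list)

    def on_msg3(self, ptk: bytes) -> None:
        """Handle message 3 of the 4-way handshake, which may be a retransmission."""
        if self.harden and self.ptk == ptk:
            return                        # patched behaviour: key already installed, keep counter
        self.ptk = ptk
        self.pn = 0                       # unpatched behaviour: (re)installing resets the nonce

    def send(self) -> Tuple:
        """Return the (key, nonce) pair the next data frame would be encrypted under."""
        self.pn += 1
        nonce = (self.ptk, self.pn)
        self.used_nonces.append(nonce)
        return nonce


def nonce_reuse(harden: bool) -> bool:
    """Deliver message 3 twice around some data frames; report whether a nonce repeated."""
    s = Supplicant(harden)
    s.on_msg3(b"ptk-A")                   # genuine message 3 from the access point
    s.send()
    s.send()
    s.on_msg3(b"ptk-A")                   # retransmitted message 3 (the replay described above)
    s.send()
    # Any repeated (key, nonce) pair means keystream reuse under CCMP, the core of KRACK.
    return len(s.used_nonces) != len(set(s.used_nonces))
```

Running `nonce_reuse(False)` reports reuse for the unpatched model, while `nonce_reuse(True)` does not.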
What should I do?
Now that we have an idea of the scale of the vulnerability, how do we mitigate this attack vector? As stated earlier, the vulnerability affects both the authenticator and the supplicant, which means both the wireless infrastructure and the client machines need to be patched. As Omar Santos from Cisco said,
“It is important to note both affected access points and the associated clients must be patched in order to fully remediate this issue. Installing the patches only in infrastructure wireless devices will not be sufficient in order to address all of the vulnerabilities. Similarly, fixing only the client will address nine (9) of the ten (10) vulnerabilities; however, it will not fix the vulnerability documented at CVE-2017-13082.” (https://blogs.cisco.com/security/wpa-vulns)
Both Cisco and Meraki are working on creating patches for their wireless devices (APs, WLCs, wireless routers, wireless firewalls). You can check the devices that are known to be vulnerable and the appropriate patch to use here!
On the client side, Microsoft has already released its patch for Windows clients on October 10th, while Apple said the exploit has been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon. Check with the vendor of any other client device to see if a patch is available.
If your endpoints are being updated regularly, this vulnerability should be fixed from the client’s perspective; however, as wireless network administrators we need to do our part and fix the issue from the wireless infrastructure’s perspective. Note that at the time of writing this blog only a few Cisco devices had patches available.
What can I do in the meantime?
An attacker can use KRACK Attack in two ways:
- Spoof the address of an AP: The attacker connects to the network and broadcasts the BSSID of another AP. This is easy to detect, as the attacker shows up as a rogue AP on the network. To solve this issue, configure the network to quarantine rogue APs. Create a rule in the Cisco WLC to flag “managed SSIDs” broadcast by rogue APs as malicious (see the lower section of https://blogs.cisco.com/security/wpa-vulns for details).
- Injecting frames into a valid connection, forcing the client to react: The attacker injects frames into an existing connection between a valid AP and the client, causing the keys to change and allowing the attacker to decrypt the traffic. This is harder to detect, as the AP would need to know it did not send the frames that were injected into the conversation. Currently there are no fixes for this type of attack; Cisco’s internal SMEs are working on a workaround for this issue.
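The first case above is the one a wireless administrator can detect today. As an added example (not code from the post or from Cisco), the script below classifies a constructed set of beacon observations against an inventory of managed APs: a managed BSSID heard on a channel other than its assigned one is flagged as a cloned AP, and a managed SSID broadcast by an unknown BSSID is flagged as a rogue AP carrying a managed SSID. The inventory, BSSIDs and channels are constructed sample values.

```python
# Added example: flag cloned and rogue APs from beacon observations. Constructed data only.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    bssid: str      # transmitter address as seen in the beacon frame
    ssid: str       # SSID element of the beacon
    channel: int    # channel from the DS Parameter Set element


# Inventory of managed APs: BSSID -> (SSID, assigned channel). Constructed sample inventory.
MANAGED: Dict[str, Tuple[str, int]] = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 36),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 44),
}


def classify(beacons: List[Beacon], managed: Dict[str, Tuple[str, int]] = MANAGED) -> List[Tuple[str, Beacon]]:
    """Return a (verdict, beacon) pair per observation.

    cloned-bssid       : one of our BSSIDs on the wrong channel or with the wrong SSID
    rogue-managed-ssid : one of our SSIDs announced by a BSSID we do not own
    ok                 : matches the inventory
    foreign            : unrelated network, not ours to act on
    """
    managed_ssids = {ssid for ssid, _ in managed.values()}
    findings = []
    for b in beacons:
        if b.bssid in managed:
            ssid, chan = managed[b.bssid]
            verdict = "ok" if (b.ssid == ssid and b.channel == chan) else "cloned-bssid"
        elif b.ssid in managed_ssids:
            verdict = "rogue-managed-ssid"
        else:
            verdict = "foreign"
        findings.append((verdict, b))
    return findings


# Constructed observations, as a wireless IDS or WLC rogue detector might report them.
SAMPLE: List[Beacon] = [
    Beacon("aa:bb:cc:00:00:01", "CorpWiFi", 36),      # genuine managed AP
    Beacon("aa:bb:cc:00:00:01", "CorpWiFi", 1),       # same BSSID, different channel
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 6),       # our SSID from an unknown AP
    Beacon("11:22:33:44:55:66", "CoffeeShop", 11),    # neighbouring network
]


def verdicts(beacons: List[Beacon] = SAMPLE) -> List[str]:
    """Convenience wrapper returning only the verdict strings, in observation order."""
    return [v for v, _ in classify(beacons)]
```

Anything classified as cloned-bssid or rogue-managed-ssid is a candidate for the WLC quarantine rule described above.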
Finally, Cisco suggests that disabling Fast Roaming (802.11r) could also help mitigate the vulnerability until a true patch fixes the issue in the protocol. Please note that this can have an impact on wireless performance in congested networks, so this suggestion is not for every network.
KRACK Attack is the latest widespread vulnerability we as network and security administrators must deal with to keep our networks safe. We are lucky this vulnerability was found before it was exploited by hackers. Our infrastructure and endpoint vendors are working to fix the issue, but it is still up to us to apply the necessary patches and configure any workarounds. If you have questions or need help, feel free to contact LookingPoint.
Written By: Trevor Butler, LookingPoint Network Engineer - CCNP CMNA