KRACKs or Key Reinstallation Attacks
The latest security threat to reach mainstream news are ‘KRACKs’ or key reinstallation attacks.
Although at present the risk of attack is minimal we wanted to make you aware of the situation.
As you will know any private Wi-Fi network will require you to enter a password to join it. This process is secured by a protocol called WPA2 encryption.
However, Mathy Vanhoef, a researcher at the Belgian university KU Leven, has reportedly discovered a serious weakness within the WPA2 protocol. (https://www.krackattacks.com).
Someone within range of a device (for example someone sat in your car park) can exploit these weaknesses using key reinstallation attacks, or KRACKs for short. People can then use this attack method to steal information that was previously assumed to be encrypted. This information can include credit card information, passwords, messages, emails, photos etc.
Although most devices appear to be vulnerable to attacks reading Wi-Fi traffic, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures client and access points have the same password when joining a Wi-Fi network.
As this is a client-based attack, expect to see a number of patches for devices, such as wireless access points, in the coming weeks.
Please be aware that KRACKs or key reinstallation attacks cannot recover your Wi-Fi password and that they act as a ‘Man in the Middle’ attack.
For more information on KRACKs please visit https://www.krackattacks.com.
Make sure your connection is secure.
If do not see the green padlock symbol before the website address in the URL bar DO NOT enter any sensitive information – this includes (but is not limited to) usernames, email addresses, passwords, banking information and card details. This is advice that should be followed at all times, as it can protect against a high number of security threats, not just KRACKs.
The green padlock identifies that a site is protected by the HTTPS protocol and that any data that is entered will be encrypted.
It is possible that an attacker who accesses your network using KRACKs can bypass the HTTPS protocol and remove the encryption that protects sensitive information.
The YouTube link below show Mathy Vanhoef demonstrating how a KRACKs can bypass the HTTPS on a website.
Google Chrome Secure Connection Example
Mozilla Firefox Secure Connection Example
Most browsers will allow you to click on the padlock to see that the connection is secure.
There will usually be an icon that you can click to see if the connection is unprotected.
Most modern browsers will make you aware when you are using an insecure connection. The above two examples are from the browser Opera.
How to protect your corporate network.
Although at present the risk of KRACKs affecting your business is minimal we believe that in the coming weeks there will be more online tools appearing that could help attackers attempt to gain access to company networks.
In order to maximise your network security and to minimise the affect a key reinstallation attack could have on your business we recommend that:
- You ensure that your guest Wi-Fi is segregated from your corporate Wi-Fi
- You ensure that your wifi power settings are configured correctly. The range of wireless access points can be limited so they are not accessible from specific locations ie car parks etc. Please speak to us if this of concern to you.
- You confirm that your access point and access controller firmware is up to date. There may be several firmware updates released in the coming weeks and months as manufactured release patches in order to try to combat the risk of KRACKs.
- You adopt a new wireless standard as soon as possible if one is released. It is possible that a WPA3 protocol will be released that does not have the same weakness as WPA2.
- You make sure that any anti-virus or border based protection is up to date.
- You use complex passwords on internal data and change these passwords regularly. A complex password should ideally feature a mix of letters, both upper and lowercase, numbers and special characters and should not form a legible word. For example, lh&!45qpn5% would be considered a complex password.
- You make sure your company has a relevant mobile use policy to ensure that employees own devices, that may be attached to the network, are kept up to date.
- If you use any wireless devices that are out of support and unlikely to be updated you please contact IT3000 as there are options we can put in place to minimise the risk
The above recommendations are good security measures to put in to practice and will help to protect your company against a number of threats, including KRACKs.
IT3000 will obviously keep you informed and up to date with KRACKs and any other possible security issues that may affect your business.
If you have any questions and would like to speak to a member of the IT3000 team then please email us on firstname.lastname@example.org or call 01455 247 830.