By Rodney Joffe, Senior VP, Senior Technologist, and Fellow, Neustar, Inc
The recently identified KRACK (Key Reinstallation Attacks) vulnerabilities have shown clearly that the Wi-Fi we trust is not as secure as we once thought. KRACK exploits vulnerabilities in Wi-Fi security that could allow bad actors to eavesdrop on traffic between computers and wireless access points. While several articles have been written explaining the technical details of the vulnerabilities, I wanted to provide a simpler overview of the vulnerability, and three takeaways that will help you prepare before the next exploit is released.
The WPA2 Vulnerabilities Timeline
On Friday, October 13th, before the rest of the world found out, there were discussions and rumors amongst security industry groups that something was brewing with the WPA2 wireless protocol.
On Sunday, October 15th, a discussion started based on a tweet from Kenn White, a security researcher and co-director of the Open Crypto Audit Project.
This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection. https://t.co/FikjrK4T4v
— Kenn White (@kennwhite) October 15, 2017
The thread mentioned a group of 10 reserved CVEs (Common Vulnerabilities and Exposures):
The CVE system provides a repository of validated vulnerabilities and is universally utilized as the most authoritative source of information. It is used by both organizations and developers to inform the security industry at large, and in general, CVEs are not published until they also contain details of patches or workarounds. This list was relatively large, but also notable were the gaps in the CVE numbers (e.g. 13083, 13085), possibly indicating that additional issues were still being discovered even as the reports were being prepared.
CVE numbers are reserved when a vulnerability is identified, but details are either not complete, or all vulnerable software or hardware vendors have not yet developed patches. In almost all cases, the reports are delayed until such patches are available based on a generally accepted philosophy of responsible disclosure.
On Monday, October 16th, two well-respected researchers, Mathy Vanhoef and Frank Piessens of KU Leuven released a research paper called “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” disclosing the fundamental core protocol flaw in the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols.
The Decision Was Made To Release The Information
Given the fact that a number of manufacturers had not been able to develop stable patches or workarounds as of the release date, it appears that the manufacturers and the relevant security community believed that waiting for patches posed a greater risk than publishing the details. This is most common when there is evidence that attacks based on the vulnerability are imminent, or already underway, or “in the wild”. In any case, the decision was likely made so that organizations could make educated independent decisions on how to respond. In this case, the most radical response would be to immediately remove wireless systems from the organization’s operating infrastructure.
These Vulnerabilities Are Difficult To Fix On Some Devices
The vulnerabilities identified by Vanhoef and Piessens are relatively obscure and clearly required deep insight into the fundamental protocols involved. Unfortunately, this also means that, as is evident in responses from manufacturers, patches or even workarounds are proving challenging. For example, according to an update to the Cisco Security Advisory, as of the date of this article, Cisco indicates that one of the fixes they released had an issue itself:
“Additional testing performed on October 20th, 2017 resulted in the discovery that the software fixes for CVE-2017-13082 on Cisco Access Points running Cisco IOS software may not provide complete protection.”
Is This The First Flaw In The WPA Protocol Suite?
This isn’t the first flaw to be found in the WPA protocol, but it is one of the worst. Prior vulnerabilities were found and patched effectively in a short period of time. This time, they are really deep in the protocol, and I believe that it is a good indicator that more exist. So when the patches are finally available, two challenges will remain: 1) As a result of apathy and ignorance, or poor process, many users will not have deployed the patches, and 2) When will the next WPA2 shoe drop?
In addition, given the apparent difficulty some major manufacturers are having, there will likely be a group of devices and software that may remain vulnerable permanently.
Are These Vulnerabilities In The Wild?
I haven’t seen any reports of these vulnerabilities being targeted in the wild. That does not mean it hasn’t happened. It may have occurred, but victims are unaware. Or they are aware and have been too busy dealing with the responsibility to report it or have made a decision to not share the information publicly – either due to embarrassment, or fear of the political/legal fallout.
1. These vulnerabilities are serious and significant, probably the most significant vulnerabilities found this year, but it is not a “hair on fire” event or the end of the world. Deal with it. But don’t ignore it.
2. Technology advances allowed migration from WEP to WPA to WPA2 as a reaction to vulnerabilities that were identified. Clearly, we need to rethink the whole way we do key exchange within the wireless encryption protocols. So make sure you watch this space.
3. From the technical side, patches will be coming and you need to be aware of which devices you have that are affected. Once you have this list, you need a plan in place for implementing the patches or workarounds as they need to be applied. But DO NOT ignore this, or take too much time. Some equipment or software will not be patchable. Be prepared to replace if you can’t patch. Don’t risk leaving vulnerable systems in place. There is NO DOUBT that bad actors who were not involved before made good use of the CVE information, and they are now developing exploit kits. So you ARE already in a race.
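The inventory-and-plan step in takeaway 3 is easy to describe and easy to get wrong in practice, so here is an added example (not code from the article or from any vendor) of the triage logic behind it. It takes a constructed Wi-Fi asset inventory and a constructed per-product vendor status table and sorts every device into one action bucket: patch, apply a workaround, replace or isolate, investigate, or nothing. Two details reflect points made in the article: a device whose vendor status is unknown lands in "investigate" rather than being treated as safe, and a device running a "fixed" firmware that the vendor has since flagged as possibly incomplete (as in the Cisco advisory quoted above) is tracked separately rather than closed out. Vendor names, models, firmware versions and the status table are all placeholders.

```python
"""Triage a Wi-Fi inventory against vendor patch status for a protocol-level flaw.

Added example, not from the original article. All vendors, models, firmware
versions and the status table are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    firmware: str


@dataclass(frozen=True)
class VendorStatus:
    affected: bool
    fixed_firmware: Optional[str]   # first firmware version that carries the fix, if any
    workaround: bool                # vendor documents a configuration mitigation
    fix_confirmed: bool = True      # False if the vendor later flagged the fix as incomplete


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def classify(device: Device, status: Dict[Tuple[str, str], VendorStatus]) -> str:
    """Return the action bucket for one device given the vendor status table."""
    key = (device.vendor, device.model)
    if key not in status:
        return "investigate"          # unknown status is not the same as unaffected
    s = status[key]
    if not s.affected:
        return "unaffected"
    if s.fixed_firmware is not None:
        if parse_version(device.firmware) >= parse_version(s.fixed_firmware):
            # Fix is installed; keep it open if the vendor has not confirmed it is complete.
            return "patched" if s.fix_confirmed else "patched_pending_vendor"
        return "patch"
    if s.workaround:
        return "workaround"
    return "replace_or_isolate"       # no fix and no mitigation: do not leave it in place


# Buckets in the order they should be worked, most urgent first.
PRIORITY = [
    "replace_or_isolate", "patch", "workaround", "patched_pending_vendor",
    "investigate", "patched", "unaffected",
]


def triage(devices: List[Device], status: Dict[Tuple[str, str], VendorStatus]) -> Dict[str, List[str]]:
    """Group device names by action bucket, preserving inventory order within each bucket."""
    plan: Dict[str, List[str]] = {action: [] for action in PRIORITY}
    for d in devices:
        plan[classify(d, status)].append(d.name)
    return plan


# Constructed inventory (placeholder names, vendors, models and versions).
INVENTORY = [
    Device("ap-lobby-1", "vendorA", "AP-100", "2.1.0"),
    Device("ap-lobby-2", "vendorA", "AP-100", "2.3.0"),
    Device("ap-warehouse", "vendorB", "WX-9", "1.0.4"),
    Device("ap-guest", "vendorC", "G-1", "7.2"),
    Device("printer-wifi", "vendorD", "P-55", "0.9"),
    Device("ap-lab", "vendorE", "L-3", "3.0"),
    Device("ap-core", "vendorF", "C-7", "5.0"),
]

# Constructed vendor status table keyed by (vendor, model).
STATUS = {
    ("vendorA", "AP-100"): VendorStatus(affected=True, fixed_firmware="2.3.0", workaround=False),
    ("vendorB", "WX-9"): VendorStatus(affected=True, fixed_firmware=None, workaround=True),
    ("vendorC", "G-1"): VendorStatus(affected=True, fixed_firmware=None, workaround=False),
    ("vendorD", "P-55"): VendorStatus(affected=False, fixed_firmware=None, workaround=False),
    ("vendorF", "C-7"): VendorStatus(affected=True, fixed_firmware="5.0", workaround=False,
                                     fix_confirmed=False),
}

if __name__ == "__main__":
    for action, names in triage(INVENTORY, STATUS).items():
        if names:
            print(f"{action:24s} {', '.join(names)}")
```

The status table is per product rather than per CVE on purpose: what the operator needs to decide is whether a given box can be patched, mitigated or must go, and a vendor advisory usually answers that per product line. Re-run the triage every time the vendor table changes, since a product can move from "patched" back to "patched_pending_vendor" when a fix is withdrawn.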
Finally, Re-think Your Organization’s Vulnerability Management Plan
At a higher level, organizations need to do more “what if” planning in the current world. This wasn’t a big deal 15 years ago, but now timeframes to mitigate threats have shrunk. With modern vulnerabilities, you need to respond faster than the bad guy. That may have been weeks or months ten years ago. Today it could be hours. If your organization isn’t already plugged into the research community and you have to rely on the media to tell you there’s a problem, then you’re doing yourself a disservice.
When the CVEs were announced on Monday, companies that were well prepared implemented the patches/workarounds and mitigated the risks the same day. Did you? Do you have a “doomsday” plan in place that allowed you to disable all devices that could not be patched or protected? Did you have plans in place that allowed your organization to continue functioning without wireless connectivity? What about other potential threats? What if your payment systems are targeted, and not your wireless systems? Your manufacturing and production systems? Do you have the equivalent of “old school” pen and paper backups?
These days the bad guys are as small and agile as the good guys. They have built an ecosystem that allows them to act quickly. You don’t have two or three weeks to solve the problem. You need a plan that guides your response if you have to modify your normal business operations until it can be resolved.
Or are you going to be the next “Front Page” story?
About the Author
Rodney Joffe is Senior VP, Fellow, and National Security Executive at information services provider Neustar, Inc. He is a sought-after cybersecurity expert who, among other notable accomplishments, led the Conficker Working Group in response to the Conficker worm. Providing guidance and knowledge to organizations, from the United States Government and Congress to the Internet Corporation for Assigned Names and Numbers (ICANN), and Fortune 10 companies, Mr. Joffe is a pioneer in the domain name system (DNS) and cybersecurity world. He is the holder of 6 issued and a number of submitted patents in those fields.