KRACK, or Key Reinstallation Attack, is a vulnerability in the WPA2 wireless security protocol. The majority of Wi-Fi network implementations at this time are vulnerable to this attack, as it exploits the protocol itself and not any specific brand or solution. As a whole, KRACK is focused on clients more than on APs; however, both need to be appropriately updated to avoid the vulnerabilities that make up KRACK. Do not switch to a different encryption scheme in place of an already stable implementation of WPA2, as WPA2 is still more secure than WEP or WPA despite this vulnerability.

For a successful attack, the attacker would need to be physically present in the enterprise and located between a vulnerable client and AP. An evil twin AP (an access point with the same SSID as your own) is required to force a client to access it so it can man-in-the-middle the traffic. It is important to keep in mind that traffic cannot be decrypted at the application level, only at the network level (WPA2). Therefore, all HTTPS sites are safe to use and a VPN will allow secure networking for clients. Only network-level unencrypted data would be at risk.

In regard to the prevention of KRACK, we strongly recommend updating all clients (phones, tablets, IoT devices), APs, and drivers on endpoints as soon as possible. In some cases, such as up-to-date iPhones and some Windows wireless chipsets, clients are already safe from KRACK. Android phones are particularly susceptible to KRACK and we are still awaiting patching news; therefore, all Android 6.0+ phones should have their WiFi disabled in sensitive use-case situations, or use a VPN at all times.
Other preventative steps would be network segmentation between WiFi and protected networks and educating users to report suspicious behavior.

We recommend taking a look at https://github.com/kristate/krackinfo or http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4 for further information on the current status of updates and patches, as well as a list of vendor statements.

We have internally discussed the detection of KRACK and have determined that it is likely that Rogue AP and DeAuth attack detection, within wireless platforms that support these detections (e.g., Meraki, Aruba, Xirrus), would pick up the attack. They would not necessarily detect KRACK specifically, but would detect a threat to your wireless network, one of which could be KRACK.

If your organization has any more questions as more information comes out, please let Networks Group know!
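The two detections named above (Rogue AP and DeAuth), sketched as an added example that is not code from Networks Group or from any wireless vendor. The AP inventory, thresholds, and frame-record format are assumptions made for illustration, and the channel-mismatch check goes slightly beyond the text to cover a cloned BSSID.

```python
from collections import defaultdict, deque

# Assumed inventory of authorized APs: SSID -> {BSSID: channel}. Constructed values.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:00:00:01": 36, "aa:bb:cc:00:00:02": 149}}
DEAUTH_THRESHOLD = 5   # deauth frames aimed at one client ...
DEAUTH_WINDOW = 10.0   # ... within this many seconds (assumed tuning values)

def detect(frames):
    """Return sorted alert tuples from time-ordered frame observations."""
    alerts = set()
    recent = defaultdict(deque)  # client MAC -> timestamps of recent deauths
    for f in frames:
        if f["type"] == "beacon" and f["ssid"] in AUTHORIZED:
            known = AUTHORIZED[f["ssid"]]
            if f["bssid"] not in known:
                # Our SSID advertised by hardware we do not own: evil twin.
                alerts.add(("rogue_ap_unknown_bssid", f["bssid"]))
            elif f["channel"] != known[f["bssid"]]:
                # Our BSSID on a channel we did not configure: possible clone.
                alerts.add(("rogue_ap_channel_mismatch", f["bssid"]))
        elif f["type"] == "deauth":
            q = recent[f["dst"]]
            q.append(f["ts"])
            # Drop deauths that fell out of the sliding window.
            while q and f["ts"] - q[0] > DEAUTH_WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                alerts.add(("deauth_burst", f["dst"]))
    return sorted(alerts)

# Constructed sample observations, in the shape a monitoring sensor might report.
SAMPLE = [
    {"type": "beacon", "ts": 0.0, "ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "channel": 36},
    {"type": "beacon", "ts": 0.1, "ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "channel": 6},
    {"type": "beacon", "ts": 0.2, "ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:02", "channel": 1},
    {"type": "beacon", "ts": 0.3, "ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "channel": 11},
] + [
    {"type": "deauth", "ts": 1.0 + i, "dst": "f0:0d:00:00:00:09"} for i in range(5)
] + [
    {"type": "deauth", "ts": 100.0, "dst": "f0:0d:00:00:00:0a"},
]

if __name__ == "__main__":
    for kind, mac in detect(SAMPLE):
        print(kind, mac)
```

As in the text, these alerts indicate a threat to the wireless network in general; they do not identify KRACK specifically.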