KRACK Attack - What To Communicate
Lance Spitzner
Director, SANS Institute : Board Member, National Cybersecurity Alliance : Founder, Honeynet Project
It was just announced this morning (Monday, 16 October, 2017) that the globally used WPA2 Wi-Fi security protocol has been broken. WPA2 is the most commonly used security standard for Wi-Fi networks around the world. The attack targets (and breaks) the 4-way handshake that establishes the unique encryption keys for a session. The attack is called KRACK by its author, Mathy Vanhoef. The security community is still learning the details and understanding its impact, so if you can hold off on communicating about it until everyone has a more complete picture, we would recommend it. Long story short, no need to panic. However, if you need to communicate something, here are some basics.
THE BAD
- The vulnerability impacts any device that uses WPA2 to connect to a Wi-Fi network, which today is about all of them. This does not impact just smartphones, laptops and tablets, but also our favorite friend, IoT.
- There currently is no patch for this attack; however, patches are being developed.
- This is not just a confidentiality issue. If you have any HTTP (non-encrypted) traffic on the network, an attacker can not only read that traffic but also launch attacks. As per the KRACK site: "As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting."
THE GOOD
- There are no reports of this being actively exploited in the wild - yet.
- This is not a remote attack. A cyber criminal in one country cannot remotely hack into the Wi-Fi network of another country. The bad guy (or at least his device) has to be close enough to the targeted Wi-Fi network to connect to that network. This requirement will help limit how fast this attack can scale.
- If your online connections are fully encrypted (such as over HTTPS), then you are protected against this attack; for example, browser sessions that use HTTPS for all connections, or an email client using SSL to connect to your email server. Unfortunately, the attack can still work if any of these sessions includes a single non-encrypted packet.
WHAT DO I TELL MY WORKFORCE?
- Tether: If you have reason to be concerned about this vulnerability, the simplest way to protect yourself is simply not to use Wi-Fi. "Don't use Wi-Fi," you say, "how can I work?!" Easy: tether off of your mobile device, especially in higher-risk situations such as when traveling or working away from the office.
- Corporate VPN: If you have a corporate VPN, ensure all staff are using the VPN for any Wi-Fi connections. You may want to take the opportunity to encourage people to use a personal VPN for their own personal use.
- Encrypted Sessions: If people cannot tether or do not have a VPN, then ensure that any activity they do online is natively encrypted. This step is more limited, as some encrypted sessions (such as browsing) may also include unencrypted traffic.
- Keep Systems Updated: As soon as a patch is released, ensure any device that connects to a Wi-Fi network is updated. This is a great opportunity to remind others why updating is so important. Perhaps even have people subscribe to the OUCH newsletter to learn more about the basics.
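The advice above comes down to finding out which Wi-Fi clients still send anything in the clear, since those sessions (and, per the "single non-encrypted packet" caveat, even otherwise-encrypted ones) are what an attacker positioned within Wi-Fi range could read or tamper with. The script below is an added example, not part of the original post and not a SANS tool: it audits a small flow log for cleartext sessions and flags clients that mix encrypted and unencrypted traffic. The log format ("timestamp client server dst_port proto"), the sample records and the port-to-service tables are all constructed assumptions; on a real network you would adapt the parser to your firewall or flow-export format.

```python
"""Added example: audit Wi-Fi client flows for cleartext sessions.

Log format and sample records are constructed for this example:
    <timestamp> <client_ip> <server_ip> <dst_port> <proto>
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Assumption: flows to these well-known ports carry no application-layer
# encryption, so once the Wi-Fi link-layer protection fails they are
# readable and injectable.
CLEARTEXT_PORTS = {80: "http", 21: "ftp", 23: "telnet", 25: "smtp",
                   110: "pop3", 143: "imap"}
# Assumption: flows to these ports carry their own TLS/SSH protection.
ENCRYPTED_PORTS = {443: "https", 22: "ssh", 465: "smtps", 993: "imaps",
                   995: "pop3s"}

# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_FLOWS = """\
2017-10-16T09:01:02Z 10.10.5.21 198.51.100.7 443 tcp
2017-10-16T09:01:05Z 10.10.5.21 198.51.100.7 80 tcp   # HTTPS page pulling an HTTP resource
2017-10-16T09:02:10Z 10.10.5.44 203.0.113.9 993 tcp
2017-10-16T09:02:15Z 10.10.5.67 203.0.113.9 143 tcp
2017-10-16T09:03:00Z 10.10.5.67 192.0.2.15 80 tcp
2017-10-16T09:03:30Z 10.10.5.44 192.0.2.15 22 tcp
2017-10-16T09:04:00Z 10.10.5.44 192.0.2.15 8443 tcp   # not in either table
"""


class Flow(NamedTuple):
    ts: str
    client: str
    server: str
    port: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow log; blank lines and '#' comments are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, client, server, port, proto = line.split()
        flows.append(Flow(ts, client, server, int(port), proto))
    return flows


def classify(port: int) -> str:
    """Label a destination port as cleartext, encrypted or unknown."""
    if port in CLEARTEXT_PORTS:
        return "cleartext"
    if port in ENCRYPTED_PORTS:
        return "encrypted"
    return "unknown"


def audit(flows: List[Flow]) -> Dict[str, dict]:
    """Per client: services used in the clear, services used encrypted,
    count of unclassified flows, and whether the client mixes both kinds
    (the case where one unencrypted packet undermines an HTTPS session)."""
    summary = defaultdict(lambda: {"cleartext": [], "encrypted": [],
                                   "unknown": 0, "mixed": False})
    for f in flows:
        entry = summary[f.client]
        kind = classify(f.port)
        if kind == "cleartext":
            name = CLEARTEXT_PORTS[f.port]
            if name not in entry["cleartext"]:
                entry["cleartext"].append(name)
        elif kind == "encrypted":
            name = ENCRYPTED_PORTS[f.port]
            if name not in entry["encrypted"]:
                entry["encrypted"].append(name)
        else:
            entry["unknown"] += 1
    for entry in summary.values():
        entry["mixed"] = bool(entry["cleartext"]) and bool(entry["encrypted"])
    return dict(summary)


def exposed_clients(summary: Dict[str, dict]) -> List[str]:
    """Clients with at least one cleartext service, most exposed first."""
    return sorted((c for c, e in summary.items() if e["cleartext"]),
                  key=lambda c: (-len(summary[c]["cleartext"]), c))


def report(summary: Dict[str, dict]) -> List[str]:
    """Human-readable lines for the clients that need VPN/tethering first."""
    lines = []
    for c in exposed_clients(summary):
        e = summary[c]
        note = " (also uses encrypted services: mixed)" if e["mixed"] else ""
        lines.append(f"{c}: cleartext {', '.join(e['cleartext'])}{note}")
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Clients at the top of the report are the ones to move onto the corporate VPN or tethering first; a "mixed" flag is the concrete case the "Encrypted Sessions" point warns about, where an HTTPS-using client is still pulling something over plain HTTP. Flows to ports in neither table are counted rather than ignored, so the tables can be extended as the audit reveals what the network actually carries.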
We will keep you updated here on the latest findings and what you can communicate to others.
Former CISO, Mentor, Advisor, Advocate, Speaker, Author
7 years ago
Very well written, Lance. Thanks for sharing this.