Out this morning is word of a major vulnerability in WiFi security called KRACK Attacks. It allows a nearby attacker to watch traffic on your WiFi networks, steal information, and potentially inject data (such as malware). The standard affected, WPA2, is what homes and businesses everywhere use to protect their information.
So, what to do about it? First, don’t throw away your router. There is already a lot of misinformation flying around that we need to wait for router vendors to update their firmware to be safe again. In most instances this isn’t the case.
Most WiFi access points operate in “AP” mode. This means that there are many wireless devices that connect to one or more access points that are each, in turn, connected to a wired ethernet connection (either to a network switch or directly to a Cable/DSL modem). If this is your configuration, you do not need to do a firmware upgrade on the access point. If you have a less common configuration where you have WiFi access points in “client mode” or a “WiFi repeater”, then, yes, check for an update from your vendor as soon as possible. These are much less common in business settings, but “repeaters” do show up in big houses (pro-tip: they’re always slow – run an ethernet cable whenever possible to an additional access point). We updated our in-house network to the latest Ubiquiti release this morning, just to check out stability (no client mode in use here), and it all looks good. We are very pleased with Ubiquiti’s responsiveness, and we’re glad we have their gear here and that we chose to deploy it for our clients. Aruba also has updates out today – kudos to these two companies for protecting their users.
That said, there is one thing you can do with your router to lessen the impact – set the WPA2 settings (usually in “WiFi Security”) to use AES-CCMP (“AES” / “AES Only” / etc.). Using AES instead of TKIP prevents the active injection of harmful content onto the WiFi network. It does not eliminate the snooping, but it could help prevent active infection attacks. Regardless, there are other security reasons to not use TKIP, so switching to AES-only is the smart thing to do. If you’re a BFC Computing client for whom we installed a WiFi network, you already are on AES-only.
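As an added illustration (not code from the original post), here is a small Python auditor for a hostapd-style access point config: it flags the pairwise cipher settings that still permit TKIP and shows the AES-CCMP-only rewrite recommended above. The sample config is constructed; the keys `wpa`, `wpa_pairwise` and `rsn_pairwise` are standard hostapd.conf parameters.

```python
"""Audit a hostapd-style config for TKIP exposure and produce the
AES-CCMP-only equivalent (added example; sample config is constructed)."""

WEAK_SAMPLE = """\
# constructed sample hostapd.conf: WPA/WPA2 mixed mode, TKIP allowed
interface=wlan0
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""


def parse_hostapd(text):
    """Return {key: value} for key=value lines, ignoring comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means WPA2 with AES-CCMP only."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: WPA is not enabled at all")
    elif wpa in ("1", "3"):
        findings.append("wpa=%s still admits WPA1 (TKIP-era) clients; use wpa=2" % wpa)
    pairwise = conf.get("wpa_pairwise", "")
    # hostapd uses wpa_pairwise for WPA2 too when rsn_pairwise is not set
    rsn = conf.get("rsn_pairwise", pairwise)
    for name, ciphers in (("wpa_pairwise", pairwise), ("rsn_pairwise", rsn)):
        if "TKIP" in ciphers.split():
            findings.append("%s=%s permits TKIP; set %s=CCMP" % (name, ciphers, name))
    return findings


def harden(conf):
    """Return a copy of conf rewritten to WPA2 + AES-CCMP only."""
    fixed = dict(conf)
    fixed["wpa"] = "2"             # WPA2 (RSN) only, no WPA1 fallback
    fixed["rsn_pairwise"] = "CCMP"  # AES-CCMP only for WPA2 clients
    fixed.pop("wpa_pairwise", None)  # no WPA1 cipher list needed with wpa=2
    return fixed
```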
So, now that you’re not throwing away your router, what’s the deal? KRACK is an attack on the WPA2 key exchange process, which is initiated by the client device. You will have to wait for and apply a patch from your device vendor (desktops, laptops, phones, tablets, industrial gear) to not be vulnerable. That’s where this gets tricky.
We all know how quickly Android phones get abandoned by their manufacturers (Google’s Android O is a start on tackling this problem, but it’s in the future), so many of them will never get this patch. Many users will never run the updates on their devices. Corporate IT can push out updates to some types of devices (e.g. Windows desktops) but not everything (iOS devices are OK). Some people may have, say, an old Mac that can’t be upgraded but works fine otherwise. What to do about this?
Luckily, our old friend “Defense in Depth” is a help here. If you’re using a VPN already, you’re probably fine. If you’re using encrypted email, you’re probably fine. If you’re visiting websites that have encryption properly enabled, then you’re probably fine. Terminal-jockeys running ssh are fine. It’s the traffic that is already being sent unencrypted over the internet that is going to have a problem here, which just teaches us (yet again) to never rely on only one layer of encryption. If you absolutely cannot upgrade and you have high security needs, you will need to switch to a wired ethernet connection, either directly or to a wireless bridge device (once those get updated).
In the end, all we can do is: don’t panic, apply updates as soon as they’re available, and always opt for encryption whenever and wherever possible.
Nerd vittle: why the heck are we still allowing unsigned/unauthenticated CSA beacons?
As always, if you’re in the Northern New England area and you need help designing, testing, or configuring secure systems onsite (or remotely anywhere), please contact us – we’d be happy to help.
UPDATE: Most Linux distros have updates out, Microsoft is pushing a patch, Google devices will first receive the fix on November 6th, Apple is currently testing iOS (but not MacOS?) patches, and other Android vendors will update as they see fit, or not.
UPDATE 2: there’s a maintained operating system list at Bleeping Computer.