Every year around this time, since it also happens to be close to the day, a memory from high school pops in my head from my 16th birthday. I was a pretty shy kid, so I loathed anything that made me a) the center of attention or b) divulged something about me that was embarrassing. My older sister, on the other hand, occasionally liked to break me out of my comfort zone in a big way. This particular year took the cake of cold-sweat inducing, mortifying situations because my sister and friends decided I really needed to feel special for my birthday. They found as many old pictures of me they could from birth to that year including several exceptionally anti-photogenic gems. They made posters using all those different pictures that said, “If you see her, wish Little Laura a happy Sweet 16!” I’m pretty sure you can imagine the rest of the story. I still shudder every time I think about that day, so the idea of my personal pictures ever falling in the wrong hands (whoever those hands may belong to) is my idea of tripping through Dante’s ninth circle.
LEARN MORE ABOUT OUR RISK ADVISORY SERVICES
That’s why, when I saw a story in October about the Wi-Fi router device “Krack Attack,” I took even more interest than I normally do in those articles. The article pointed out that one of the pieces of information attackers might be interested in could be photos stored on the mobile device or computer an attack victim is using to connect to the internet via a wireless access router. Attackers would be looking for a whole host of other items too including credit card numbers, passwords to banking sites, or chat messages sent over Wi-Fi.
The premise of the attack (according to the authors of the Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 whitepaper) is based on a classic Man-in-the-Middle attack with a slight twist. A typical MitM attack includes an attacker intercepting information going from Point A to Point B while Point A and Point B believe they’re the only two involved in the data transaction. The “Krack Attack”; however, does this by exploiting vulnerabilities in certain types of encryption used in Wi-Fi router and mobile device authentication that were previously thought to be secure. The attacker has to be within range of the Wi-Fi router they’re setting up the attack on, then they create a cloned Wi-Fi router. The goal of the attack is to interrupt the normal authentication “handshake” that happens between mobile devices and Wi-Fi routers, and to trick the devices into using the cloned router instead of the actual router. Once that happens, the attacker starts intercepting data as it goes from Point A through the cloned router out to the internet towards Point B. The attacker can then use or sell the data they’ve stolen. There are some variations on this attack pointed out in the whitepaper that allow attackers to inject their own malicious data into the data stream that could carry other mal-ware too.
Unfortunately, the authors of the whitepaper who found the issue didn’t offer a quick fix for the vulnerabilities. They provided their findings to the companies that sell wireless routers to do further research and develop their own solutions. Several of those companies released hot fixes for their devices until they can come up with an appropriate firmware update that prevents attackers from exploiting the vulnerabilities. Until that happens, some points to ponder:
- Encourage employees to practice good physical security. This seems simple, but the attacker actually has to be within range of the Wi-Fi router to successfully complete the attack.
- Assess the range of your Wi-Fi router. Is it larger than it could be? Shrink it if you can to make it harder for an attacker to actually be within range to carry out the attack.
- If you’re broadcasting the SSID of your Wi-Fi router, do you need to be? Stop broadcasting the SSID if you can and force users to join manually if possible.
- Use a wired connection in your office if possible.
Also keep in mind, once the firmware updates are released, don’t forget to install them. Sometimes these Wi-Fi seem like “set-it-and-forget-it” types of devices, but they’re not. Companies release firmware updates, and you should be periodically checking to see if one has been released for your device. I’ve included a couple of links below that include the actual whitepaper and a list of vendors that have released hot fixes and those that have yet to do that.
Links
Key Reinstallation Attack Abstract Paper
List of Firmware & Driver Updates for KRACK WPA2 Vulnerability
About the Author
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.