Key Reinstallation Attacks are a threat to nearly every wireless network, but there’s a set of straightforward steps any enterprise can take to protect itself from hemorrhaging high-value data.
From the WannaCry ransomware outbreak, to the NotPetya virus, to the massive Equifax data breach, 2017 wasn’t exactly a stellar year for cybersecurity. What’s more, Cybersecurity Ventures’ 2017 Cybercrime Report predicts that the global cost of cybercrime will balloon to $6 trillion annually by 2021, doubling the tab from just two years ago.
Even more concerning, the cybersecurity community received an unprecedented rude awakening last October when researcher Mathy Vanhoef went public with a proof-of-concept for a Key Reinstallation Attack, or “KRACK attack.” As the Cybersecurity Ventures report puts it, KRACK attacks “put every WiFi connection in the world at risk.”
Unlike previous attacks against the WPA2 security protocol, KRACK attacks do not involve any attempts to guess a network password. “The weaknesses are in the WiFi standard itself, and not in individuals, products, or implementations,” Vanhoef explains. “Therefore, any correct implementation of WPA2 is likely affected.”
The security of the WPA2 protocol stems from what is known as a “4-way handshake.” When a new device attempts to join a password-protected network, this handshake (1) guarantees that the user and the network access point have the same credentials and (2) creates a key that is used to encrypt later communications between the two network nodes.
As its name suggests, a key reinstallation attack works by tricking a device into reinstalling an old encryption key. “Because messages may be lost or dropped, an access point will retransmit [the message with the encryption key] if it does not receive an appropriate response as acknowledgement,” Vanhoef points out. “Each time [a device] receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.”
Once a KRACK attacker is able to mimic the cryptographic handshake message (often referred to as “Message 3” of the 4-way handshake), the connected device will be tricked into continuously resetting the encryption protocol. Devices running Linux or Android 6.0 or higher are particularly vulnerable to this kind of attack, as they are easily tricked into reinstalling all-zero encryption keys. This gives attackers unmitigated access to all of the data transmitted between device and access point, exposing everything from credit card numbers and login credentials to emails and photos.
Fortunately, as devastating as a wave of KRACK attacks has the potential to be, enterprise IT teams can fight back. Most importantly, enterprises must do everything they can to ensure that the devices connecting to and comprising their networks are both sufficiently sophisticated and properly patched.
Consumer-grade routers and access points tend to be insufficiently secure even outside of the context of the KRACK vulnerability, meaning they should be entirely off-limits for any security-minded enterprise. But while in-house networking infrastructure is easy enough to regulate with the proper corporate commitment, managing end-user devices is far more difficult.
Especially in the bring-your-own-device (BYOD) era, enterprise networks are often exposed to new connections each and every day, dramatically increasing their exposure to KRACK attacks. The best way for an enterprise to reduce this exposure is to ask its employees to patch their devices before attempting to connect to the corporate network. Helpfully, the GitHub community has put together a list of devices vulnerable to KRACK attacks and all the patches these devices’ vendors have released.
A properly patched device will only install a specific encryption key once, thereby counteracting the KRACK approach. But as Vanhoef cautions, “Although an unpatched [device] can still connect to a patched access point, and vice versa, both the [device] and the access point must be patched to defend against all attacks!”
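The two behaviours described above, an unpatched station that reinstalls the key on every retransmitted Message 3 and a patched one that installs a given key only once, can be modelled in a few lines. The following is an added example and not code from the article or from Vanhoef's research; the key, the two frames and the HMAC-based keystream are constructed stand-ins (real CCMP uses AES in counter mode under the temporal key, with the packet number in the nonce), and the `Client`, `simulate`, `pn_regressions` and `reused_keystream` names are assumptions for the illustration. It shows why the reset matters: once the packet number restarts, two frames are encrypted under the same key and nonce, and a replay-counter check of the kind a patched receiver performs flags the regression.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the CCMP keystream. Real 802.11 CCMP runs AES in counter
# mode under the PTK's temporal key with the packet number (PN) in the nonce; here
# HMAC-SHA256 over (key, PN, block index) plays that role so the script is stdlib-only.
def keystream(key: bytes, pn: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal model of a station's key-install logic around handshake Message 3."""
    patched: bool                                  # True: install a given PTK only once
    key: Optional[bytes] = None
    pn: int = 0                                    # transmit packet number (nonce counter)
    tx_log: List[Tuple[int, bytes]] = field(default_factory=list)  # (pn, ciphertext)

    def on_message3(self, ptk: bytes) -> str:
        # A patched station remembers it already installed this key and ignores the
        # retransmission; an unpatched one reinstalls it and resets PN to zero.
        if self.patched and self.key == ptk:
            return "ignored-duplicate"
        self.key = ptk
        self.pn = 0
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.pn += 1
        ct = xor(plaintext, keystream(self.key, self.pn, len(plaintext)))
        self.tx_log.append((self.pn, ct))
        return self.pn, ct


PTK = bytes(range(16))                  # constructed key for the demonstration
FRAME_A = b"GET /login HTTP/1.1\r\n"    # constructed sample frames
FRAME_B = b"POST /pay  HTTP/1.1\r\n"


def simulate(patched: bool) -> List[Tuple[int, bytes]]:
    """Message 3 arrives, a frame is sent, Message 3 arrives again, another frame is sent."""
    c = Client(patched=patched)
    c.on_message3(PTK)
    c.send(FRAME_A)
    c.on_message3(PTK)      # retransmitted Message 3 (lost acknowledgement, or replayed)
    c.send(FRAME_B)
    return c.tx_log


def pn_regressions(log: List[Tuple[int, bytes]]) -> List[int]:
    """Replay-counter style check: indices of frames whose PN did not increase."""
    bad, last = [], 0
    for i, (pn, _) in enumerate(log):
        if pn <= last:
            bad.append(i)
        last = max(last, pn)
    return bad


def reused_keystream(log: List[Tuple[int, bytes]]) -> bool:
    """True if two frames were encrypted under the same (key, PN) pair."""
    pns = [pn for pn, _ in log]
    return len(pns) != len(set(pns))


if __name__ == "__main__":
    for patched in (False, True):
        log = simulate(patched)
        print("patched" if patched else "unpatched", [pn for pn, _ in log],
              "PN regressions:", pn_regressions(log),
              "keystream reuse:", reused_keystream(log))
```

Running it shows the unpatched station sending PN 1 twice after the retransmission, so `reused_keystream` is true and the replay-counter check flags the second frame, while the patched station continues to PN 2 and both checks stay clean. The model only covers the station side; as the quote above notes, the access point needs the same install-once rule to be protected against every variant.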
Considering that companies like Apple and Microsoft can take weeks to release patches, enterprise IT teams are often forced to fend for themselves when vulnerabilities like KRACK are exposed. In order to ensure that it’s fully protected, an enterprise must catalogue, assess, and upgrade hundreds if not thousands of networked devices and connections. This can easily overwhelm even the most experienced enterprise IT team, which is why partnering with a networking expert like Turn-key Technologies is often the best — and certainly the least stressful — way to audit one’s IT infrastructure.
As Certified Wireless Security Professionals, we provide a wide range of cutting-edge cybersecurity solutions, including inspecting an enterprise’s network traffic, educating its employees on cybersecurity best practices, and facilitating device upgrades when needed.