Researchers have recently disclosed a serious flaw in the WPA2 protocol known as KRACK (Key Reinstallation Attacks). Most WPA2-enabled Wi-Fi clients and a large number of wireless access points are impacted. The weakness lies in the WPA2 4-way handshake (and the related group-key and 802.11r Fast Transition handshakes): by blocking and replaying handshake messages, an attacker within radio range can force a device to reinstall a key that is already in use, which resets the nonce (packet number) and replay counter associated with it. Because the cipher suites used by WPA2 must never reuse a nonce under the same key, the attacker can then recover keystream and decrypt WPA2-protected traffic and, in some cases, replay, inject or modify data in transit. In some client implementations the reinstalled key is a known, all-zero key, which makes decryption trivial.
What is the impact?
In isolation, the current exposure is of “Medium” severity, mostly because the attacker must be within radio range and no public exploit is circulating in the wild at present. However, when multiple vulnerabilities are chained together, the combined damage potential can exceed what any single vulnerability’s CVSS score suggests.
For example, in the face of the WPA2 vulnerabilities, organizations may rely on HTTPS (TLS) as the defense-in-depth fallback that keeps application traffic confidential even if the Wi-Fi layer is compromised. However, certain devices, such as IoT devices that have been in service for many years, may never have been patched for OpenSSL and TLS vulnerabilities such as Heartbleed and POODLE (Shellshock, from the same period, is a Bash flaw rather than a TLS one, but it is another example of an old bug that often lingers on such devices). When a WPA2 weakness is combined with a broken TLS layer, two medium-severity issues become considerably more dangerous in IoT environments.
- Data in transit can be decrypted by a nearby attacker and is at risk of leakage (breach of confidentiality). This applies to every WPA2 cipher suite, because it follows from nonce reuse alone.
- Data in transit may also be forged or modified (breach of integrity) on networks using WPA-TKIP or GCMP, because nonce reuse lets the attacker recover the key material behind the integrity check (TKIP’s Michael MIC key, GCMP’s authentication key). WPA2 AES-CCMP is less exposed: its CBC-MAC does not give up a forgery key under nonce reuse, so the attacker is limited to decryption and replay.
- Certain client-side devices are more impacted than others. Linux and Android (6.0 and later) devices running wpa_supplicant 2.4 or 2.5 are especially vulnerable: on reinstallation they install an all-zero encryption key, so the attacker can decrypt their traffic without any known plaintext. As with any such vulnerability, the ultimate goal is to patch all impacted devices and reduce the attack surface. That is easier said than done, however, when the scope of impacted devices is so widespread, both in sheer number and in the variety of device types. Organizations will have to rely on a combination of risk-reduction techniques over the coming weeks and months as they work through this patching cycle.
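The following Python script is an added example, not code from the original post or from Forescout. It models the key reinstallation described above and the consequence that matters for the confidentiality bullet: once the packet number is reset, the next frame reuses a nonce, and two ciphertexts under the same key and nonce XOR to the XOR of their plaintexts. To run with the standard library only, HMAC-SHA256 stands in for AES as the CTR block function; the nonce-reuse property does not depend on the block function. The keys, packet numbers and HTTP-style plaintexts are constructed for illustration, and the model omits the MIC, so it shows the decryption that all three cipher suites share rather than the forgery that distinguishes TKIP and GCMP from CCMP.

```python
"""
Toy model of a KRACK-style key reinstallation against a CTR-mode cipher.
Added example, not part of the original post. HMAC-SHA256 is a stand-in
for the AES block function; keys, PNs and plaintexts are constructed.
"""
import hmac
import hashlib
from dataclasses import dataclass


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """CTR-style keystream: PRF(key, nonce || counter), block by block.
    The nonce is a 48-bit packet number, as in CCMP."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_in = nonce.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hmac.new(key, block_in, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal station state: the pairwise temporal key and its packet number."""
    ptk: bytes
    pn: int = 0

    def install_key(self, ptk: bytes) -> None:
        # 802.11 resets the PN to 0 whenever a key is installed. Re-installing
        # the *same* key (the KRACK step) is what makes nonce reuse possible.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes):
        """Encrypt one frame under (ptk, next PN) and return (pn, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Same key and nonce twice: C1 ^ C2 = P1 ^ P2, so P2 = C1 ^ C2 ^ P1."""
    return xor(xor(ct_known, ct_target), pt_known)


def run_attack() -> dict:
    ptk = hashlib.sha256(b"constructed pairwise key material").digest()
    client = Client(ptk=ptk)
    client.install_key(ptk)  # message 3 of the 4-way handshake processed

    # Constructed plaintexts: a guessable request, then a secret header.
    known_pt = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    secret_pt = b"Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"

    pn1, ct_known = client.send(known_pt)  # PN=1

    # Control: no reinstallation, so the secret goes out under a fresh PN=2
    # and the known-plaintext trick yields garbage.
    _, ct_fresh = client.send(secret_pt)
    control = recover_with_known_plaintext(ct_known, known_pt, ct_fresh)

    # Attack: attacker blocks message 4, the AP retransmits message 3, the
    # client reinstalls the same PTK and resets PN to 0. Next frame: PN=1 again.
    client.install_key(ptk)
    pn3, ct_reused = client.send(secret_pt)
    recovered = recover_with_known_plaintext(ct_known, known_pt, ct_reused)

    # Variant seen on wpa_supplicant 2.4/2.5 (Android 6.0+): the reinstalled
    # key is all zeros, so the attacker can decrypt with no known plaintext.
    zero_key = bytes(len(ptk))
    client.install_key(zero_key)
    pn4, ct_zero = client.send(secret_pt)
    decrypted_zero = xor(ct_zero, keystream(zero_key, pn4, len(ct_zero)))

    return {
        "nonce_reused": pn1 == pn3,
        "control_recovery_failed": control != secret_pt,
        "recovered": recovered,
        "zero_key_decrypted": decrypted_zero,
    }


if __name__ == "__main__":
    result = run_attack()
    print("nonce reused after reinstall:", result["nonce_reused"])
    print("recovered via keystream reuse:", result["recovered"])
    print("decrypted under all-zero key: ", result["zero_key_decrypted"])
```

The control step is the point to notice: the same known-plaintext arithmetic fails when the packet number keeps incrementing, which is why the fix for KRACK is simply to refuse to reset the nonce when an already-installed key is reinstalled, rather than to change the cipher.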
Six Ways Forescout Can Help Assess and Mitigate Risk
1. Gain a better understanding of your risk exposure. Forescout CounterACT® can provide a complete inventory of wireless-connected devices, including corporate, BYOD, guest and IoT devices. These devices can be classified by operating system, type, function, ownership and several other attributes to provide essential insight into your wireless environment.
For Forescout customers that haven’t created a policy for this yet, we have posted a policy template to help you categorize wireless devices by their risk level. Please refer to the Knowledge Base Article #4846 through the Forescout support portal at support.forescout.com.
2. Patch impacted devices. Patches are being made available by vendors, with varying degrees of responsiveness. Based on the inventory and classification of wireless devices provided by CounterACT, you can prioritize your patching efforts. CounterACT can also help you enforce policies that enable and initiate automatic updates for certain device types in your environment.
Vendor advisories should be referenced for the current list of known patches.
3. Consider additional risk-mitigation steps such as disabling 802.11r Fast Transition (FT) on access points. The access-point side of KRACK is triggered by replaying the FT reassociation request, so turning FT off removes that variant until AP firmware is patched. You can use Forescout’s agentless assessment and control capabilities to identify wireless clients that are using FT roaming and initiate the desired remediation actions.
4. Favor WPA2 AES-CCMP over WEP, WPA/WPA2 TKIP and GCMP for Wi-Fi encryption. CCMP does not prevent the attack, but it limits the impact to decryption and replay rather than forgery of traffic; WEP is broken independently of KRACK and should not be in use at all.
5. Treat wireless networks as less trusted than wired networks until you complete your patching efforts. Wherever possible, use CounterACT to implement network segmentation to reduce your attack surface.
6. Use CounterACT to isolate, restrict or block non-compliant and high-risk devices. If you are enforcing policies such as automatic OS updates, disabled FT mode or the use of approved Wi-Fi encryption schemes only, you can use CounterACT to isolate non-compliant devices and initiate remediation actions.
Forescout will continue monitoring the threat landscape and provide further updates as needed.