KRACK Attack: The Impact and How to Mitigate Risk

Oded Comay | October 20, 2017
Researchers have recently identified a serious flaw in the WPA2 protocol known as the KRACK attack. Most WPA2-enabled Wi-Fi clients and a large number of wireless access points are affected by this vulnerability. The vulnerability allows an attacker to force the use of known keys, which are then used to encrypt communication to and from the Wi-Fi-connected device. As a result, the attacker is able to decrypt WPA-protected traffic and, in some cases, inject or modify data in transit.
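To make the "known keys" point concrete, the following added example (not Forescout's code or the KRACK researchers' code) models a Wi-Fi client's pairwise-key state. WPA2 data protection is a counter-mode stream keyed by the session key and a per-packet nonce; if the client is talked into reinstalling a key it already uses, its nonce counter resets and the same keystream is produced twice, which is what lets an observer relate two ciphertexts. The keystream function, the `Supplicant` class, the plaintexts and the use of HMAC-SHA256 in place of AES are all constructed for illustration; the one behaviour taken from the real fix is that a patched client refuses to reinstall a key that is already in use.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || block index).

    Stands in for the AES-CTR core of CCMP (constructed for this example).
    The property that matters is that the stream is a deterministic
    function of (key, nonce), so reusing a nonce reuses the stream.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a Wi-Fi client's pairwise-key state (hypothetical)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0

    def install_key(self, ptk: bytes) -> bool:
        # Message 3 of the 4-way handshake: install the PTK and reset the
        # packet number. A patched client ignores a request to reinstall a
        # key that is already installed, so the counter is never reset.
        if self.patched and self.ptk == ptk:
            return False
        self.ptk = ptk
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        # Each frame uses the next nonce value; the nonce travels in clear.
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def keystream_reused(patched: bool) -> bool:
    """Return True if two frames end up encrypted under the same keystream."""
    ptk = os.urandom(32)  # constructed session key
    client = Supplicant(patched)
    client.install_key(ptk)

    p1 = b"first frame:  GET /login HTTP/1.1"   # constructed plaintexts
    p2 = b"second frame: cookie=sessionid42"    # (same length for clarity)
    n1, c1 = client.encrypt(p1)

    # A retransmitted message 3 arrives. An unpatched client reinstalls
    # the same key and resets its counter; a patched one does not.
    client.install_key(ptk)
    n2, c2 = client.encrypt(p2)

    # With the same (key, nonce) on both frames, c1 XOR c2 == p1 XOR p2:
    # the keystream cancels and confidentiality is gone.
    return n1 == n2 and xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    print("unpatched client reuses keystream:", keystream_reused(False))
    print("patched client reuses keystream:  ", keystream_reused(True))
```

The defensive takeaway is in `install_key`: the vendor patches referenced later on this page change exactly this decision, so the counter is only reset when a genuinely new key is installed.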
What is the impact?
In isolation, the current exposure is of "Medium" severity, mostly because the attacker must be in physical proximity and no public exploits are known to be in the wild at present. However, when multiple vulnerabilities are chained together, the damage potential can be higher than any single vulnerability's CVSS score suggests.
For example, given the WPA2 vulnerabilities, organizations may rely on HTTPS (SSL/TLS transport-layer security) as the defense-in-depth fallback. However, certain devices, such as IoT devices that have been in use for many years, may never have been updated and patched for OpenSSL and TLS vulnerabilities such as Heartbleed, Poodle and Shellshock from years past. Combined, these medium-severity WPA2 and HTTPS issues can become considerably more dangerous in IoT environments.
Impacts include:
Six Ways Forescout Can Help Assess and Mitigate Risk
1. Gain a better understanding of your risk exposure. Forescout CounterACT® can provide a complete inventory of wireless-connected devices, including corporate, BYOD, guest and IoT devices. These devices can be classified by operating system, type, function, ownership and several other attributes to provide essential insight into your wireless environment.
For Forescout customers that haven’t created a policy for this yet, we have posted a policy template to help you categorize wireless devices by their risk level. Please refer to the Knowledge Base Article #4846 through the Forescout support portal at support.forescout.com.
2. Patch impacted devices. Patches are being made available by vendors, with varying degrees of responsiveness. Based on the inventory and classification of wireless devices provided by CounterACT, you can prioritize your patching efforts. CounterACT can also help you enforce policies that enable and initiate automatic updates for certain device types in your environment.
The following links can be referenced for a current list of known patches:
3. Consider additional risk-mitigation steps such as disabling 802.11r Fast Transition (FT) mode. You can use Forescout’s agentless assessment and control capabilities to identify wireless clients that are using FT roaming and initiate desired remediation actions.
4. Favor WPA2 AES-CCMP over WEP, WPA/WPA2 TKIP and GCMP implementations for Wi-Fi encryption.
5. Treat wireless networks as less trusted than wired networks until you complete your patching efforts. Wherever possible, use CounterACT to implement network segmentation to reduce your attack surface.
6. Use CounterACT to isolate, restrict or block non-compliant and high-risk devices. If you're enforcing policies such as automatic OS updates, disabling FT mode or restricting Wi-Fi encryption to certain schemes, you can use CounterACT to isolate non-compliant devices and initiate remediation actions.
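Steps 1 through 6 above amount to a risk policy over the wireless inventory: classify each device, then patch, re-configure, restrict or isolate according to what is found. The following added example (not Forescout's policy template or any CounterACT API) shows that policy as code over a constructed inventory. The `WirelessDevice` fields, the scoring weights, the CSV layout and the action names are all assumptions made for illustration; the rules themselves follow the page (unpatched devices, WEP/TKIP/GCMP ciphers, 802.11r FT roaming and unpatched IoT devices raise risk; high-risk devices are isolated, medium-risk ones restricted).

```python
import csv
import io
from dataclasses import dataclass, field

# Ciphers the page says to move away from in favour of WPA2 AES-CCMP.
WEAK_CIPHERS = {"WEP", "TKIP", "GCMP"}


@dataclass
class WirelessDevice:
    name: str
    category: str       # corporate / byod / guest / iot
    cipher: str         # WEP, TKIP, CCMP or GCMP
    ft_roaming: bool    # 802.11r Fast Transition in use
    patched: bool       # vendor KRACK fix applied
    score: int = 0
    level: str = "low"
    actions: list = field(default_factory=list)


def parse_inventory(text: str) -> list[WirelessDevice]:
    """Parse a CSV export (constructed format) into device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        devices.append(WirelessDevice(
            name=row["name"].strip(),
            category=row["category"].strip().lower(),
            cipher=row["cipher"].strip().upper(),
            ft_roaming=row["ft_roaming"].strip().lower() == "yes",
            patched=row["patched"].strip().lower() == "yes",
        ))
    return devices


def assess(device: WirelessDevice) -> WirelessDevice:
    """Apply the page's mitigation steps as scoring rules (weights assumed)."""
    score, actions = 0, []
    if not device.patched:                       # step 2: patch first
        score += 2
        actions.append("patch")
    if device.cipher in WEAK_CIPHERS:            # step 4: prefer AES-CCMP
        score += 2
        actions.append("migrate_to_ccmp")
    if device.ft_roaming:                        # step 3: disable 802.11r FT
        score += 1
        actions.append("disable_ft")
    if device.category == "iot" and not device.patched:
        score += 1                               # chaining risk with old TLS stacks
    device.score = score
    if score >= 4:                               # step 6: isolate high risk
        device.level = "high"
        actions.append("isolate")
    elif score >= 2:                             # step 5/6: restrict medium risk
        device.level = "medium"
        actions.append("restrict")
    device.actions = actions
    return device


def prioritize(text: str) -> list[WirelessDevice]:
    """Return the inventory assessed and sorted so the riskiest devices come first."""
    devices = [assess(d) for d in parse_inventory(text)]
    return sorted(devices, key=lambda d: (-d.score, d.name))


# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = """name,category,cipher,ft_roaming,patched
laptop-02,corporate,CCMP,no,yes
printer-01,iot,TKIP,no,no
phone-guest-3,guest,CCMP,no,no
laptop-17,corporate,CCMP,yes,yes
"""

if __name__ == "__main__":
    for d in prioritize(SAMPLE_INVENTORY):
        print(f"{d.name:14} {d.level:6} score={d.score} actions={','.join(d.actions) or '-'}")
```

Running it lists the unpatched TKIP printer first as high risk (patch, migrate to CCMP, isolate), the unpatched guest phone as medium (patch, restrict), and the patched corporate laptop with FT enabled as low but still flagged for having FT disabled.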
Forescout will continue monitoring the threat landscape and provide further updates as needed.