Key Reinstallation Attacks

January 15, 2018 Enterprise Networking, Trends

In mid-October a research group published a white paper detailing ten vulnerabilities discovered in WPA2, regarded as a safe security standard in wireless networking. The days of thinking our WiFi streets are safe are now over; KRACK is running rampant. And worse, KRACK (Key Reinstallation Attacks) affects the core of the 802.11 protocol, meaning all vendors were affected and no one was safe. This silent epidemic exposed everyone to theft of information and possible malware injections. For KRACK to work, a malicious client must be within reach of the wireless network; the vulnerabilities cannot be exploited from a remote location. Malicious clients can reuse integrity keys and the attacker can then begin decrypting traffic!

Although I am painting a dark side, there is a bright future.

Since the KRACK white paper was published, vendors quickly released software updates to address these vulnerabilities. In fact, most vendors turned around patches within two days. One key idea to note is that only one of the ten vulnerabilities directly affects wireless infrastructure, like access points or wireless controllers. The other vulnerabilities only affect client devices, so patches for those particular clients would be needed. The research paper also provided a bittersweet moment; it led to the uncovering of three additional vulnerabilities using the same exploits. It's not good that they exist, but we are better off knowing about them now.

There is inherent risk in any protocol; no standard is perfect. Obviously, some are better than others; WPA2 is far superior to WEP, for example (even with the KRACK vulnerability). The best we can do is keep ourselves educated so we can overcome risks. The more informed we are and the better the tools we have access to, the easier it is to keep KRACK off our WiFi streets.

 


Alex Zeltmann is an ABS veteran and a rockstar Infrastructure Engineering Manager. With over 10 years of experience in networking technology, he leads ABS’ team of implementation engineers as they integrate the latest technologies for ABS clients.