KRACK - What you need to know about Key Reinstallation AttaCKs
October 24, 2017

On Monday, October 16, researchers announced the discovery of several vulnerabilities within the wireless protocols WPA and WPA2. The details of these vulnerabilities, dubbed KRACK, have not been disclosed in full to the public; the researchers have so far released only a whitepaper and a video outlining them. In the days following the announcement more and more information was released, but many questions still go unanswered.

The basic issue is the vulnerability's impact on WPA2, a wireless security protocol commonly used by enterprises and consumers. It affects not only WPA/WPA2 Personal but also WPA/WPA2 Enterprise implementations, on access points as well as on wireless client devices. In short, an attacker conducts the attack by injecting packets that cause the encryption keys to be reinstalled to a value known to the attacker, allowing them to decrypt and replay traffic from clients. This can happen with a few specific configurations, including:

- Android/Linux devices with a standard WPA configuration.
- Systems with fast transition (802.11r) enabled where the client supplicant is vulnerable as well. 802.11r helps a client transition from one access point to another without re-authenticating. Many manufacturers do not enable this feature by default because of deployment complications; some recommend its use for specific wireless applications and others do not.
- The use of GCMP (Galois/Counter Mode Protocol), which is also vulnerable to the same replay attack.

The picture below outlines which vulnerabilities can be exploited on access points and client devices.
Figure 1: Source – KRACK Attack Whitepaper, written by Mathy Vanhoef

There are no new attack vectors or techniques associated with the KRACK vulnerability, other than forcing clients to reinstall encryption keys that are known to the attacker, which then allows the attacker to replay, decrypt or forge wireless traffic. Replay, traffic decryption and wireless packet forging attacks were well known, commonly used and documented before this vulnerability was released.

To protect themselves against KRACK, consumers should update their wireless access points and clients as soon as patches become available. Most access point vendors and Linux distributions have released patches. The following matrix outlines the current list:

Vendor Patch Management (the source matrix has three status columns, Patch Available / In Development / Not Directly Affected; the per-vendor column marks did not survive extraction, so consult the source link below for each vendor's status)
- Arch Linux
- Arista
- Aruba
- Cisco
- DD-WRT
- Debian
- Extreme Networks
- Fedora
- FreeBSD
- Lenovo
- LineageOS
- LXDE
- Meraki
- MikroTik
- Synology
- Turris Omnia
- Ubiquiti
- Ubuntu
- UniFi
- VMware
- WatchGuard Cloud
- WatchGuard
- Windows 10
- WPA Supplicant

Figure 2: Source – https://github.com/kristate/krackinfo

The picture below outlines which WPA implementations are vulnerable on specific devices.

Figure 3: Source – KRACK Attack Whitepaper, written by Mathy Vanhoef

So, what does this mean? WPA/WPA2 Enterprise and Personal authentication credentials are not compromised. Changing either user passwords or the PSK will not mitigate this vulnerability. The issue is in how wireless devices or clients handle the key reinstall sent during the 4-way handshake. As of right now, Windows 7, Windows 10 and iOS 10.3.1 and above are only vulnerable if using an unpatched GCMP configuration. At this time, Microsoft has released a set of patches to address this issue. While GCMP is rarely used, most wireless devices utilize one of the currently vulnerable WPA implementations.
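The sentence above about how clients handle the key reinstall during the 4-way handshake is the crux of KRACK, and it is easiest to see in a small state-machine model. The following is an added illustration, not code from the Optiv post, from the KRACK whitepaper, or from any real Wi-Fi stack. It models the supplicant side of the handshake: message 1 carries the AP nonce, message 3 causes the PTK to be installed, and a retransmitted message 3 (which a real supplicant must tolerate, because message 4 can be lost) is where the defect lives. In the unguarded model the retransmission reinstalls the same key and resets the packet number to zero, so the per-frame nonce repeats; in the guarded model, which mirrors the fix shipped by patched supplicants, an already-installed key is never reinstalled and the packet number keeps counting. Everything cryptographic here is a constructed stand-in (HMAC-SHA256 instead of the 802.11 PRF, a SHA-256 keystream instead of CCMP's AES-CTR); only the state-machine point is faithful.

```python
"""Toy model of the WPA2 4-way handshake and the key-reinstallation guard.

Added illustration (not the Optiv post's or any Wi-Fi stack's code).
Constructed stand-ins: derive_ptk() replaces the 802.11 PRF and
keystream() replaces CCMP's AES-CTR. The point that is faithful:
confidentiality depends on the (key, packet number) pair never repeating,
and reinstalling a key resets the packet number.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Stand-in for the 802.11 PRF: binds the session key to both nonces.
    return hmac.new(pmk, b"ptk" + anonce + snonce, hashlib.sha256).digest()


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the AES-CTR keystream, keyed by (temporal key, packet number).
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    pmk: bytes
    guard_reinstall: bool                  # True models a patched supplicant
    snonce: bytes = field(default_factory=lambda: os.urandom(32))
    ptk: Optional[bytes] = None
    pn: int = 0                            # CCMP packet number (per-frame nonce)
    installed: bool = False
    nonces_used: List[int] = field(default_factory=list)

    def handle_msg1(self, anonce: bytes) -> bytes:
        """Message 1 (ANonce) -> message 2 (SNonce); derive but do not install."""
        self.ptk = derive_ptk(self.pmk, anonce, self.snonce)
        return self.snonce

    def handle_msg3(self, anonce: bytes) -> bool:
        """Message 3 -> message 4. Returns True if the PTK was (re)installed."""
        ptk = derive_ptk(self.pmk, anonce, self.snonce)
        if self.installed and self.guard_reinstall and ptk == self.ptk:
            # Patched behaviour: still acknowledge the retransmission with
            # message 4, but never reinstall a key that is already in use.
            return False
        # Unpatched behaviour (or first install): install key, reset packet number.
        self.ptk = ptk
        self.pn = 0
        self.installed = True
        return True

    def encrypt(self, plaintext: bytes):
        """Protect one data frame under the installed key; returns (pn, ciphertext)."""
        assert self.installed and self.ptk is not None
        self.pn += 1
        self.nonces_used.append(self.pn)
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def run_handshake(guard_reinstall: bool) -> dict:
    """Handshake, one data frame, a retransmitted message 3, a second frame."""
    pmk = hashlib.sha256(b"constructed-passphrase").digest()   # constructed PMK
    anonce = os.urandom(32)
    sta = Supplicant(pmk=pmk, guard_reinstall=guard_reinstall)
    sta.handle_msg1(anonce)                 # msg1 in, msg2 out
    sta.handle_msg3(anonce)                 # msg3 in, msg4 out, PTK installed
    p1 = b"GET / HTTP/1.1\r\n"              # constructed sample frames
    n1, c1 = sta.encrypt(p1)
    reinstalled = sta.handle_msg3(anonce)   # retransmitted msg3 (msg4 was lost)
    p2 = b"POST /login HTTP"
    n2, c2 = sta.encrypt(p2)
    return {
        "reinstalled": reinstalled,
        "nonce_reused": n1 == n2,
        # Same (key, nonce) twice means the same keystream twice, so the XOR of
        # the ciphertexts equals the XOR of the plaintexts: this is why a
        # reinstall lets traffic be decrypted without learning the key.
        "keystream_reused": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unguarded:", run_handshake(guard_reinstall=False))
    print("guarded:  ", run_handshake(guard_reinstall=True))
```

The guard is the whole fix: the supplicant still replies to the retransmitted message 3 (so the handshake completes for a legitimately lossy link), but the packet number keeps increasing, so no nonce repeats and no keystream is reused. Note that the model also shows why changing the PSK does nothing for this issue: the reinstalled key is the correct session key, and the weakness is purely in the reset of the nonce counter.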
A large share of the vulnerable devices are unpatched versions of Linux and Android; however, some versions of Apple's software are vulnerable as well. Apple has developed a set of patches across OSX, WatchOS and TVOS to address this vulnerability that will be available soon. CERT is maintaining a list of affected vendors that also links to each vendor's current or planned remediation, if released.

Until patched, approach WPA networks with the same caution as an open network at your local café. Since this vulnerability could potentially compromise the encryption of a wireless network, useful countermeasures until patches for specific devices are released include using HTTPS for all websites and/or using a VPN to encrypt all network traffic.

Today, there are no proven signatures that can be used to detect the KRACK attack. However, there are signatures to detect man-in-the-middle or "Evil Twin AP" attacks. These alerts can be used to detect an outside threat but not whether a key reinstallation has occurred. The use of wireless intrusion detection systems and wireless intrusion protection systems (WIDS/WIPS) should be a part of a healthy wireless security practice.

By: Josh Wyatt, Practice Manager, Attack and Penetration