<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Wi-Fi Security not all its KRACK’d up to be…

Posted: 25 October 2017

Wi Fi Security KRACK Attack WPA2 Vulnerability

Back in August 2001 a cryptanalysis of Wired Equivalent Privacy (WEP) was published which outlined a passive attack which could be used to recover the RC4 keys used to encrypt wireless traffic. Fast forward to October 2017 and its replacement WPA2 has had the same treatment in the form of the KRACK Attack.

What's the KRACK?

Discovered by Mathy Vanhoef and KU Leuven, the Key Reinstallation AttaCK (KRACK) focuses on the 4-way handshake that is executed when a client device connects to a wireless network and is used to negotiate a new encryption key. The exploit manipulates the process by replaying the 3rd message of the 4-way handshake which in turn forces the reinstallation of an already in use encryption key. As a result the device resets the incremental transmit packet and receives packet numbers (nonce and replay counter) which are used to ensure the encryption key is only used once. By forcing nonce reuse the protocol can be attacked and the attacker can replay, decrypt and potentially forge packets.

For more information, please see this in depth overview and analysis of the KRACK exploit on the official KRACK website and this insight in to the mechanics of the 4-way handshake from Mojo Networks CISO/VP Hemant Chaskar.

Is Wi-Fi security broken?

Yes and no - obviously there are some inherent vulnerabilities in the way the protocol is implemented which need to be addressed. Short term this can be rectified with patches to the client devices and/or the access points; long term though, the way in which wireless security is achieved needs to be addressed.

Keep in mind that for this vulnerability to be exploited, an adversary needs to achieve the following:

  • Be within range of a client device at the same time as the 4-way handshake is occurring.
  • Spoof the client device MAC address.
  • Have a device with dual wireless network cards setup as a MITM (Man In The Middle).

Although tough, the above steps aren’t beyond the realms of possibility for a determined individual. If we take the average wireless network deployment within an enterprise for example, most don’t have a dedicated WIDS/WIPS (Wireless Intrusion Detection/ Prevention Solution) in place which would be required to detect these particular attack vectors (MITM or MAC spoofing). At best they rely on the in-built heuristics based rouge detection systems that are part of the existing wireless solutions functionality. These systems carry out what’s known as background scanning to detect threats but the problem with this is that it isn’t full time monitoring, it is usually only scanning one frequency band at a time in between serving wireless clients and generally won’t detect a MITM or MAC spoofing based attacks. As such this leaves a rather large window of opportunity for an attacker to exploit.

If we then factor in the ever increasing BYOD culture that can be found in around 75% of organisations these days, that window of opportunity grows as there is an increased chance that there will be client devices on the network which haven’t been patched due to lack of user awareness or patch availability from the relevant vendor. Add all of this together and it becomes very clear that full time WIDS/WIPS is a must in the modern day wireless enabled enterprise environment.

Air defence is what we need!

WIDS/WIPS solutions are equipped with counter measures to neutralise exactly these types of attack vector with little effort. For example, MAC spoofing and MITM based attacks are addressed with ease and require little more than a check box being ticked to mitigate them in solutions such as the Mojo Networks WIPS offering.  Once these functions have been enabled, should an instance of MAC spoofing or an MITM attack be detected by the full time sensors, they will automatically defend the network and quarantine the offending devices whilst alerting the network security team of the incident. In the case of the Mojo Networks offering, also giving location details based on the Rf signature of the devices involved.

Based on this functionality what we have in the case of the WPA2 KRACK vulnerability is zero day protection with no need to rely on patching of devices before the network can be deemed secure again.

For more information on the Mojo Networks WIPS solution feel free to contact the Infinigate Mojo Networks team to discuss your requirements and get a tailored WIPS solution that best fits your needs.

Mojo Networks Cloud Security Wireless Wi-Fi Security

Dion Phillips Senior Technical Consultant, Infinigate UK
Posted by: Dion Phillips
Senior Technical Consultant, Infinigate UK


Share via:


Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts