KRACK vs Secure WiFi: What your clients need to know
Once again network security is in the headlines, this time with the announcement that WPA2 (WiFi Protected Access), WiFi's most popular encryption standard, has been cracked and that WiFi networks around the world are at risk.
This latest vulnerability, dubbed KRACK (for Key Reinstallation AttaCK), tricks client devices, such as laptops or smart phones, into allowing hackers to read information passing between the device and a wireless access point. This vulnerability can potentially allow a hacker to spy on your client's data as well as gain access to unsecured devices sharing the same WiFi network.
So what should you be telling your clients, especially the ones that have come to rely on secure WiFi as a key productivity tool for mobile users?
"The first thing to understand is that KRACK hackers have to be physically near both the client and access point," says Swapneil Diwaan, Fortinet Business Manager at Ingram Micro, New Zealand's largest and most experienced distributor of Fortinet's cyber security solutions. "This means that unless your clients have adversaries running around their facility surreptitiously tapping away on their laptops, their WiFi network would not be at risk.
Public WiFi, on the other hand, is more problematic. "WPA2 has been broken," continues Diwaan, "but this shouldn't affect WiFi connections taking advantage of additional security enhancements such as SSL (Secure Socket Layer) encryption or VPN (virtual private network) access. Mobile users should be using one or both of these security protocols as a rule whenever they access your client's enterprise network from public WiFi.
In the short term, if your clients have been rigorous in keeping their firmware up-to-date and patched and users follow industry standard security best practices, they have little to worry about. In the medium term, the vendor community will be issuing up-to-date patches that address this particular vulnerability.
Ensure that your clients know which of their WiFi components are affected and when they can expect remediation. And then follow-up to ensure that they have made the necessary adjustments.
KRACK de-mystifiedEssentially, KRACK breaks the WPA2 protocol by forcing 'nonce reuse' in encryption algorithms used by Wi-Fi. "In cryptography," explains James Meuli, Solution Architect and NSE4 Trainer at Ingram Micro's Fortinet Business Unit, "a nonce is an arbitrary number that should only be used once. It is often a random or pseudo-random number issued in the public key component of an authentication protocol to ensure that old communications cannot be reused.
"As it turns out, the random numbers used on WPA2 aren't quite random enough, allowing the nonce to be reused, and the protocol to be broken. Once the nonce has been exposed, the WiFi network is open to prying eyes. The impact of exploiting this vulnerability can include decryption, packet replay, TCP connection hijacking, HTTP content injection and other nefarious activities.
SAM, 802.11r and mesh mode in the cross-hairs"KRACK attacks target the client," continues Meuli, "not the access point or the controller. However, in some uncommon modes and configurations, an access point will transmit the handshake packets like a client, so there are steps that administrators should take to further secure their WiFi networks. For instance, the 802.11r fast roaming protocol is particularly susceptible to KRACKing. As are controller-managed APs running SAM (Security Assurance Module) or running under Mesh mode. Turning off 802.11r, SAM and Mesh mode will close most security vulnerabilities and protect WiFi transmissions until patches are released.
Is secure WiFi an oxymoron?"No," says Diwaan emphatically. "Security is a moving target. Adversaries uncover vulnerabilities, vendors issue patches, adversaries try again and vendors reply in kind. These battles happen every second of every day and often take place in cyberspace unseen and un-noticed until a particularly nasty outbreak occurs. But if your clients are diligent in accessing the corporate network via HTTPS and VPNs when using public WiFi, keep their patches up-to-date and take remedial action when necessary (such as shutting down 802.11r), they can take advantage of the benefits of mobile computing and WiFi with confidence.
If you have any questions about any of the above, especially 802.11r, SAM or Mesh mode, please do not hesitate to contact the Fortinet team at Ingram Micro. They can help you understand the technicalities so that you can reassure your clients that KRACK, while potentially dangerous, doesn't necessarily open their networks to compromise and that they can operate in a safe and secure manner.
For further information, please contact:James Meuli, Solution Architect / NSE4 Trainer Email: james.meuli@ingrammicro.com M: 027 552 0167
Rod Christie, Solution Architect Email: rod.christie@ingrammicro.com M: 027 568 0053
Jeffrey Whale, Business Development Manager Email: jeffrey.whale@ingrammicro.com M: 027 543 5927
Gerrard Kennedy, Business Development Manager Email: gerrard.kennedy@ingrammicro.com M: 027 543 8212
Swapneil Diwaan, Business Manager Email: swapneil.diwaan@ingrammicro.com M: 021 240 1240