US CERT (Homeland Security’s Computer Emergency Response Team, AKA Computer Emergency Readiness Team) released an alert today for an attack named KRACK, short for Key Reinstallation Attack.
While an article on Ars Technica says that this attack is especially dangerous for Android, Linux and OpenBSD (so much for open source being secure), the Homeland Security alert lists the following vendors: Aruba, Cisco, Espressif, Fortinet, FreeBSD, Google, HostAP, Intel, Juniper, Microchip, Microsoft, OpenBSD, Peplink, Red Hat and Samsung. Those are only the ones for which Homeland Security has information from the vendors. There are probably hundreds of other vendors affected – some of whom either don’t know or don’t care.
The attack is a classic person-in-the-middle (MitM) attack: the attacker inserts traffic into the encrypted stream to force a reset and, at least in some cases, causes certain parameters to be reused, which enables the attacker to decrypt the data stream it is eavesdropping on.
According to some reports, the attack is relatively easy to execute – but you must be in WiFi range. Visiting a Starbucks with your WiFi enabled might not be a great plan for a little while.
The attack does affect Windows, although Microsoft did release a patch on October 10th, so if you have installed the October Security Roll Up release, you should be good.
The other half of the problem is that it does affect WiFi access points, so you will likely need to re-flash the firmware on all of your WiFi access points. The process for doing this will vary from vendor to vendor and even model to model.
Also likely affected are all of your smart light bulbs, smart refrigerators, smart door locks, webcams and every other smart Internet of Things device you own, most of which have not been patched and many of which will never be patched.
Sources are saying that the attack is easy enough to do that someone is bound to build a turnkey solution and distribute it – possibly for free, possibly for money – on the Internet.
The US CERT gave this attack 10 unique vulnerability IDs (CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087 and 13088). That is pretty unusual for one attack.
Ultimately this is a problem with the WPA 2 WiFi PROTOCOL, but luckily it can be patched, although it must be patched on both ends of the connection. Sometimes protocol flaws cannot be easily patched; this one seems to be an exception. The attack works against both WPA 2 PERSONAL and WPA 2 ENTERPRISE.
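To make the “reused parameters” point above concrete, here is an added illustration (not code from the alert or from any vendor) of why a key reinstallation matters and what the patch on the client side changes. It models a Wi-Fi station whose per-frame nonce is a packet number that a key (re)installation resets to zero; in the vulnerable case two frames end up encrypted under the same keystream, so an eavesdropper can XOR the two ciphertexts together and obtain the XOR of the two plaintexts without ever learning the key. The `Station` class, the `run` function, the 16-byte key and the two sample frames are all constructed for this example, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the AES-CTR keystream that WPA2-CCMP actually uses; the property demonstrated (same key and nonce give the same keystream) holds for both.

```python
import hmac
import hashlib
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from (key, nonce).

    Stand-in for the AES-CTR keystream that WPA2-CCMP derives from the
    pairwise key and the 48-bit packet number; HMAC-SHA256 is used here only
    so the example runs on the standard library. The property that matters
    is the same: identical (key, nonce) -> identical keystream.
    """
    out = bytearray()
    for ctr in count():
        out.extend(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of a Wi-Fi client's encryption state (hypothetical, not a real stack)."""

    def __init__(self, key: bytes, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0          # packet number, used as the per-frame nonce
        self.install_key(key)

    def install_key(self, key: bytes) -> None:
        # Called when handshake message 3 arrives; a replayed message 3 calls it again.
        if self.patched and key == self.key:
            return           # fix: a key already in use is never reinstalled, so PN is never reset
        self.key = key
        self.pn = 0          # vulnerable behaviour: (re)installation zeroes the packet number

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def run(patched: bool) -> dict:
    key = b"\x11" * 16                       # constructed pairwise key (PTK stand-in)
    sta = Station(key, patched=patched)
    pt1 = b"session_token=aa"                # constructed sample frames of equal length
    pt2 = b"session_token=bb"

    n1, ct1 = sta.encrypt(pt1)
    sta.install_key(key)                     # simulated replay of handshake message 3
    n2, ct2 = sta.encrypt(pt2)

    return {
        "nonce_reused": n1 == n2,
        # With a reused keystream, ct1 XOR ct2 == pt1 XOR pt2: an eavesdropper learns
        # the relationship between the two plaintexts without knowing the key.
        "leaks_plaintext_xor": xor(ct1, ct2) == xor(pt1, pt2),
    }


if __name__ == "__main__":
    print("vulnerable:", run(patched=False))   # both flags True
    print("patched:   ", run(patched=True))    # both flags False
```

The patched branch is the shape of the client-side fix: refuse to reinstall a key that is already in use, so the packet number keeps counting up and no nonce is repeated. That is also why the access point must be patched too; the model here only covers the station’s half of the connection.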
It also does not matter whether your WiFi is for guests or employees; in either case it may be vulnerable.
Over the next week or two, and as the researchers present a paper on this attack early next month, we will likely get more details.
IT organizations should contact their WiFi vendors right away to understand what it takes to patch the vulnerability. After that, you will need to understand what it will take to patch all your endpoint devices. That is likely a much more complicated problem than reflashing your WiFi access points.
While we have not – yet – seen any attacks using this vulnerability, now that it has been officially released, we likely will. As we saw with WannaCry, many organizations will not install patches – until after they get attacked. Don’t be one of those organizations.