UPDATED 23:52 EST / OCTOBER 16 2017

The KRACK Wi-Fi security vulnerability: Here’s what you need to know

As news of the severe KRACK vulnerability in the technology underpinning the security of Wi-Fi networks continues to make global headlines, more is coming to light about its implications and what can be done to protect against it.

First, it’s important to know that this is a huge vulnerability. Steve Moore, vice president and chief security strategist at Exabeam Inc., explained to SiliconANGLE that the first problem with KRACK is its scale: “From smartphones to IoT devices, all clients that use Wi-Fi will need to be updated as this is a core protocol level flaw in WPA2 and isn’t vendor specific,” he said.

The second problem, Moore said: The possible impact “could mean a compromise of the connected network or device via connection hijacking and possible malicious content injection into sites being visited by a victim – even decryption of some information.” As a result, he believes, there will “certainly be an uptick in war-driving by both penetration testing and adversaries for a while, even before the exploits make their way into tools like Metasploit.”

Rapid7 Inc. Chief Security Data Scientist Bob Rudis added that everyone using Wi-Fi is vulnerable because “the protocol-level weakness impacts both WPA1 and WPA2 protocols, those used to secure both home and enterprise Wi-Fi networks. Attackers only need to be within signal range of your Wi-Fi networks. No authentication is required.”

Along with applying patches if and when available, Rudis recommended that “all users should use a virtual private network service when connected via public Wi-Fi or fully ensure they only connect to websites over HTTPS,” the secure version of the protocol for sending data between a browser and a website. “Organizations should consider re-architecting their Wi-Fi networks to consider them as ‘untrusted zones’ and always require a VPN into the main organizational network,” he added.

Rich Campagna, chief executive officer at Bitglass Inc., confirmed that public Wi-Fi hotspots present a particular risk, saying that “there’s no stopping users from connecting to public Wi-Fi hotspots,” so it’s up to businesses to add their own protection mechanisms.

“This vulnerability speaks to the importance of ensuring that all connections from endpoints leverage strong encryption, such as the latest versions of Transport Layer Security,” he said. “Intermediary proxies can ensure that regardless of what the application supports, all connections from end-user devices leverage strong encryption.”

Although the Wi-Fi vulnerability itself is gaining the most attention, others believe that KRACK highlights the need to better secure applications within devices that connect to Wi-Fi.

“This creates another man-in-the-middle opportunity,” said Arxan Technologies Inc. Vice President Rusty Carter, referring to a situation in which an attacker gains control of communications between two parties. “Between device vulnerabilities, OS issues, etc., it’s important that app developers start to not rely on the network to manage security, and take matters into their own hands.”

App security can be “addressed through a primary level of data encryption before transit managed within the app, so that data is protected all the way to the datacenter — and then the app and keys are defended with app protection,” Carter added. “This way, if the network is compromised through something like this vulnerability, the data and users’ information is still protected.”

Photo: Shaunleeyh/Wikimedia Commons
