It’s been a fairly exciting several days for wireless networking professionals, network security staff, and end users far and wide, all trying to digest the news about the KRACK Wi-Fi vulnerability.
Standing for Key Reinstallation Attack, KRACK is either an apocalyptic nightmare about to come trueor a small-potatoes issue—it all depends on what you read.
Here’s my own take on KRACK, and a bit on overall wireless security, too.
Simply put, the KRACK exploit takes somewhat skilled hands and close proximity to the target network to attempt, and then its depends on how well both the WLAN gear and the client devices on that network have been patched.
If the attack is successful, other network defenses (or lack of) will determine what the bad guys/gals can actually get from it. Large networks with structured device management programs and robust security mechanisms maylook at KRACK and say “meh.”
But the rest of us should be aware of what’s at stake, as eventually KRACK will likely be turned into a packaged attack that even beginner hackers will be able to do.
Rather than rehash the same details of the exploit that are all over the internet, let’s focus on what we can and should do in response, and what we can learn from the situation. If you have no real familiarity with the exploit, there’s a great write-up here.
First and foremost, the message is patch everything. It’s easy to say, but often harder to do. If it’s a wireless router or access point, check with the manufacturer to see if they have or will put out an update specifically for KRACK.
If it’s really old gear, or the vendor has left the market, you either live with the risk or make plans to replace it (again, knowing an attacker needs to get close enough to “hear” and to interact with the network). All of this means administrative burden, downtime, and possible problems if the patching doesn’t go well—or living with the risk of doing nothing.
For client devices, there’s no excuse for mainstream clients not to be patched.
- Windows and OS X, if patched recently, should be in good shape.
- It may take well into November for Apple and Android to release updates that will address the remaining OS versions that aren’t yet fixable. (It’s a mixed bag right now between what’s yet to be released, what’s “fixed, but in beta”, etc).
- Linux will be the wild card as many older versions may likely never be updated.
And what about all those “other” devices—like wireless door locks, cameras, streaming gadgets, and so on? The story doesn’t change: Patch them if you can.
If you can’t, make sure the wireless network they connect to is patched. If you know you simply can’t replace a device, and the device can’t be patched, start thinking about how you can otherwise isolate it so if it’s compromised it can’t lead to bigger hacks deeper inside the network.
Wireless security isn’t the only security
The KRACK exploit reminds us that groups like the IEEE and Wi-Fi Alliance are not absolute in their standards and guidelines. Sometimes they leave the “how” of certain functions up to individual device makers, and other times they just can’t see into the future to predict how sophisticated attacks using better hacking tools might cause trouble in the years to come.
Its incumbent on us, as the network folks, to make sure that wireless security isn’t the only defense in use. Secure applications, VPN, network segmentation, frequent password changes, two-factor authentication, and good physical security always help, and KRACK may be the motivator many environments need to get serious about their security.
At the same time, security tends to be at odds with ease-of-use, and we as human beings often prefer the path of least resistance and so tend to get sloppy again even after being jolted into action from situations like KRACK.
Whatever your own reality, make sure you don’t let the KRACK hysteria fade without at least getting patched far and wide, and assessing what could happen if unpatchable devices are compromised in their current places on the network.
Also be sure to leverage the current buzz to educate your staff, managers, and customers as best you can. As Winston Churchill said, never let a good crisis go to waste.