Monday morning was not a great time to be an IT admin, with the public release of a bug that effectively broke WPA2 wireless security.
As reported previously by ZDNet, the bug, dubbed “KRACK” — which stands for Key Reinstallation Attack — is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WEP, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system’s four-way handshake that permits devices with a pre-shared password to join a network.
According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild — of which there are no current reports of this bug being harnessed by cyberattackers.
The bug is present in WPA2’s cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer.
The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.
In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
Who’s on top of the game?
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
Arris: a spokesperson said the company is “committed to the security of our devices and safeguarding the millions of subscribers who use them,” and is “evaluating” its portfolio. The company did not say when it will release any patches.
AVM: This company may not be taking the issue seriously enough, as due to its “limited attack vector,” despite being aware of the issue, will not be issuing security fixes “unless necessary.”
Update: AVM has now released a statement on the issue:
“FRITZ!Boxes on broadband connections are currently not affected by the wireless security breach known as “Krack,” as such access points do not use the affected 802.11r standard. A possible, theoretical Krack attack targets the wireless connection of a client connecting to the wireless LAN. […]
AVM became aware of Krack on 16 October. Unfortunately, the responsible disclosure policy that applies in such cases was disregarded by the discoverers of the leak. After further investigation and tests, AVM will provide updates for its wireless repeaters.”
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that “multiple Cisco wireless products are affected by these vulnerabilities.”
“Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards,” a Cisco spokesperson told ZDNet. “When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
“Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available,” the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
eero: eeroOS version 3.5 includes a patch to protect against KRACK and is available as an in-app update.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet’s support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
LineageOS: The Android operating system patched the bug in 14.1 builds, the developers confirmed in a tweet.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn’t taking any chances and has released a security fix available through automatic updates.
Microchip: The company has a list of patches available.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are available.
Toshiba: A Toshiba spokesperson told ZDNet: “We are currently investigating the effect of WPA2 vulnerability detail. We are reviewing our countermeasures and will clarify them once they become available.”
Ubiquiti Networks: A new firmware release, version 220.127.116.1137, protects users against the attack.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud have become available.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users.
At the time of writing, Samsung has not responded to our requests for comment. If that changes, we will update the story.
Post your thoughts below in the comment section.