A KRACK in the Wireless Armor

Feb. 13, 2018
A closer look at the newest threat to your customer’s networks, along with strategies to deal with a seemingly constant onslaught of cyber risks

You know the way business is these days – it is all about providing valuable services that make a customer’s life more convenient, safe and secure. That also means trying to help customers on the cybersecurity front, so their information, video streams or other system data is not compromised. Unfortunately, that is getting harder to do in today’s reality, where new threats are emerging almost daily and you have to know how to try to actively prevent, detect and monitor these types of activities. This applies to your customers as well as your own business.

Customers look to systems integrators as their hired expert advisors, relying on them to make design and product recommendations that are the best fit for their organization. So, what should a systems integrator do if the product itself has a defect; or potentially even worse, a security vulnerability or “back door” to gain access?

Case in point: It has been four months since the KRACK wireless vulnerability discovery was made public in October 2017, yet there are still devices currently deployed and in operation which have not yet been updated to address this threat.

Inside the KRACK

KRACK, short for “Key Reinstallation Attacks,” is a weakness discovered by Mathy Vanhoef – a postdoctoral researcher with the iMinds-DistriNet Research Group, KU Leuven University, Leuven, Belgium – in the Wi-Fi network security standard WiFi Protected Access 2 (WPA2).

According to Vanhoef’s report, the flaw – which affected millions if not billions of devices – may enable an attacker to deploy a method that allows them to read information which was previously assumed to be encrypted during wireless transmission. The technique involves “tricking” devices to reinstall an already in-use encryption key, resulting in potentially allowing traffic to be intercepted and decrypted.

Unlike many vulnerabilities discovered in the past, KRACK does not just affect a specific manufacturer or product – the weakness is in the Wi-Fi standard itself and therefore most devices that support WPA2 are at risk. The result may potentially be the theft of sensitive data being transmitted over the wireless network and devices in danger include Wi-Fi routers, smartphones, thermostats, security cameras, speakers and really, any kind of wireless internet-connected device.

The KRACK method is not something that can be accomplished from the other side of the country but rather requires the attacker to be in wireless range and positioned as a Man-in-the-Middle (MitM) – meaning they must have communication range (i.e. physically in the proximity) between the device and the wireless network.

When the vulnerability was made public in October, a handful of manufacturers were already notified of the problem and had solutions in place; others just began to work to solve the discovered weakness. The recommended solution, per Vanhoef’s report, is for each manufacturer to develop and release security updates/patches to their products.

Steps to Take

KRACK can be found on the US-CERT website (the U.S. Computer Emergency Readiness Team, an organization within the Department of Homeland Security that reports on these types of vulnerabilities) is listed as Vulnerability Note VU#228519. A search of the site shows individual manufacturers and products along with their current reported status in regards to resolving the issue.

Even months after the discovery there are still many devices affected without updates available to address KRACK. It is expected to be much longer for many of them to be able to fix the problem. The US-CERT site is quite detailed, but it is still recommended to contact manufacturers directly to get confirmation of affected systems and updates on the status of mitigation.

Manufacturers releasing a security update to KRACK is just the first step. Getting each of these devices patched is another challenge. Many customers who own these products are simply unaware that their products are at risk of compromise from the vulnerability – never mind even thinking about applying an available patch. Many do not monitor device vulnerability reports, and without product registration, there are not many ways for manufacturers to inform consumers.

On the flip side, for more sophisticated organizations, patching may involve delays because, for many, there is often a significant internal change management process required to apply patches and updates to systems to ensure no negative impact to business operations.

The Role of Security Integrators

It is a strange concept to think the security devices that systems integrators deploy to protect customers may end up posing a significant cybersecurity risk. The fact is, vulnerability discoveries in internet of Things (loT) devices is not a trend that is going away any time soon.

With 20 billion loT devices expected to be installed by 2020, according to Gartner Inc., we are in the middle of explosive growth and vastly uncharted territory for cybersecurity and potential threats. So what is the role of the systems integrator?

Organizations today must know what network-enabled devices they have in place, devise methods of collecting security updates when they are available and define procedures in change management and processes for applying updates. Whether this process is done internally or via a third party is up to the organization, but it is an ongoing process that is vital to cybersecurity threat mitigation.

Patching and updating may seem basic, but it is often overlooked, especially with loT devices. Patch management of all devices is an important step in a cybersecurity program. Once vulnerabilities are discovered publicly, it is an informal invitation for attackers. Device firmware and software updates are not all about just getting new features out of a product, but also being able to apply the latest critical security safeguards available.

If you are a systems integrator and your business model involves selling and installing devices without a maintenance program that includes updates and patches, you may be leaving your customers at risk. As a trusted advisor and partner to these customers, it is important to guide them and help them understand the importance of the patch management process. Most will already be able to relate because of widespread coverage of cybersecurity attacks.

There is also an opportunity for integrators to provide cybersecurity as a managed service. Integrators can include device update management and patching for the solutions as well as other related services for a monthly fee or include the offering in the tiered pricing they may already have. A proactive approach to incorporating this as a service may help boost overall company valuation – with the additional revenue streams – and distinguishes integrators from their competitors.

The good news is that many cloud-based solutions often have the ability to push out update and new patch releases without much interaction by the customer or integrator. These systems are traditionally charging a monthly fee, but in most cases the fees include these types of updates. Cloud-based solutions may also be beneficial for smaller integrators who don’t have a help desk or other direct technical support.

Keep Informed

KRACK certainly will not be the last major vulnerability found; in fact, early 2018 has already produced Meltdown and Spectre – security vulnerabilities affecting Intel, AMD and ARM processors, which are found in just about any computing device (learn more at www.securityinfowatch.com/12389895).  

By keeping informed, closely monitoring and taking action when discovered, you can ensure your organization and customers significantly improve their cyber posture. That is an integral part of being the trusted advisor your customer counts on.

Rob Simopoulos is a Co-Founder of Defendify (www.defendify.io), which makes cybersecurity possible for small business through an all-in-one cybersecurity platform. In more than 20 years in the security industry, Simopoulos has been an entrepreneur, receiving numerous awards and recognition. He can be reached at [email protected], 888-508-9221 x 101. 

Sidebar: Wi-Fi Alliance Enhances WPA2

Upcoming WPA3 will feature more robust security

The Wi-Fi Alliance has introduced enhancements and new features for Wi-Fi Protected Access (WPA2) to ensure Wi-Fi certified devices continue to implement state-of-the-art security protections. While not specifically cited, these improvements are speculated to be in direct response to KRACK.

“WPA2 provides reliable security used in billions of Wi-Fi devices every day, and will continue to be deployed in Wi-Fi certified devices for the foreseeable future,” the group said in a press release. “Wi-Fi Alliance will continue enhancing WPA2 to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves.”

Building on the widespread adoption and success of WPA2, Wi-Fi Alliance also announced a suite of features to simplify Wi-Fi security configuration for users and service providers, while enhancing Wi-Fi network security protections.

Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi Certified WPA3. Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and will simplify the process of configuring security for devices that have limited or no display interface. Another feature will strengthen user privacy in open networks through individualized data encryption. Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as in government, defense and industrial markets.

“Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi Certified family of security solutions,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.

To learn more about the new security enhancements, visit www.wi-fi.org

About the Author

Rob Simopoulos

Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for Small Business. In his 20+ years in the security industry, he has received awards and recognition from many trusted industry experts and publications. Email him at [email protected].