On Monday, October 16th, one of the government watch centers (a CERT) warned of several vulnerabilities in Wi-Fi authentication, specifically in the WPA / WPA2 protocols. These flaws, known as KRACK (Key Reinstallation AttaCKs), affect all infrastructures and devices.
Our experts summarize the available information and the measures to be taken.
Analysis: A weakness that allows a “secure” Wi-Fi network to be impersonated
The discovered flaw allows an attacker to transparently (without the user noticing) impersonate an existing “secure” Wi-Fi network that the device already knows. In other words, once a computer or mobile device connects to the impersonated Wi-Fi network, an attacker can:
- Read all unencrypted traffic (applications, web browsing, …) and thus recover passwords and other personal information;
- Attempt further attacks, including stripping encryption from otherwise encrypted communications.
Risk: A flaw that affects all devices
The KRACK flaws affect all infrastructures and devices. Among mobile devices, 100% of the iOS fleet and 50% of the Android fleet are vulnerable. On Android, only the most recent devices are affected: version 6.0 and higher. On iOS the flaw exists but is more complex to exploit: it is not possible to reset the WPA encryption key.
Vendors have already reacted:
- Apple has developed a security patch, currently at the beta 3 stage. It will ship with the iOS 11.1 release, expected soon (the exact date has not yet been communicated). Whether a patch will be deployed for devices that do not support iOS 11 has not been confirmed.
- For Android, Google has integrated its fix into the Android Security Patch to be released on November 6th. Each manufacturer will then have to integrate and deploy this fix to make it available to end users.
- Microsoft has released patches for Windows 7, 8, 8.1 and 10; they must now be applied to PCs.
Data remains secure as long as it transits through an EMM (Enterprise Mobility Management) solution, provided it is one of the “leader” solutions (MobileIron, AirWatch or IBM MaaS360). These solutions add their own layer of encryption to data in transit, which is not the case by default for SOTI, Intune or Google EMM; with those, an additional VPN must be deployed on the device.
Data that does not transit via an EMM or an encrypted VPN can be exposed, especially data from applications or websites, unless those applications or websites guarantee encryption themselves.
Even with an EMM solution, a residual risk remains on “non-tunneled” data.
Measures to be taken
- Turn off Wi-Fi and prefer 3G / 4G connections
- Use “tunneled access” and/or EMM containers
- If you don’t have an EMM solution that encrypts network flows, use a VPN to guarantee encryption
- When connecting to the Internet via Wi-Fi, check that communications with servers remain encrypted with HTTPS (padlock icon at the top left of the browser)
- Implement a Mobile Threat Defense (MTD) solution on mobile devices to immediately detect Man-in-the-Middle (MITM) attacks such as KRACK
NB: for mobile security, EMM solutions are a first line of defense, but they are not enough on their own. Mobile Threat Defense solutions such as Lookout, Zimperium or Wandera are designed to anticipate and detect various forms of attack, particularly MITM attacks.
- Apply the security patches as soon as manufacturers make them available
- Monitor patch deployment in production to identify the residual exposure
- How to check the patch version:
  - On iOS: check that the version has been upgraded to iOS 11.1 in Settings > General > About
  - On Android: check the Android security patch level in Settings > About Phone > Android Security Patch Level (the date must be equal to or later than November 6, 2017)
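To monitor the rollout across a whole fleet rather than one phone at a time, the two version checks above can be run over an inventory export. The script below is an added example and not part of the original advisory or of any EMM product; it assumes a hypothetical inventory record format with `platform`, `os_version` and `security_patch` fields (the sample records are constructed), and it applies exactly the advisory's criteria: iOS 11.1 or later, and an Android security patch level of 2017-11-06 or later. Records whose version field cannot be parsed are reported as "unknown" and counted as exposed, so inventory gaps never hide an unpatched device.

```python
"""Residual-exposure report for the KRACK patch rollout (added example).

Checks applied, as stated in the advisory:
  - iOS: the device must run iOS 11.1 or later.
  - Android: the Android security patch level must be 2017-11-06 or later.
Unparseable version data is reported as "unknown" and treated as exposed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

IOS_FIXED_VERSION = (11, 1)              # iOS release carrying Apple's fix
ANDROID_FIXED_PATCH = date(2017, 11, 6)  # Android Security Patch date carrying Google's fix

# Constructed sample inventory (hypothetical field names, e.g. an EMM console export).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"id": "ios-001", "platform": "iOS", "os_version": "11.1"},
    {"id": "ios-002", "platform": "iOS", "os_version": "11.0.3"},
    {"id": "ios-003", "platform": "iOS", "os_version": "10.3.3"},
    {"id": "and-001", "platform": "Android", "os_version": "8.0", "security_patch": "2017-11-06"},
    {"id": "and-002", "platform": "Android", "os_version": "7.1.1", "security_patch": "2017-10-01"},
    {"id": "and-003", "platform": "Android", "os_version": "7.0", "security_patch": "2017-12-01"},
    {"id": "and-004", "platform": "Android", "os_version": "6.0.1", "security_patch": "n/a"},
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'11.0.3' -> (11, 0, 3); None when the string is not a dotted integer version."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def parse_patch_date(text: str) -> Optional[date]:
    """'2017-11-06' -> date(2017, 11, 6); None when the string is malformed."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def ios_patched(os_version: str) -> Optional[bool]:
    """True when the iOS version is 11.1 or later; None when it cannot be parsed."""
    version = parse_version(os_version)
    if version is None:
        return None
    # Tuple comparison: (11, 0, 3) < (11, 1) and (11, 1, 0) >= (11, 1), as intended.
    return version >= IOS_FIXED_VERSION


def android_patched(security_patch: str) -> Optional[bool]:
    """True when the security patch level is 2017-11-06 or later; None when unparseable."""
    patch_date = parse_patch_date(security_patch)
    if patch_date is None:
        return None
    return patch_date >= ANDROID_FIXED_PATCH


def classify(device: Dict[str, str]) -> str:
    """Return 'patched', 'exposed' or 'unknown' for one inventory record."""
    platform = device.get("platform", "").lower()
    if platform == "ios":
        result = ios_patched(device.get("os_version", ""))
    elif platform == "android":
        result = android_patched(device.get("security_patch", ""))
    else:
        result = None  # platform not covered by the advisory's mobile checks
    if result is None:
        return "unknown"
    return "patched" if result else "exposed"


def exposure_report(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group device ids by status, preserving inventory order within each group."""
    report: Dict[str, List[str]] = {"patched": [], "exposed": [], "unknown": []}
    for device in inventory:
        report[classify(device)].append(device["id"])
    return report


def residual_exposure_ratio(inventory: List[Dict[str, str]]) -> float:
    """Share of the fleet still exposed; unknown devices count as exposed."""
    if not inventory:
        return 0.0
    report = exposure_report(inventory)
    return (len(report["exposed"]) + len(report["unknown"])) / len(inventory)


if __name__ == "__main__":
    report = exposure_report(SAMPLE_INVENTORY)
    for status, ids in report.items():
        print(f"{status:8s} {len(ids):3d}  {', '.join(ids)}")
    print(f"residual exposure: {residual_exposure_ratio(SAMPLE_INVENTORY):.0%}")
```

Treating "unknown" as exposed is deliberate: a device with a blank or malformed patch field is more likely an enrolment or reporting problem than a patched device, and the residual-exposure figure should err on the side of caution until the record is corrected.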