Monday morning was not a great time to be an IT admin, with the public
release of a bug that effectively broke WPA2 wireless security.
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Security experts have said the bug is a total breakdown of the WPA2 security
protocol.
Read More
As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for
Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-
Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WEP, is used to protect and secure
communications between everything from our routers, mobile devices, and
Internet of Things (IoT) devices, but there is an issue in the system's four
-way handshake that permits devices with a pre-shared password to join a
network.
According to security researcher and academic Mathy Vanhoef, who discovered
the flaw, threat actors can leverage the vulnerability to decrypt traffic,
hijack connections, perform man-in-the-middle attacks, and eavesdrop on
communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of
the public disclosure to give them time to prepare patches and prevent the
vulnerability from being exploited in the wild -- of which there are no
current reports of this bug being harnessed by cyberattackers.
The bug is present in WPA2's cryptographic nonce and can be utilized to dupe
a connected party into reinstalling a key which is already in use. While
the nonce is meant to prevent replay attacks, in this case, attackers are
then given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug
can have a serious impact on Android 6.0 Marshmallow and newer.
The attack could also be devastating for IoT devices, as vendors often fail
to implement acceptable security standards or update systems in the supply
chain, which has already led to millions of vulnerable and unpatched IoT
devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down,
but it is up to vendors to mitigate the issues this may cause.
In total, ten CVE numbers have been preserved to describe the vulnerability
and its impact, and according to the US Department of Homeland Security (DHS
), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet,
the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology,
Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
Who's on top of the game?
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes
for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in
a software update in a few weeks.
MORE SECURITY NEWS
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Homeland Security orders federal agencies to start encrypting sites, emails
OnePlus dials back data collection after users protest
These fake tax documents spread jRAT malware
Arris: a spokesperson said the company is "committed to the security of our
devices and safeguarding the millions of subscribers who use them," and is "
evaluating" its portfolio. The company did not say when it will release any
patches.
Aruba: Aruba has been quick off the mark with a security advisory and
patches available for download for ArubaOS, Aruba Instant, Clarity Engine
and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to
its "limited attack vector," despite being aware of the issue, will not be
issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are
impacted by KRACK, but says that "multiple Cisco wireless products are
affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi
Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When
issues such as this arise, we put the security of our customers first and
ensure they have the information they need to best protect their networks.
Cisco PSIRT has issued a security advisory to provide relevant detail about
the issue, noting which Cisco products may be affected and subsequently may
require customer attention.
"Fixes are already available for select Cisco products, and we will continue
publishing additional software fixes for affected products as they become
available," the spokesperson said.
In other words, some patches are available, but others are pending the
investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets,
namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards
for a fix.
Fortinet: At the time of writing there was no official advisory, but based
on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer
vulnerable to most of the CVEs linked to the attack, but the latest branch,
5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is "aware of the issue
, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to
the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drives
and patches for affected chipsets, as well as Intel Active Management
Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is a patch is already available and
Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list
can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond
giant isn't taking any chances and has released a security fix available
through automatic updates.
MikroTik: The vendor has already released patches that fix the
vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects
users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and
requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end
users.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and
for WatchGuard Wi-Fi Cloud have become available.
Apple: Apple has patched the issue in iOS, tvOS, watchOS, macOS betas with
fixes due to roll out to consumers soon.
At the time of writing, neither Toshiba and Samsung responded to our
requests for comment. If that changes, we will update the story.
