WPA2: It Has a Hole in It, but It's Not Broken

18th Oct 2017

Assuming that you haven’t been hiding under a rock for the past two days, we are sure you’ve heard about the WPA2 WiFi vulnerability, dubbed ‘KRACK’. In fact, we’d go as far as to wager that you may be experiencing a degree of ‘information overload’ with every man and his dog chiming in on the topic.

Although we cannot claim to ‘know it all’ at this stage, the media ‘noise’ surrounding KRACK (an acronym for Key Reinstallation Attack), is probably justified given the potential gravity of this particular vulnerability. However, please pay close attention to the ‘potential’ word – as of right now, there isn’t really much cause for panic.

So, let’s breakdown what it actually means.

The technical explanation

Effectively, after authentication, there’s an exchange of keys which are used for encryption. Two sets of keys are passed between a client and the infrastructure; one of which encrypts unicast communications, which is the individual communication between the client and the access point; and the other, which is a group key, encrypts any devices connected to that access point using broadcast frames.

In short, each client has two ‘keys’. One encrypts and decrypts its own traffic and the other encrypts and decrypts what is known as ‘group’ traffic.

So, that takes four ‘frames’ – or stages - to exchange, the Krack vulnerability is that the third frame can be replayed -this leads to a reinstallation of the key.

Still with us?

Quite what that means – in reinstalling the key – is not yet clear. Of course we can speculate, but there is enough of that going on and, at times like these, some level-headedness is, we hope, refreshing.

However, in layman’s terms, the possible implications are that wireless frames can be decrypted VERY easily. If this is the case, then the ‘hype’ surrounding the ‘Krack’ WPA2 vulnerability is more than justified as the time taken to decrypt these frames would be very quick indeed.

Who could be affected?

Most of us will want to be, at the very least, aware of the vulnerability and to follow best security practices – such as updating your WiFi-enabled devices as soon as possible. It is also advisable to update the firmware on your router wherever possible.

*In fact, updating client devices such as laptops, tablets, HHTs and smartphones is just as (if not more) critical as updating network infrastructure hardware such as wireless access points. 

As far as domestic networks are concerned, normal secure usage should continue. Articles advocating switching off WiFi entirely and upgrading data plans are way off-the-mark and, in our opinion, are downright irresponsible.

For private WiFi networks the message is a simple one: only connect to websites with SSL because that’s your protection at the application layer. In other words, it doesn’t matter what happens ‘in-between’, either endpoint, up-the-stack to the application – your browser for instance – is protected from browser to server.

So, as long as you have that padlock (in the search bar of your browser) or you’re already using a VPN, then you can be sure that this portion is encrypted.

However, any non-encrypted traffic passing through the stack on your computer and exiting via the WiFi could be captured.

For businesses actively seeking to defend themselves against a direct attack, will want to proactively mitigate any risks presented by WPA2 vulnerabilities. Most major technology infrastructure manufacturers have released guides to the relevant updates.

Is there anything unique about the WPA2 Krack Hack?

Other than the ‘shock factor’, there is very little in this vulnerability that is particularly complex or technically ground-breaking.

In the past, any vulnerability of secure protocol methods have been ‘theoretical’, which means they would eventually become practical, but there has historically been a degree of time in-between the two.

In the case of Krack, the vulnerability was found and it was broken in very quick succession – this is probably unprecedented.

So, why all the fuss?

The really interesting thing is that it looks like changes to how the standard is implemented can protect against this…however, if this is not the case – big ‘if’ - then we really have nothing to fall back on.

What has the WPA2 vulnerability got to do with antibiotics?

In order to understand the Krack hack, a look into the world of antibiotics might help. Our resistance to certain strains of antibiotics occurs naturally, increased usage can lead to more resistance, rendering the medicine less effective. For this reason we have to control dosages and the release of new strains.

In much the same way, the security community needs a fall back. Years ago, when we found that the WEP (Wired Equivalent Privacy) standard was weak, we had the original WPA (WiFi Protected Access) to fall back on, knowing that, should vulnerabilities be discovered, the WPA2 standard would fill the void.

There is no WPA3 - as far as we know.

Although this may well be a moot point, as it is not clear that anything is actually structurally wrong with the WPA2 standard, the current vulnerability is down to the way in which vendors have deployed it. 

Worst case scenario?

If an effective fix cannot be found for WPA2 then an alternative method of authentication and encryption will have to be developed – no small task indeed!

That said, there is a great deal of optimism that this problem is fixable. The only real worry as we move forward is the potentially large number of old devices creating weaknesses. Complete recovery from this vulnerability relies on all outdated firmware being either updated or replaced.

Of course, one would have to trust that the majority of businesses will make this a priority but the same cannot necessarily be said for the public en masse.

The long and the short of it

So, although we are trying to approach this carefully and from a logical and measured foundation, there is no getting away from the fact that a lot of the discourse surrounding vulnerabilities in WPA2 do sounds somewhat negative.

Translating all of this into the real world:

Do businesses need to be concerned? Yes, if they have something to protect and they should take action to protect their data and their customers.

Do people at home need to be concerned? No, we wouldn’t be worried. In order for the Krack vulnerability to be a problem you still have to come under a directed attack.

What Next?

For advice on WPA2 'KRACK', securing your business network and associated systems, or the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security, please contact Ensign Communications for a chat with our technical team.