Wi-Fi Security Check-Up
March 23, 2018
Millions of older devices remain vulnerable to a major wireless flaw.
A 13-year-old vulnerability in the widely used Wi-Fi Protected Access II (WPA2) security protocol has left millions of wireless clients vulnerable to snooping.
The vulnerability, which was revealed publicly in mid-October, allows thieves to stand between you and your router and intercept your digital communications. Even with vendors quickly releasing patches, some simple data security practices can help mitigate this and future headaches.
Information security is a never-ending game of cat and mouse: every safeguard that protects 1s and 0s will eventually be beaten, and new safeguards will be needed to replace those that have been hacked. As time goes on, technology becomes more secure, and the flaws that manage to persist through the fixes become more valuable to hackers and more destructive to users.
Both proprietary and open-source code are frequently taken apart and analyzed. When malicious actors discover a weakness, the knowledge usually passes through a few hands before being exploited for profit. Once a vulnerability becomes known and the vendor issues a patch, the information is no longer as valuable; the public release starts the race to find unpatched victims.
The most recent Wi-Fi vulnerability has been dubbed the KRACK attack, short for Key Reinstallation Attack, and it affects any (unpatched) device connected to a Wi-Fi network.
What is a KRACK?
When you connect any device to a secure Wi-Fi network, you must use an authenticator, or access point (AP), most commonly a router. In order to ensure a protected connection, your device (the client) and the authenticator (the router) send each other a series of messages that contain encryption keys and verification codes. This series of communications is the 4-way handshake.
During any secure connection, devices will perform the handshake and negotiate a new encryption key, which is used to protect all data during that connection. The handshake is essentially an agreement that transmissions are safe.
The vulnerability, discovered by Mathy Vanhoef, a network security researcher and applied cryptographer, involves message three of the 4-way handshake. Vanhoef was finishing a paper on the OpenBSD operating system and was browsing code he had likely seen millions of times when he spotted the flaw.
Sometimes, if a connection is unstable, one of the messages in the handshake may be dropped. In that case the AP (your router) resends the third message because it has not received confirmation from your device that the key arrived. Your device may therefore receive message three multiple times, and each time it installs the same encryption key and resets the incremental transmit packet number (the nonce).
Vanhoef was reviewing the function that is called when your device processes message three of the 4-way handshake and installs the pairwise key (encryption code) to the driver.
“Staring at that line of code I thought, ‘Ha. I wonder what happens if that function is called twice.’ At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message three can be retransmitted by the access point, in practice it might indeed be called twice,” writes Vanhoef.
Vanhoef had discovered that a hacker can deliberately trigger the resets that sometimes occur naturally and establish new encryption keys that are known to the hacker. Essentially, the hacker sets up a dummy access point between you and your router and can interfere with any data transmissions. Your information is no longer encrypted.
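To make the mechanism in the preceding paragraphs concrete, here is a toy model of the client side of the handshake. It is an added illustration, not Vanhoef's code or any real Wi-Fi driver: the "cipher" is a hash-derived keystream XORed into each frame (standing in for the real CCMP/GCMP encryption), the pairwise key is a constructed value, and the two frames are constructed sample traffic. The vulnerable client resets its nonce whenever message three is processed; the patched client refuses to reinstall a key it already holds, which is the behaviour the vendor fixes restore. A small detection helper flags any nonce that repeats under one key.

```python
"""Toy model of a WPA2 supplicant handling message 3 of the 4-way handshake.

Constructed illustration (not a real driver). Shows why reinstalling the same
key resets the transmit nonce, why that matters for a stream-style cipher,
and what the patched client does differently.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Deterministic stand-in for a real AEAD keystream: the same key and nonce
    # always yield the same bytes, which is exactly why a nonce must never
    # repeat under one key.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Supplicant state: the installed pairwise key and its transmit nonce."""
    patched: bool
    key: Optional[bytes] = None
    nonce: int = 0
    sent: List[Tuple[int, bytes]] = field(default_factory=list)  # (nonce, ciphertext)

    def on_message3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the pairwise key. A patched
        # client ignores a key it has already installed, so a retransmitted
        # message 3 can no longer reset the nonce.
        if self.patched and self.key == ptk:
            return
        self.key = ptk
        self.nonce = 0  # fresh key, fresh nonce space

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the installed key with the next nonce."""
        assert self.key is not None, "no key installed"
        self.nonce += 1
        frame = (self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext))))
        self.sent.append(frame)
        return frame


def reused_nonces(frames: List[Tuple[int, bytes]]) -> Set[int]:
    """Detection helper: nonces that appear more than once under one key."""
    seen: Set[int] = set()
    dup: Set[int] = set()
    for nonce, _ in frames:
        (dup if nonce in seen else seen).add(nonce)
    return dup


def run_scenario(patched: bool) -> Client:
    """AP sends message 3, client sends a frame, AP retransmits message 3
    (as if message 4 were lost), client sends another frame."""
    ptk = hashlib.sha256(b"constructed pairwise key").digest()  # constructed key
    client = Client(patched=patched)
    client.on_message3(ptk)
    client.send(b"GET /account HTTP/1.1")   # constructed sample frame
    client.on_message3(ptk)                 # retransmission of the same message 3
    client.send(b"Cookie: session=1")       # constructed sample frame
    return client


if __name__ == "__main__":
    for patched in (False, True):
        c = run_scenario(patched)
        print("patched" if patched else "vulnerable",
              "nonces:", [n for n, _ in c.sent],
              "reused:", reused_nonces(c.sent))
```

In the vulnerable run both frames go out under nonce 1, so their keystreams are identical and XORing the two ciphertexts yields the XOR of the two plaintexts; the patched run keeps the nonce counter moving (1, 2) and the detection helper finds nothing.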
Proof of a long-available concept
In a proof-of-concept video of the attack, Vanhoef intercepts traffic by easily overpowering the signal between an Android client and the router, effectively breaking WPA2 encryption. Android and other Linux-based operating systems are especially affected by this bug because it is possible to reset the key on these devices to all zeros. Once the actor is positioned between you and the internet, a number of things can happen, from malware injection to stripping away the HTTPS protection that safeguards your communication.
This flaw does not reveal the password used to log into the network, and it requires someone with nefarious intentions to be physically positioned between the client and the access point, which makes it an impractical attack to scale. Nevertheless, our phones and computers, updated or not, may use several different hotspots throughout the day and might be unlucky enough to be selected for snooping.
Thanks to responsible disclosure by Vanhoef, many attacks can be prevented. Microsoft has already delivered a ninja update, Google released a patch for Android devices on November 7, and Apple included a fix in a late-October update. But older devices that no longer receive developer support, or systems that remain unpatched, will always be vulnerable. Both casual and professional users stand to benefit by catching up on the latest security measures.
Encrypt everything in transit
As an end user, there is not a lot you need to do to stay safe online. The Electronic Frontier Foundation has developed a simple browser plugin called HTTPS Everywhere, which automatically switches you to the secure version of a site. Secure Sockets Layer (SSL) certificates are easy to install and provide an encrypted line of communication between a website and a browser. Any site without SSL should be browsed with discretion.
By funneling your online activities through a third party, you ensure your communications are protected from snooping at every step of the way. Nearby key reinstallers, warrantless monitoring organizations, overzealous internet service providers and other digital eavesdroppers will see only an encrypted mess. It is highly recommended to add this additional layer of encryption with a virtual private network (VPN), which encapsulates all of your internet traffic, not just connections to individual sites.
Several outfits have popped up in the VPN-as-a-service industry to help small businesses and individuals easily gain enhanced security. Private Internet Access is one of the more trusted providers, with strict customer-aligned privacy policies and over 30 clusters globally. Setting up an internal VPN server requires moderate to advanced knowledge, depending on your setup and size, but can be deployed quickly with a widely supported solution like OpenVPN.
Update software and patch firmware
Our digital climate is as turbulent as ever, with attacks coming from foreign states, sophisticated crooks and bored neighbors. Unless you have explicit instructions to run older versions of programs or hardware, make sure your IT policy includes frequent updating. Updating the operating system and browser is always a top priority, but other software should receive the same level of attention.
Investigation into the Equifax data breaches revealed that an unpatched web server was the entry point for exposing sensitive credit information on nearly 146 million Americans. Equifax has since patched the server, but our information is still out there. Anyone who has ever dealt with the American credit system should take steps to freeze their credit immediately to prevent that information from becoming ammunition.
Ninite is a tool that streamlines the process of installing updates to frequently used software such as web browsers, word processors and antivirus programs. Just visit the main page at ninite.com, select which software to install, and a small executable will download. Run the program and the latest version of your selected software will be installed in the background. No need to hunt down downloads around the web or sit through endless prompts; Ninite makes it easy.
Software that is critical to the operation of electronic equipment like motherboards, smartwatches and TVs is called firmware. Unfortunately, consumers are not always eager to update their firmware, which requires moderate technical know-how and effort to track down and apply the latest updates. Even IT departments struggle with this decision, split between “if it isn’t broke don’t fix it” and “it’s fine until it’s not” philosophies.
Audit passwords regularly
People have gotten really good at using bad passwords. The rise in two-factor authentication has helped reduce unauthorized access to our accounts, but has not helped us make better passwords in the first place. Arbitrary requirements like capitals, numbers and special characters can lead to overly complex passwords, which are forgotten almost immediately and can be trivial for computers to brute force. Even worse, passwords reused across services with varying degrees of security are like a series of dominoes lined up, just waiting for the first one to be toppled.
Password managers provide users with much-needed security re-education. Utilities like LastPass (cloud based) and KeePass (locally managed) organize your login credentials and other sensitive information inside a vault. After installing the LastPass browser extension and creating a master passphrase, you can import your saved logins, see how secure your passwords are and replace weak ones. Other features include a simple password generator, local encryption of your secrets to prevent unauthorized remote access and plans for teams that allow zero-knowledge sharing of passwords with co-workers.
The Identity Theft Resource Center tracked a record-breaking 1,093 data breaches in 2016, up 40 percent from the previous year. The myth that hackers are just bored teenagers in their parents’ basement must be dispelled. In reality they are professionals in a global industry dedicated to stealing your information. Aggressive encryption, frequent updates and maximum-strength passwords should be the bare minimum when using technology in any capacity.
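The two paragraphs above argue that a policy-compliant but human-chosen password is far weaker than it looks, and that a manager's generator fixes that. The following added example (not from the page, LastPass or KeePass) quantifies the difference. It draws a password uniformly from the CSPRNG, the way a manager's generator does, and computes entropy for two cases: the generated password, and an assumed model of the typical "complex" human password (a capitalised dictionary word, a couple of digits and one of a handful of common symbols). The dictionary size, digit count, symbol count and guess rate are all assumptions chosen for illustration; the formulas are standard.

```python
"""Entropy of generated versus pattern-based passwords.

Added illustration with assumed parameters; not the page's or any password
manager's code.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG, like a manager's generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly from `choices`."""
    return length * math.log2(choices)


def human_pattern_bits(dictionary_words: int = 20_000,
                       digits: int = 2,
                       common_symbols: int = 10) -> float:
    """Assumed model of a policy-compliant but predictable password:
    Capitalised dictionary word + a few digits + one of the usual symbols.
    The search space is the product of the choices, not alphabet**length,
    so the result is independent of how long the password looks."""
    return math.log2(dictionary_words * 10 ** digits * common_symbols)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the space is tried."""
    return (2 ** bits / 2) / guesses_per_second


def compare(length: int = 16, guesses_per_second: float = 1e10) -> dict:
    """Summarise both cases at an assumed offline guess rate (guesses/second)."""
    gen_bits = entropy_bits(len(ALPHABET), length)
    human_bits = human_pattern_bits()
    return {
        "generated_bits": round(gen_bits, 1),
        "generated_crack_years": average_crack_seconds(gen_bits, guesses_per_second) / 3.15e7,
        "human_pattern_bits": round(human_bits, 1),
        "human_pattern_crack_seconds": average_crack_seconds(human_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("sample generated password:", generate_password())
    for k, v in compare().items():
        print(f"{k}: {v:.3g}")
```

At an assumed 10 billion guesses per second the modelled human pattern (about 24 bits) falls in roughly a millisecond, while a 16-character generated password (about 105 bits) would take longer than the age of the universe, which is the whole case for letting the manager pick.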