The NCSC is currently investigating the impact of the vulnerability in WPA2 Wi-Fi networks known as 'Krack', which was first published on 16 October 2017. This page contains guidance for enterprise administrators, small businesses and home users in relation to the recently published vulnerability in their Wi-Fi networks. This page will be updated as more information becomes available.
What is Krack?
Most Wi-Fi networks are configured to encrypt traffic between client devices and access points, so that someone outside the network cannot read or interfere with communications on the network. WPA2 is one protocol that can be used for this purpose. Krack is a vulnerability in WPA2 that could allow an attacker to read the encrypted network traffic, and in some cases, send traffic back to the network.
Current information suggests that:
- An attacker would have to be physically close to the target. This makes Krack a less likely and less pervasive attack than recent ransomware such as WannaCry.
- The vulnerability affects all types of wireless devices that use WPA2 Wi-Fi.
- The vulnerability affects both WPA2 Personal (as commonly seen on home networks and in small businesses) and WPA2 Enterprise profiles.
- A Wi-Fi network protected by WPA2 will still be more secure than a Wi-Fi network protected by WEP or WPA, even if the WPA2 Wi-Fi network is still vulnerable to Krack.
- A Wi-Fi private network protected by WPA2 will be more secure than a public Wi-Fi service such as is found in a coffee shop or hotel.
- An attacker cannot derive the WPA2 encryption key (or password) and hence cannot connect malicious devices directly to the Wi-Fi network. There is no need to change Wi-Fi passwords or other enterprise credentials in response to the Krack vulnerability.
Online services such as email, internet banking and shopping sites already use HTTPS to encrypt data over the Internet before it leaves your device. Similarly, many enterprises use a Virtual Private Network (VPN) to encrypt all data between work devices and enterprise services. Krack does not compromise connections to secure services that are encrypted using these technologies.
What can I do to protect myself and my organisation?
The NCSC recommend the following.
1. Encrypt sensitive data between your device and the web (or network services)
Sensitive data sent from your device to online services should be encrypted so that it is protected as it travels across the public Internet. Encrypted data will also be protected from an attacker exploiting Krack on a wireless network. You should take similarly effective precautions with sensitive data that stays inside a private network, such as on connections to a file share, email server or HR web application.
There are 2 common encryption technologies that can protect data as it flows over the Internet or across a weakened Wi-Fi network:
- HTTPS Connections to individual web services can be protected with HTTPS, which the user will see as a padlock in their web browser. This is prevalent for Internet services that require the user to log on, or submit credit card details, or give access to personal data. It is also becoming more common for web services inside the enterprise.
- VPN Enterprises and small businesses can use a well-configured VPN to encrypt some or all traffic flowing between devices and enterprise services, as described in the NCSC End User Devices guidance.
2. Apply security patches
If you are already automatically and aggressively applying security updates to all your devices, you will be protected as soon as the vendor releases an update (many vendors have already released patches for end user devices and wireless networking equipment as described in the CERT advisory). Otherwise you should urgently apply patches.
- Prioritise deploying patches on the devices that use wireless networks, such as laptops, smartphones and Internet-connected 'smart devices' (often described as IoT). Applying patches will protect a device and the data it sends and receives over Wi-Fi, even if it connects to a wireless network that is still vulnerable to Krack. WPA2 Enterprise networks configured to use fast roaming networks are an exception to this. The NCSC recommends that security updates are applied regularly and automatically to devices.
- Deploy patches on your wireless network infrastructure such as wireless routers and wireless access points, as this will protect traffic from all devices while they are connected to that network. Wireless routers issued by major ISPs may automatically update once a patch becomes available. However, many Wi-Fi network devices (including some of those used by enterprises and small business) will require a manual update.
The Wi-Fi Alliance (a group of companies responsible for maintaining the Wi-Fi specification and ecosystem) has stated that it is working with its members to integrate and test security patches that will fix the underlying vulnerability, and is likely to be updating the Wi-Fi standard that new devices will follow.
3. Monitor enterprise wireless networks
Organisations that already have a wireless intrusion detection system (WIDS) may be able to signature an attacker attempting to use the Krack vulnerability. You should refer to your vendor to determine whether you are able to deploy features or signatures that help detect these attacks.
4. Check the configuration of enterprise wireless access points
Enterprise wireless access points and Wi-Fi routers may be configured to use the older TKIP standard. As well as being a deprecated standard, it makes it easier for an attacker using Krack to inject rogue or malicious packets into the wireless network. If your wireless infrastructure supports it, you should update its configuration to use AES-CCMP instead.
Wireless devices configured to use WPA2 Enterprise mode may be susceptible to attack even after clients have been patched if they have certain features enabled. You should temporarily disable client functionality on devices that act as Wi-Fi repeaters and disable 802.11r (fast roaming). Once the wireless access points have been patched, these features are safe to turn on again.
Wireless devices configured to use AES-GCMP may be susceptible to an attacker injecting rogue or malicious packets into the wireless network. You should temporarily disable GCMP mode on your Wi-Fi access point or router, configuring it instead to CCMP mode. Once these devices have been patched, AES-GCMP is safe to turn on again.
Where can I find more information?