Wi-Fi security took a severe blow on Monday as Mathy Vanhoef, a Belgian security researcher, released details of a major weakness in the Wi-Fi Protected Access 2 (WPA2) protocol.
The WPA2 security protocol was first made available in 2004 and has since served as the de facto standard for securing wireless networks using data encryption.
The attack, named KRACK for Key Reinstallation Attack, allows an attacker physically within range of a victim to decrypt and read data off the Wi-Fi network. More worrying is the ability for the attacker, in certain situations, to inject data (e.g. ransomware and other malware) and manipulate it.
KRACK is also particularly devastating for Android and Linux users due to the way Wi-Fi is implemented on those platforms, making it trivial to intercept and manipulate the traffic sent by these devices. The researchers posted a demonstration video on their website.
Why is this Wi-Fi security flaw significant?
While previous security issues were the result of weaknesses in the way hardware vendors implemented the protocol, the discovery by Vanhoef exposes a fundamental flaw in the way the protocol was designed. In other words, even a vendor that has implemented the standard perfectly would have inadvertently built the flaw into its product.
A vulnerability in the protocol means that every device is affected and will require vendors to roll out Wi-Fi security patches to every connected device that relies on Wi-Fi. This includes wireless networks, computers and mobile devices. This will take time.
How can organizations protect themselves?
While waiting for vendors to provide security updates to affected equipment, organizations can try to limit their exposure by implementing additional Wi-Fi security measures.
Reduce your Wi-Fi network footprint
Since the hack requires the attacker to be in close proximity and connected to your Wi-Fi access point, you can make sure that access to your Wi-Fi signal is controlled. In many implementations, the organization’s Wi-Fi network signal may be covering a physical area that is much larger than needed. If you are getting a signal from the parking lot, you may be subjecting your network to unnecessary Wi-Fi security risks, as malicious attackers can tap into these signals. Here are some steps you can take to reduce signal leakage:
- Keep the wireless access points away from windows
- Position the wireless access points on the ceiling
- Use the right wireless antennas to keep signals within your building/office
Add an additional encryption layer
To strengthen their Wi-Fi security, organizations may consider implementing an additional layer of encryption on their network traffic using a Virtual Private Network (VPN). Even if the attacker can access the Wi-Fi network, data cannot be siphoned due to the VPN encryption.
As the attack must be executed within range of the Wi-Fi signal, the impact will not be as devastating as that of an online threat that can spread quickly over the internet. However, the sheer number of networked devices that must be updated may mean a prolonged period during which vulnerable devices remain at risk.