Written by Paul Nicholls, Network Technical Manager at DB Systems
It’s been widely reported this week that a major security flaw has been found in the standards that govern the Wi-Fi Protected Access protocol (WPA2). This flaw, discovered by Mathy Vanhoef of the security research group imec-DistriNet, has been termed KRACK (or Key Reinstallation Attacks) and could theoretically allow a sophisticated attacker to read and inject data that should have been encrypted.
With some media outlets reporting this as a disaster of cataclysmic proportions, and virtually every Wi-Fi-capable device susceptible to the attack, does this mean we should all be turning off our Wi-Fi networks to protect ourselves?
The short answer is no, there’s no need to stop using Wi-Fi, but that doesn’t mean KRACK shouldn’t be taken seriously, and there are some precautionary measures we should be taking.
Whilst Vanhoef’s paper, “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”, only became officially public very recently, giving rise to the media attention, the flaw was first discovered in May 2017. CERT, who globally co-ordinate the response to these vulnerabilities, notified wireless vendors, including our preferred vendor and wireless partner Ruckus, about it in August to give them time to respond before the issue was made public.
Ruckus have had time to review the details of the vulnerability, and a recent partner security bulletin outlines how their products can already completely mitigate the attack with some minor configuration changes.
At DB Event Networks we are now ensuring that all our access points are configured with AES encryption rather than the outdated TKIP protocol (this was already our standard practice), as this completely eliminates the risk of malicious data being injected into wireless communications. As a temporary precautionary measure, in larger network deployments where this is applicable, we are also disabling a feature known as Fast BSS Transition (or 802.11r), which is a further source of vulnerability.
These two straightforward configuration changes completely negate the impact of the vulnerability in all our standard wireless networks.
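As an added illustration (not DB Event Networks' or Ruckus's own tooling), the two settings described above can be checked automatically on access points that use hostapd-style configuration files. The function names and the sample configuration are hypothetical; the keys `wpa`, `wpa_pairwise`, `rsn_pairwise` and `wpa_key_mgmt` are hostapd's, and Ruckus equipment is configured differently.

```python
# Added example. SAMPLE_CONF is constructed input, not a real deployment.
SAMPLE_CONF = """\
interface=wlan0
ssid=event-main
wpa=2
wpa_key_mgmt=WPA-PSK FT-PSK
rsn_pairwise=CCMP
bss=wlan0_1
ssid=event-legacy
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
bss=wlan0_2
ssid=event-staff
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
"""

def parse_bss_sections(text):
    """Split hostapd.conf text into one {key: value} dict per BSS."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("interface", "bss"):  # each of these opens a new BSS
            current = {"name": value}
            sections.append(current)
        elif current is not None:
            current[key] = value
    return sections

def audit(text):
    """Return (ssid, finding) pairs for BSSs that allow TKIP or 802.11r."""
    findings = []
    for bss in parse_bss_sections(text):
        ssid = bss.get("ssid", bss["name"])
        mode = int(bss.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
        # hostapd.conf documents TKIP as the wpa_pairwise default; rsn_pairwise falls back to it.
        wpa_pw = bss.get("wpa_pairwise", "TKIP")
        ciphers = set(wpa_pw.split()) if mode & 1 else set()
        if mode & 2:
            ciphers |= set(bss.get("rsn_pairwise", wpa_pw).split())
        if "TKIP" in ciphers:
            findings.append((ssid, "TKIP"))
        if mode and any(m.startswith("FT-") for m in bss.get("wpa_key_mgmt", "").split()):
            findings.append((ssid, "802.11r"))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports the SSID that still offers Fast BSS Transition and the one that still allows TKIP; an SSID with no cipher configured at all is also reported, because it inherits the TKIP default.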
The situation is slightly more complicated when your network includes Mesh or Wi-Fi Point-to-Point topologies. Whilst these are never our preferred designs, sometimes they are necessary, particularly when working with outdoor events. With this equipment it remains theoretically possible for a sophisticated attacker, with specialist equipment, to read data from the network that should have been encrypted. Whilst we await patches to resolve this, we’ll be making use of the standard Ruckus security features that would alert us to this type of attack as it happens, allowing our Wi-SE certified wireless engineers to respond live to any incident on-site, co-ordinated by our cloud-based security monitoring, logging and response management systems.
It’s important to be aware, though, that this information only applies to our enterprise-grade access points. There are additional vulnerabilities that affect other standards used in domestic equipment, such as the routers and access points used in many homes and small businesses. To secure yourself in these environments it’s important to keep all your devices up to date with security updates and contact your ISP for details on how to update your home router.
For more information on how the exploit could affect your event, or to learn more about how secure our wired and wireless networks are, contact one of our DB Event Networks specialists.