NENA Bulletin on Wi-Fi Vulnerability Issue
Tuesday, October 17, 2017
Posted by: Chris Nussman
Bottom line up front:
ALL Wi-Fi access points, routers, and devices (computers, phones, etc.) contain a major vulnerability that can allow an attacker to decrypt traffic. Until patches are in place, all Wi-Fi networks should be treated as untrusted, and internal resources should require separate authentication and encryption for access. Other mitigations are also recommended.
What's going on:
On Sunday, October 15th social media reports circulated indicating that disclosure of a major Wi-Fi vulnerability was forthcoming. Subsequently, security researchers, government responders, and major Wi-Fi manufacturers provided a coordinated disclosure that confirmed the extent and severity of the flaw.
Everyone. Everything. No, really. This flaw affects essentially every Wi-Fi-enabled router, access point, phone, computer, IoT device etc., that uses WiFi Protected Access (WPA) for security. This includes both WPA and WPA2, and both the Pre-Shared Key (PSK) and Enterprise modes, regardless of the cipher Suite (TKIP / AES) used.
What this flaw allows:
Hackers exploiting this flaw can decrypt all “secure” traffic sent over the air, delay or block the flow of traffic, intercept traffic via a “Man-in-the-Middle” approach, and inject arbitrary, malicious data and code into users’ data flows. These attacks require varying levels of proximity between the attacker, victim, and AP.
How PSAPs should respond:
Major manufacturers have been aware of this flaw since mid-July, and are working to issue patches. However, most estimate that patches are at least a few weeks away. For many older devices, patches may never be developed. The following are mitigation’s that PSAPs can implement now, to reduce the likelihood of compromise:
1. Conduct an in-depth site survey to identify all Wi-Fi Access Points and endpoints. Look for both known and unknown/unexpected devices, and survey both the 2.4 and 5GHz bands, regardless of how your network is supposed to be configured.
2. For each manufacturer’s product discovered in the site survey, carefully monitor the manufacturer’s website for patch availability. If patches are not forthcoming, begin planning to replace that device.
3. Apply all manufacturer-recommended patches as soon as possible.
4. Disable “fast roaming” or 802.11r on all multi-AP networks.
5. Disable client and repeater functionality in all enterprise APs. Consider replacing any repeaters or “extenders” with wired APs.
6. Decrease AP transmit power to the absolute minimum required to cover the area where Wi-Fi is needed.
7. Treat Wi-Fi-based network endpoints (phones, tablets, computers, printers, etc.) as UN-trusted, when they connect via Wi-Fi: Segment Wi-Fi clients onto a non-routable VLAN; require strong authentication over a separately-encrypted connection for access to internal resources such as file, CAD, and RMS servers; and consider requiring endpoints to connect via VPN, even when using internal Wi-Fi networks.
8. Raise awareness of Wi-Fi Security Issues with all users, and recommend they update the firmware on all home routers, access points, phones, tablets, computers, and IoT devices.
9. Consider installing security-enhancing browser extensions such as HTTPS Everywhere. This helps to ensure that encryption-enabled sites are accessed securely, reducing reliance on Wi-Fi security.
10. Restrict especially-sensitive traffic to wired networks, only.
How to learn more:
For technical details, check out www.krackattacks.com.
Contact NENA's Director of Government Affairs & Cybersecurity Issues, Trey Forgety.