Brown’s Bytes – What’s the KRACK?
Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
20th October 2017
It’s been an interesting week if you are in the Wi-Fi business, like Mobliciti. Monday was pretty much written off for me thanks to the publication of the KRACK Attack Wi-Fi Vulnerability with WPA2. For a little while it seemed like the sky was falling in as everyone scrambled to understand what this now meant.
WPA2 has been the mainstay of Wi-Fi security now for over a decade. Over that time, it’s become a standard part of every Access Point and crucially every device that connects to the Wireless Network. Suffice to say, if WPA2 is compromised then we’re all in a scary place. Initially there were the usual panicked reports coming out to disable Wi-Fi on your device, put a tin foil hat on, etc. Fortunately, as the week progressed things calmed down a lot as people started to understand the threat better and come to terms with the actual risks associated with this new attack. It’s still not a great picture, but it has at least now come down to manageable risk that can be mitigated with a layered approach to Wireless security.
The problem now is simply going to be that this is a risk that will need to be managed for years (arguably decades) to come.
Why so long?
Enterprise Access Point vendors have scrambled to produce patches on the infrastructure side. Kudos to Microsoft, for providing patches to Windows 7 and up already. Apple has patches lined up in the next betas as well. Android (the OS used to prove the hack and the most vulnerable at present) has a patch being released by Google on the 6th of November.
So that’s sorted then. Err… nope!
The problem is that WPA2 has worked so well, for so long. This means there are an awful lot of devices out there that need patching.
Combine this with the fact that patched/unpatched devices will continue to talk to each other quite happily (they have to as it’s a still WPA2 standard) and you’ve got a massive patching headache and no easy way to control it.
For example, we’ve talked before about Android patching… realistically it will be months before any sizeable portion of the total estate is patched and it will never be 100%. Same goes for older versions of iOS, MacOS and Windows.
Oh, and Linux…
This is where it get’s even more complex. Linux is all over the place now and while it has patches available, they will be updated to a fraction of the overall base – Linux is embedded in all kinds of wireless devices that will likely never be patched.
So, in summary.
You do need to patch your devices where you can, but this is just the start of looking at the overall security of the network. This is something that goes way beyond the scope of (an already long) byte, so please get in touch if you need help to understand this better.