Here are some guidelines from national digital security agency CyberSecurity Malaysia and digital security experts for IT admins and internet users on how to stay safe from the latest exploit - KRACK.
Krack - which stands for Key Reinstallation Attacks - is the name of a major vulnerability in Wi-Fi routers' WPA2 security protocol uncovered recently by researcher Mathy Vanhoef.
WPA2, which replaced the WEP protocol in about 2003, was created by the Wi-Fi Alliance to prevent eavesdropping on which websites your computer is trying to access.
The flaw in WPA2 will allow "man-in-the-middle" eavesdropping attacks, as well as possible ransomware and other malicious code injections, Vanhoef has said in various media reports. Krack may allow attackers to steal credit card numbers, passwords, chat messages, emails, photos, and so forth.
Dato' Dr. Haji Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia, confirmed to Computerworld Malaysia (over the weekend of 22 October) that the globally used Wi-Fi Protected Access 2 (WPA2) Wi-Fi security protocol has been broken. "This standard is the most commonly used security standard by Wi-Fi networks around the world."
"This attack abuses design or implementation flaws in cryptographic protocols and resets the key's associated parameters such as transmit nonce and receive replay counters," explained Dr Amirudin. "Several types of cryptographic Wi-Fi handshakes are affected by the attack."
As IT administrators know, WPA2 puts devices through a four-way handshake, and Krack forces part three of that handshake to be resent repeatedly, prompting the client to reinstall the key it is already using.
While it's a clever attack on a protocol, Krack appears to require attackers be close enough to a router's signal to connect to it, like any normal sign-in to a Wi-Fi network. Also, Krack is "highly effective" against devices running Android and Linux operating systems.
Independent threat intelligence specialist Azril Azam told Computerworld Malaysia: "Krack has been one of the most discussed security topics in 2017. The attack occurs at a deep, very low level and is quite technical. The two researchers from Belgium who discovered the protocol weaknesses have set up a website for general understanding (krackattacks.com)."
"This exploit aims to trick a 'victim' Wi-Fi (802.11) supported device into reinstalling an already used cryptographic key, which is used to encrypt and decrypt network traffic. The attacker achieves this by manipulating and replaying/retransmitting cryptographic handshake messages. Krack is not a cryptographic algorithm attack - it only targets the 4-Way-Handshake (4WH) in the WPA2 protocol itself," he said.
Azril explained that although Krack mainly targets the WPA2 4WH, since other protocols in the Wi-Fi 802.11 family are also embedded, the same 4WH process may impact these other protocols.
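The behaviour Dr Amirudin and Azril describe above, modelled as an added example that is not code from the article, CyberSecurity Malaysia or any Wi-Fi stack: a toy supplicant that, when vulnerable, reinstalls the key on every retransmitted message 3 and so resets its transmit nonce and replay counter, beside the patched rule of installing a key only once. The class and function names and the constructed PTK are assumptions for the demonstration.

```python
import hashlib

class WpaSupplicant:
    """Toy model of a WPA2 client's handling of 4-way-handshake message 3.

    Simplification, not real 802.11 code: the CCMP nonce is modelled as
    (key, packet_number); resetting the packet number therefore repeats nonces.
    """

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.installed = False
        self.packet_number = 0   # transmit nonce counter
        self.replay_counter = 0  # receive replay counter

    def handle_msg3(self, ptk: bytes) -> None:
        """Process a (possibly retransmitted) message 3 carrying the key to use."""
        if self.patched and self.installed:
            # Patched: the retransmission is still answered with message 4, but an
            # already-installed key is never reinstalled, so counters are kept.
            return
        # Vulnerable: every message 3 (re)installs the key and zeroes both counters.
        self.ptk = ptk
        self.packet_number = 0
        self.replay_counter = 0
        self.installed = True

    def next_nonce(self) -> tuple:
        """Nonce under which the next outgoing data frame is encrypted."""
        self.packet_number += 1
        return (self.ptk, self.packet_number)

def nonces_used(patched: bool, retransmissions: int, frames_per_round: int) -> list:
    """Handshake, send frames, receive replayed message 3, send frames again."""
    client = WpaSupplicant(patched)
    ptk = hashlib.sha256(b"constructed-ptk-for-demo").digest()  # constructed key
    used = []
    client.handle_msg3(ptk)
    used += [client.next_nonce() for _ in range(frames_per_round)]
    for _ in range(retransmissions):
        client.handle_msg3(ptk)  # the replayed message 3 the article describes
        used += [client.next_nonce() for _ in range(frames_per_round)]
    return used

def nonce_reused(nonces: list) -> bool:
    """True if any (key, packet_number) pair encrypted more than one frame."""
    return len(set(nonces)) != len(nonces)
```

The vulnerable client repeats nonces after a single replayed message 3; the patched client keeps counting and never does, which is the invariant a fixed supplicant or driver must preserve.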
The following are the protocols possibly affected by the 4WH attack from Krack:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Image (Azril): Krack Attack Setup
Azril, however, believes that a Krack attack "is quite difficult and not as easy as shown in the YouTube video demo by the two Belgium researchers."
"First, the attacker needs to apply Man-In-The-Middle (MiTM) attack techniques between the Wi-Fi Access Point (AP) and the Wi-Fi Client," he explained. Secondly, setting up a rogue AP with a different MAC address to forward packets between the real AP and its client is not possible. The attacker would have to employ a channel-based MiTM attack, cloning the real AP on a different channel with the same MAC address and SSID. The following paper describes in detail how to establish a Wi-Fi MiTM channel attack.
"Thirdly, by default both Windows and MacOS (including iOS) do not accept retransmission of Message 3 in the 4WH," Azril continued. "This is because it violates the 802.11 standards. As such, Windows and MacOS (iOS) are not vulnerable to the Wi-Fi Client WPA2 4WH attack but are still vulnerable on the Group-Key Handshake. These operating systems are also vulnerable to Krack if the attacker decides to target the AP for the 802.11r Fast BSS Transition (FT) Handshake."
Guidelines from security experts
When alerting Computerworld Malaysia about the exploit, former white hat hacker turned financial security consultant LGMS director, Fong Choong Fook, summed it up as: "If you are using Wi-Fi in office or home, you are vulnerable."
"Researchers will present more detail at the coming Black Hat Europe hacking conference," said Fong. "The attack in particular is targeting the weakness in the WPA2 protocol. WPA2 is widely used in Wi-Fi access points today. Most, if not all, Wi-Fi networks today are using WPA2 one way or another. Wi-Fi users are advised to update their wireless access points and their computers immediately."
"Microsoft Windows has released the patches; however, popular network device manufacturers such as D-Link and TP-Link have yet [at the time of this interview] to release any firmware update at this moment of writing," he said. "The fixes need to be applied on both sides, the Wi-Fi client (e.g. Microsoft Windows) and the wireless access point (e.g. D-Link Wi-Fi router)."
According to a statement by the Wi-Fi Alliance: "This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users."
As of 17th October, Microsoft revealed it quietly patched Windows last week against vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure wireless networks. All supported versions of Windows received the update, according to the catalogue listing, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016. On the same day, Apple also announced a patch for MacOS, iOS and WatchOS.
However, as other firmware updates (such as to actual routers) may take a little while to appear, local digital security specialists have offered some guidelines to IT admins and internet users to combat this latest vulnerability.
Azril and Fong agree with the main advice from CyberSecurity Malaysia. Their advice has been collected and summarised below.
Advice for IT Admins
- Apply system patches where deemed necessary. Subscribe to CERT notices to be alerted when fixes are available
- Monitor for any rogue clone Wi-Fi Access Point (AP) in the network and close it down
- If you have a corporate VPN, ensure all staff use the VPN for any Wi-Fi connection. You may want to take the opportunity to also encourage people to use a personal VPN for their personal use
- Ensure systems are updated. As soon as a patch is released, ensure any device that connects to a Wi-Fi network is updated. This is a great opportunity to remind others why updating is so important, including enabling automatic updates
- In general, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).
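A simple check for the rogue clone AP the admin advice asks you to monitor for, added here as an example that is not from the article or CyberSecurity Malaysia: it flags a BSSID that is beaconing on more than one channel (the fingerprint of the channel-based clone Azril describes, which keeps the real AP's MAC and SSID) and an SSID advertised by a BSSID outside the list of known corporate APs. The beacon records and the KNOWN_APS set are constructed sample data, and the function name is an assumption.

```python
from collections import defaultdict

# Constructed beacon observations (ssid, bssid, channel) as a scanner might
# report them; hypothetical values, not data from any real network.
OBSERVED = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", 6),
    ("CorpWiFi", "aa:bb:cc:00:00:02", 11),
    ("CorpWiFi", "aa:bb:cc:00:00:01", 1),   # same BSSID seen on a second channel
    ("CorpWiFi", "de:ad:be:ef:00:01", 6),   # corporate SSID from an unknown BSSID
    ("Guest",    "aa:bb:cc:00:00:03", 36),
]

# Allow-list of the BSSIDs your own access points actually use (constructed).
KNOWN_APS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}

def find_clone_aps(observed: list, known_bssids: set) -> list:
    """Return sorted (reason, subject, detail) alerts for suspicious beacons."""
    channels_by_bssid = defaultdict(set)
    bssids_by_ssid = defaultdict(set)
    for ssid, bssid, channel in observed:
        channels_by_bssid[bssid].add(channel)
        bssids_by_ssid[ssid].add(bssid)
    alerts = []
    # A genuine AP beacons on one channel; the same MAC on two channels is the
    # signature of the channel-based clone used for the MiTM step of Krack.
    for bssid, channels in channels_by_bssid.items():
        if len(channels) > 1:
            alerts.append(("bssid-on-multiple-channels", bssid, tuple(sorted(channels))))
    # Many legitimate APs share one SSID in an office, so only a BSSID outside
    # the allow-list is treated as a possible evil twin, not every duplicate.
    for ssid, bssids in bssids_by_ssid.items():
        unknown = bssids - known_bssids
        if unknown:
            alerts.append(("ssid-from-unknown-bssid", ssid, tuple(sorted(unknown))))
    return sorted(alerts)
```

Running find_clone_aps(OBSERVED, KNOWN_APS) on the sample flags the BSSID seen on channels 1 and 6 and the unknown BSSID advertising CorpWiFi; feed it the output of your own wireless scanner or WIDS to use it in practice.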
Advice for users:
- Be cautious when selecting a Wi-Fi AP, especially on a public network
- Check the list of available Wi-Fi APs and avoid choosing one where more than one AP advertises a similar SSID
- Use a VPN if possible on a public network.
- Use the dedicated mobile apps instead of the browser version (e.g. Facebook, WhatsApp, Gmail, etc.), because the mobile apps use certificate pinning, which defeats SSL stripping.
- Where possible, use Ethernet cables and connect directly into the network, rather than using Wi-Fi.
- If tethering is not possible or you do not have a VPN, ensure any online activity is natively encrypted. This step is more limited as some encrypted sessions (such as browsing) may also include unencrypted traffic. Another option is to use HTTPS Everywhere plugin for browsers. Always use encrypted sessions.
Fong added: "This is the *largest scale* of vulnerability impact in the history of the WPA protocol. We have not even touched on the impact surface of the Internet of Things (IoT), which may be using WPA. Krack's impact may turn out to be far more serious than we know today."
CyberSecurity Malaysia's MyCert has issued an advisory and the appendix below gives contact details to report suspected cybersecurity attacks. (See - www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1288/index.html)
The latest edition of this article lives at Computerworld Malaysia.
To report incidents at Cyber999, please use these channels:
- E-mail: email@example.com or firstname.lastname@example.org
- Phone: 1-300-88-2999
- Fax: +603 89453442
- Mobile: +6019 2665850 (24x7 call incident reporting)
- SMS: Cyber999 report email complaint to 15888