Stopping KRACK Attacks Starts with Visibility
Stopping KRACK Attacks Starts with Visibility

KRACK attacks hit the headlines last week and the news was bad for anyone who uses Wi-Fi. (Or in other words, everyone.) KRACK or Key Reinstallation Attack is a security flaw in the WPA2 protocol that allows an attacker to break encryption between a router and any device and interrupt network traffic as a user connects. The attacker isn’t actually on your network, rather they are listening in as users consume and exchange data over Wi-Fi. Threat implications include theft of course but also the injection of malware and/or ransomware and the opportunity for criminals to gain footholds into your company’s network for more grandiose schemes in the future.

As I said, the news is not good, especially when you consider the extensive range of devices that rely on WPA2. That’s a very long list made even longer when you also count Wi-Fi enabled IoT devices manufactured by many different companies. The flaw is extensive, but repairable and it will require some work on your part. To stop KRACK attacks, you need to patch both the router and your devices -all of them. And don’t worry, it’s okay to admit even knowing what that device list consists of isn’t easy; we’ve all been there.

Former TheNextWeb editor, Owen Williams has compiled a helpful, running list of firmware patches that includes links on where to download them. As he calls out, some heavy hitters like Apple only offer the fix in beta currently and others, like Google, say a patch is coming soon. Regardless of what your vendors are doing to close the loop on KRACK, it’s critical you first have visibility into what is running. When you consider remote offices, contract workers and employees running rogue devices on your network, visibility is anything but obvious for most of us.

While the engineers and security teams at scores of hardware and software vendors, from operating systems to laptops, to smartphones to smart devices, have their work cut out for them pushing out KRACK fixes, you also can’t patch what you don’t know you have. Absolute Reach is one way to assess your level of risk. Reach identifies device presence, on and off the corporate network, and, using a script that indicates the presence of a KB article (which comes with a patch), discovers fixes that need to be made. You can also freeze a device until a KRACK fix can be applied.

What are the chances your organization could fall victim to a KRACK attack? Pretty high unfortunately given the everyday use of Wi-Fi. The good news though is I have seen no evidence of active attacks in the wild rampantly exploiting KRACK. Over time though, we should expect automated tools deployed to detect vulnerable machines as well as tools to exploit them.

Shutting down devices until they are clear of today’s present danger is one way to effectively mitigate KRACK but for most, it’s simply too much of an ask when productivity is at stake. If you’re unable to deploy the needed patches, you might start instead by turning off all Wi-Fi infrastructures at the office and put a new Group Policy in place to disable connections to unapproved wireless access points. This way, you’re forcing users to rely on Ethernet connections until the risk has passed.


Richard Henderson
Richard Henderson is global security strategist at Absolute Software where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community. He is a researcher and regular presenter at conferences, and skilled electronics hacker. He was one of the first researchers in the world to defeat Apple's TouchID fingerprint sensor on the iPhone 5S. Richard was a technical editor of a book on IoT Security: RIoT Control: Understanding and Managing Risks and the Internet of Things. He is currently co-authoring the second edition of Cybersecurity for Industrial Control Systems.