Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

WPA2 KRACK Fallout in the Enterprise

The big news Monday that security researchers had discovered vulnerabilities in the Wi-Fi Protected Access 2 protocol sent WLAN professionals scrambling to understand the scope of the problem and figure out a plan of action to protect their networks.

WiFi networking pros were sorting through all the information about KRACK, posting comments on Twitter and online forums. Joshua Williams, senior solutions strategist and sales manager at United Systems, tweeted early Monday, "Headed to the office at 3:45 AM to get in front of this lovely KRACK festival. God speed, my friends."

Security researchers publicly disclosed the WPA2 vulnerabilities early Monday, after notifying vendors in July. Attackers in the range of a vulnerable WiFi client and access point can exploit the encryption flaws to read, steal or manipulate data. Researchers called their discovery KRACK for key reinstallation attacks.

With most all modern WiFi equipment affected, dozens of vendors released a flurry of advisories and updates.

"The WPA2 protocol is ubiquitous in wireless networking," US-CERT said in an advisory on the WPA-2 flaw. "The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available."

Security

In a phone interview, Williams said there was chatter and rumors in the infosec community Sunday leading up to KRACK disclosure. Early Monday, he gave up on sleeping and decided to head to work.

"We're a systems integrator and managed services provider with dozens and dozens of WiFi customers and they're running different systems with all kinds of different clients," he told me. "The challenge at this point is getting an idea of what the scope of the problem is for those customers."

He spent the morning gathering information and talking to customers. "Next steps will be doing things on the infrastructure side to plug up holes where we can, and then patching the client side," he said.

Lee Badman, CWNE #200 and wireless network architect for a large private university, told me in an email that KRACK is "worthy of attention, but not panic in the enterprise."

He and Williams both noted that exploiting the flaw is complex. A successful exploit requires a "fairly difficult AP-by-AP attack, requiring the attacker to physically be in WLAN range," Badman said.

Some enterprise WLAN vendors have already patched the vulnerabilities while others are working on it. The trickier part, experts said, will be patching WiFi clients, especially in the fragmented Android ecosystem.

"I have no doubt our wireless vendors will provide a patch promptly. Our biggest challenge will be patching end user devices, especially for environments where BYOD is substantial," Rowell Dionicio, who designs and deploys WiFi networks for higher education, told me via email. "This drives the importance of patching on a regular basis. It is our duty to maintain secure systems and to educate others on becoming more secure."

KRACK isn't a sky-is-falling type of scenario, but it's "something we really need to pay attention to," Williams said.

From an IT management perspective, it poses a bit of a dilemma, he added. "Do you risk inciting panic by drawing the wrong amount of attention, or do you try to downplay it? Then you've created a lack of urgency and people take too long to patch devices. This isn't something you want to let go."

Andrew von Nagy, a senior WiFi architect, posted a helpful list of links with information about KRACK including vendor updates, on his Revolution Wi-Fi blog.