
KRACK Attack: Are You Vulnerable?

The WPA-2 KRACK vulnerability has been all over the news recently, and given how many people it affects, it’s no wonder it’s getting some serious airtime. But before you hit disconnect and rip your router out of the wall, it’s important to understand that the KRACK Attack is not quite the WPA-2 apocalypse it’s made out to be.

To understand the KRACK Attack, let’s go back to basics. The current industry standard for Wi-Fi networks is Wi-Fi Protected Access 2, or WPA-2. The standard was first rolled out in 2004, with the intention of encrypting data transmitted over a Wi-Fi network to stop hackers from intercepting your information. In the last few weeks, new research from Mathy Vanhoef of KU Leuven in Belgium has revealed that WPA-2 might not be as safe as we assume. After running a few trial hacks, researchers discovered a key vulnerability in the WPA-2 Wi-Fi encryption protocol, known as ‘Key Reinstallation Attacks,’ or ‘KRACK Attacks.’ This security flaw essentially allows hackers to act as a fake ‘man in the middle’ and intercept your sensitive data, such as credit card numbers, passwords and photos.

When Wi-Fi Goes Rogue...

KRACK attacks unfold when a hacker finds a vulnerable network, makes a carbon copy of it and steps in, impersonating its MAC address. By changing the Wi-Fi channel and forging an exact replica of the network, the hacker forces you to unwittingly bypass the original WPA-2 connection and join a rogue network.

WPA-2 connections traditionally require a unique key to encrypt each block of plaintext, and this is where the hack steps in. The WPA-2 KRACK overrides traditional encryption keys by foiling the handshake process, bypassing HTTPS and revealing sensitive data along the way. To break it down, when a computer tries to connect to a foreign device like a router or network server, the handshake process is what establishes the connection and sets the rules for communicating with the device. A KRACK attack hijacks the handshake and redirects the connection to a malicious network. According to the researchers who discovered the flaw, the routers themselves aren’t attacked and, similarly, Wi-Fi passwords and secret keys can’t be compromised. The KRACK is more about eavesdropping on network traffic – think sneaky snooping with a side of sinister.
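Why a reinstalled key matters, as an added example that is not from the original article: WPA-2 encryption is only safe if every frame sent under a given key uses a fresh packet number, and a key reinstallation resets that counter. The sketch below uses a SHA-256 keystream as a stand-in for the real cipher and constructed frames; all function names and sample values are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode), NOT real WPA-2 CCMP.
    Like CCMP, the output depends only on the key and the packet number."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, packet_number, len(plaintext)))

def find_packet_number_reuse(frames):
    """Flag (transmitter, packet_number) pairs that carry different ciphertexts.
    frames: iterable of (transmitter_mac, packet_number, ciphertext).
    An identical ciphertext under the same number is an ordinary retransmission."""
    seen = defaultdict(set)
    for mac, pn, ct in frames:
        seen[(mac, pn)].add(ct)
    return sorted(k for k, cts in seen.items() if len(cts) > 1)

# Constructed sample: the client sends two frames, its key is reinstalled
# (packet number reset to 1), then it sends a third frame.
KEY = b"constructed-session-key"
CLIENT = "02:00:00:00:00:01"
P1 = b"GET /index.html "
P3 = b"password=hunter2"
FRAMES = [
    (CLIENT, 1, encrypt(KEY, 1, P1)),
    (CLIENT, 2, encrypt(KEY, 2, b"second frame....")),
    (CLIENT, 1, encrypt(KEY, 1, P3)),  # packet number 1 used a second time
]

def demo():
    reused = find_packet_number_reuse(FRAMES)
    # Same key + same packet number => same keystream, so XORing the two
    # ciphertexts cancels it and leaves plaintext1 XOR plaintext3.
    leak = xor(FRAMES[0][2], FRAMES[2][2])
    return reused, leak == xor(P1, P3)

if __name__ == "__main__":
    print(demo())
```

The same check applied to a real capture would key on the transmitter address and the packet number field of each encrypted frame; patched clients refuse to reset the counter, so the check returns nothing.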

When the WPA-2 KRACK is at play, a hacker is able to manipulate commands, like instructing the computer to send money to itself. It also allows the injection of new data, like malware or ransomware, into a Wi-Fi network. The major caveat to the WPA-2 KRACK is that a hacker would need to be within physical reach of a vulnerable Wi-Fi network. Given that there are literally tens of millions of Wi-Fi and IoT enabled devices, the problem has serious legs.

SD-WAN for the Win

In the last few weeks, discussions around the WPA-2 KRACK vulnerability have brought a lot of issues to light. Most importantly, they have highlighted that enterprise networks need to up the ante, even if they have WPA-2 protocols in place. Security breaches are a frightening reality for consumers, corporates and network managers alike, especially when they expose the flaws of a stalwart standard like WPA-2. The thing about traditional networks is that they’re vulnerable to traditional problems. Newer, leaner, safer networking protocols like SD-WAN, when paired with secure and compliant peripheral hardware, aren’t susceptible to man-in-the-middle attacks like WPA-2 KRACK. Because SD-WAN uses dynamic key encryption at the packet level, your network is safe, no matter what type of connecting links the data travels across.

The very nature of SD-WAN means that data is encrypted from its origin all the way to its destination, leaving no weak points for hackers to exploit. In the context of financial security standards like PCI 3.0, transactional data travelling to and from retail sites is protected at all points along the SD-WAN network.

Macquarie Telecom SD-WAN uses standard IPSec site-to-site tunnels, encrypted using either AES-128 or AES-256. All keys are protected by a built-in Certificate Authority process that automatically refreshes periodically without any user intervention.

Put simply, you’re safer with SD-WAN.