We woke up Monday to heavy news coverage of a series of vulnerabilities known as KRACK. While most people assume their Wi-Fi connections are secure, KRACK demonstrates that this is not the case. Jigsaw Security's JPM does not allow connections to internal networks for this very reason. Our auditing teams flag any internal network wireless access that is not secured with two-factor authentication, meaning something you have and something you know (a smart card plus PIN in most cases). Today our model was validated by the news of this vulnerability.
Advertisers use cell phone snooping to target ads toward shoppers near their stores
In recent vulnerability assessments we have been seeing more and more personal wireless devices in the workplace. We have demonstrated time and time again that we can perform MITM attacks quite easily on wireless and cellular connections using inexpensive hardware and customized software. If you're familiar with law enforcement's use of Stingray, it should be noted that for only a few hundred dollars you can build your own device capable of intercepting wireless communications from cell phones, which have generally been deemed fairly secure (less so in recent years). The KRACK paper outlines exactly why end-to-end encryption and revalidation of wireless connections are critical in corporate network environments.
In many cases every application installed on your phone reports some sort of usage statistics. These are nominally anonymous, but the data may still be used to identify individuals who are likely to be interested in particular products and services, and to display content to them while they are shopping in a particular location. Wireless in general is problematic because it was created for the convenience of users. Just like IoT devices and home automation, these devices were created to make our experience more enjoyable, often overlooking the security implications of that ease of use.
So let's have a look at the KRACK report, since we already know wireless is a problem. What is the problem with wireless anyway, and what's the big deal about KRACK? During normal communications with an access point, the client and the AP must agree on a key in order to encrypt content. For this reason, several times per hour the client and the access point perform what is known as a 4-way handshake to determine which keys to use for the encrypted data. During this process each side sends the other a one-time random value (a nonce), so that both sides have the same material from which to calculate a key. Both sides then mix the random data they sent and received with the pre-shared key that was previously known to both, and derive the session key from that. Each side then confirms that it has enough data to encrypt the connection, and communication proceeds. That's a quick and easy way to understand what happens during the handshake process.
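To make the "mixing" step concrete, here is the WPA2 key derivation used in that 4-way handshake, written as an added example for this post (not code from the KRACK paper or from Jigsaw Security): the pre-shared key becomes the PMK via PBKDF2, and the PMK is then combined with both MAC addresses and both nonces through the 802.11i PRF-384 to produce the pairwise transient key (PTK). The MAC addresses, passphrase and nonces in the demo function are constructed sample values; the "password"/"IEEE" vector is the published IEEE 802.11 PBKDF2 test vector.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    until 384 bits (48 bytes) have been produced."""
    out = b""
    i = 0
    while len(out) < 48:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The min/max ordering makes the result identical whichever side computes it.
    The PTK splits into KCK (handshake MIC key), KEK (key-wrapping key) and TK (the CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def handshake_demo() -> dict:
    """Both sides derive the same TK from the same nonces; a fresh nonce yields a fresh TK.
    All values below are constructed sample inputs, not captured traffic."""
    pmk = derive_pmk("correct horse battery", "JigsawDemo")
    aa = bytes.fromhex("001122334455")   # sample AP MAC address
    spa = bytes.fromhex("66778899aabb")  # sample client MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_side = derive_ptk(pmk, aa, spa, anonce, snonce)
    client_side = derive_ptk(pmk, spa, aa, snonce, anonce)  # same inputs, opposite order
    rerun = derive_ptk(pmk, aa, spa, anonce, os.urandom(32))  # client picks a new SNonce
    return {
        "same_key_both_sides": ap_side["tk"] == client_side["tk"],
        "new_nonce_new_key": rerun["tk"] != ap_side["tk"],
        "tk_len": len(ap_side["tk"]),
    }
```

Because the TK is a deterministic function of the PMK, the MAC addresses and the two nonces, a handshake that is replayed with the same nonces installs exactly the same key; the freshness of the session depends entirely on each side contributing a nonce it has never used before.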
The handshake should allow a client to talk to the AP securely, but there is a problem with the way it is often implemented. One way we have seen this exploited is to place an access point very close to the client and spoof the legitimate AP. Once you make yourself look like the AP that is supposed to be receiving the data and you overpower the real access point, you can capture data and, using the same methods as the real AP, sniff the traffic. Another method is to interrupt the real communications with the AP and interject your own. This MITM (man-in-the-middle) attack simply overpowers the real AP with a fake AP to interrupt the handshake and force the client to communicate with the fake one. These attacks are quite easy to perform and have been seen for several years now, going back to 2010 and probably earlier. In 2010 a Silicon Valley startup began providing hardware and software that made it easy enough for the average home user to hijack connections for under $500.
In short, this is just one of the issues with wireless, and it is why it's much more advisable these days to encrypt data from client to server with a VPN, even if the wireless network is believed to be secure, so that the data is safeguarded in case the wireless connection is hijacked. While the specific KRACK attack is new, the method of carrying out the same attack is nearly 8 years old now and widely in use. Even when out shopping or connecting to coffee shop Wi-Fi, you should probably encrypt all traffic.
When using Wi-Fi networks, our recommendation is to use a VPN regardless of whether the wireless is encrypted or not. If a Wi-Fi password is handed out for convenience, you might as well treat that network as an open book, since anyone with that password may intercept your communications and glean details about you. Let's treat all Wi-Fi as insecure all the time, because when you think about it, Wi-Fi is a broadcast medium: if you can receive it, you can learn details about what is happening even if you can't read the payloads. A VPN really only reveals where your VPN concentrator is, not what you are doing over the network. Ensure your VPN is using encrypted packets and change your passkeys frequently. There is a reason the military changes its keying material daily: frequent key changes ensure that even if communications are broken for a brief period of time, an ongoing campaign of espionage or cyber warfare cannot continue over an extended period.
In short, wireless is broken and insecure, use a VPN that you control. Happy Monday!