The National Cyber Security Centre (NCSC) is investigating the implications of a vulnerability in WPA2 Wi-Fi networks known as ‘Krack’, first reported on 16 October 2017. This page offers guidance to enterprise administrators, small business owners, and home users regarding the recently identified vulnerability in their Wi-Fi networks. This information will be revised as new updates arise.
- For advice on safeguarding your online activities, please visit CyberAware.
- Administrators may consider consulting the NCSC’s guidance on enterprise IT.
Understanding Krack
Wi-Fi networks typically encrypt traffic between client devices and access points to prevent unauthorized external access to network communications. One such protocol utilized for encryption is WPA2. The Krack vulnerability threatens this encryption, allowing attackers potential access to the encrypted data, and, in some scenarios, the ability to send data back over the network.
Current information indicates that:
- An attacker needs to be within close proximity to the target, making Krack a less widespread threat compared to recent ransomware like WannaCry.
- This vulnerability impacts all wireless devices utilizing WPA2 Wi-Fi.
- It affects both WPA2 Personal (commonly used in home networks and small businesses) and WPA2 Enterprise configurations.
- Despite Krack, a WPA2-secured network is still preferable to one protected by WEP or WPA.
- Private networks using WPA2 offer greater security than public Wi-Fi networks found in cafes or hotels.
- Attackers cannot extract the WPA2 encryption key (or password), and as a result cannot connect malicious devices directly to the Wi-Fi network. There is no immediate need to alter Wi-Fi passwords or other enterprise credentials in light of the Krack vulnerability.
Services such as email, online banking, and e-commerce already use HTTPS to encrypt data sent over the Internet. Similarly, many businesses employ Virtual Private Networks (VPNs) to ensure secure data transfer between user devices and enterprise resources. The Krack vulnerability does not undermine connections to secure services that use these technologies.
Steps to Safeguard Yourself and Your Organization
The NCSC recommends the following measures.
1. Secure Sensitive Data Transfers
It is crucial to encrypt sensitive data transmitted from your devices to online platforms to safeguard it during transit over the public Internet. Such encryption will also shield data from potential exploitation of the Krack vulnerability over a wireless network. Implement comparable security measures for sensitive data within private networks, like connections to file shares or HR applications.
Two prevalent encryption technologies can protect data across the Internet or insecure Wi-Fi networks:
- HTTPS: Individual web services should employ HTTPS, identifiable by a padlock icon in web browsers. This is commonly used for user login, credit card transactions, or submission of personal data, and is increasingly seen in business environments.
- VPN: Organizations and small businesses may leverage a well-implemented VPN to encrypt some or all traffic flowing between devices and enterprise services, as detailed in the NCSC End User Devices guidance.
2. Implement Security Patches
If you consistently apply security updates to all your devices, you will be protected as soon as vendors release updates (many have already issued patches for user devices and networking equipment, as indicated in the CERT advisory). Otherwise, it is critical to urgently install these patches.
- Prioritize updates on devices that use wireless networks, such as laptops, smartphones, and other connected smart devices (often referred to as IoT). Keeping these devices up to date will safeguard them, along with the data they transmit over Wi-Fi, even if they connect to a vulnerable wireless network. The exception is WPA2 Enterprise networks using fast roaming configurations, where patching clients alone is not sufficient. The NCSC advises that security updates should be applied regularly and automatically.
- Update your wireless network infrastructure, including wireless routers and access points, as this will enhance protection for all connected devices. Major ISPs often provide auto-updating for routers, yet many Wi-Fi networking devices (including those for enterprises and small businesses) will require manual updates.
The Wi-Fi Alliance (a consortium responsible for maintaining Wi-Fi standards) is collaborating with its members to incorporate and test security patches addressing the fundamental vulnerability, with updates to Wi-Fi standards anticipated for new devices.
3. Monitor Your Enterprise Wireless Networks
Organizations with an existing wireless intrusion detection system (WIDS) may be able to detect attempts to exploit the Krack vulnerability. Consult with your vendor for the availability of features or signatures that assist in identifying these attacks.
4. Verify Your Enterprise Wireless Access Point Configurations
Enterprise access points and Wi-Fi routers could be set to use the outdated TKIP standard. Using this obsolete standard makes it easier for an attacker to inject unauthorized packets into the wireless network. If available, reconfigure your wireless setup to use AES-CCMP.
Wireless devices configured in WPA2 Enterprise mode may remain vulnerable, even when clients are patched, if certain features are active. Temporarily disable the affected functionality on devices acting as Wi-Fi repeaters, and turn off 802.11r (fast roaming). Once the wireless access points are updated, these features can safely be re-enabled.
Wireless devices operating with AES-GCMP might still allow attackers to inject unauthorized packets into the network. Temporarily disable GCMP mode on your Wi-Fi access point or router and switch to CCMP mode. After the devices receive patches, restoring AES-GCMP is safe.
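The three configuration checks in step 4 (TKIP, 802.11r fast roaming, and GCMP) can be audited mechanically on access points that are configured through a text file. The following is an added example, not code from the NCSC page or from any vendor; it assumes the access point runs hostapd and uses hostapd's configuration keys wpa, wpa_pairwise, rsn_pairwise and ieee80211r, and the sample configuration inside it is constructed for illustration. The audit lists each risky setting with the reason step 4 gives for changing it, and the hardening function writes out the interim configuration (CCMP only, fast roaming off, WPA2 only).

```python
"""Audit a hostapd access-point configuration against the step 4 checks.

Added example; assumes hostapd.conf key names (wpa, wpa_pairwise,
rsn_pairwise, ieee80211r). The sample configuration is constructed.
"""

# Constructed sample: an enterprise AP with TKIP, GCMP and 802.11r enabled.
SAMPLE_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP GCMP
ieee80211r=1
mobility_domain=a1b2
"""

# Pairwise ciphers that step 4 says to move away from, with the reason given there.
WEAK_CIPHERS = {
    "TKIP": "obsolete cipher; eases packet injection (use AES-CCMP)",
    "GCMP": "GCMP mode may allow packet injection; use CCMP until devices are patched",
    "GCMP-256": "GCMP mode may allow packet injection; use CCMP until devices are patched",
}


def parse_conf(text):
    """Return hostapd key=value pairs, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of (key, value, reason) findings for the step 4 checks."""
    settings = parse_conf(text)
    findings = []
    # hostapd falls back to wpa_pairwise when rsn_pairwise is unset, so check both.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        for cipher in settings.get(key, "").split():
            if cipher in WEAK_CIPHERS:
                findings.append((key, cipher, WEAK_CIPHERS[cipher]))
    if settings.get("ieee80211r") == "1":
        findings.append(("ieee80211r", "1",
                         "802.11r fast roaming enabled; disable until access points are patched"))
    # wpa=1 or wpa=3 admits WPA (not only WPA2) clients; WPA2 is preferable.
    if "wpa" in settings and settings["wpa"] != "2":
        findings.append(("wpa", settings["wpa"], "allows WPA clients; prefer wpa=2 (WPA2 only)"))
    return findings


def harden(text):
    """Rewrite the configuration with the interim step 4 mitigations applied."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        key, sep, value = stripped.partition("=")
        if not sep or stripped.startswith("#"):
            out.append(line)
            continue
        key = key.strip()
        if key in ("wpa_pairwise", "rsn_pairwise"):
            # Drop weak ciphers and make sure CCMP remains available.
            kept = [c for c in value.split() if c not in WEAK_CIPHERS]
            if "CCMP" not in kept:
                kept.append("CCMP")
            out.append(f"{key}={' '.join(kept)}")
        elif key == "ieee80211r":
            out.append("ieee80211r=0")
        elif key == "wpa":
            out.append("wpa=2")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_CONF):
        print(f"{key}={value}: {reason}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONF), end="")
```

Run against the sample, the audit reports TKIP on wpa_pairwise, GCMP on rsn_pairwise and ieee80211r=1; the hardened output sets both pairwise keys to CCMP and ieee80211r to 0, which is the configuration step 4 recommends until the access point has been patched, after which GCMP and 802.11r can be re-enabled.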
Additional Resources
- Small businesses should consider exploring the Cyber Essentials standard and certification program as a strategy to mitigate common cyber threats.
- Home users can access information on wireless networks and hotspots, coupled with further security guidance from Get Safe Online.
- The NCSC’s broader guidance on enterprise technology security is also available, including recommendations on using VPNs, TLS, and Wi-Fi in enterprise settings.
- Further details regarding the vulnerabilities that make up ‘Krack’ have been published by researchers from the University of Leuven, including a collection of frequently asked questions.

Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/krack