October 17, 2017

Coronet’s SecureCloud, the platform that offers end-to-end, outside-the-perimeter security, confirms that it is the first company to offer protection against KRACK.

Belgian researchers published a paper describing a vulnerability in the WPA and WPA2 protocols that lets an attacker executing a multi-stage attack circumvent the protections built into these commonly used protocols.

While most key vendors are working on patches to address KRACK, an exploit golden hour exists for attackers, and it can extend indefinitely for endpoints and IoT devices that are not expected to receive updates.

Coronet is the only available solution in the market that can protect devices from this vulnerability, eliminating the risk regardless of availability of a patch. Coronet’s SecureCloud platform’s network detection and mitigation layer can not only identify a KRACK attack, but also automatically mitigate it.

What is the attack?

An attacker can get into a MITM position and circumvent the WPA/WPA2 protection, gaining access to corporate data for both data stream inspection and packet injection.

Who is vulnerable?

| Platform | Decipher Client → AP packets | Decipher AP → Client packets | Inject Client → AP packets | Inject AP → Client packets | Replay Client → AP packets | Replay AP → Client packets | Mitigation |
|---|---|---|---|---|---|---|---|
| Android 6.0 and up and some Linux (*) | Yes | Yes | Yes | Yes | Yes | Yes | OS patch (if available) |
| Android | Yes | No | TKIP & GCMP only | GCMP only | No | Yes | OS patch; use CCMP |
| iOS | No | No | No | No | No | Yes | OS patch |
| Windows 7 & 10 | No | No | No | No | No | Yes | OS patch |
| Mac OS | Yes | No | TKIP & GCMP only | GCMP only | No | Yes | OS patch; use CCMP |
| Linux | Yes | No | TKIP & GCMP only | GCMP only | No | Yes | OS patch; use CCMP |

(*) In addition to the protocol vulnerabilities, Android 6.0 and up and Linux with wpa_supplicant versions 2.4 and 2.5 have a bug that installs an all-zero encryption key (TK), practically exposing these operating systems to all of the vulnerabilities in both directions.

Are patches available?

Some are already available. Here is a list: https://www.kb.cert.org/vuls/id/228519

The attack surface:

While any unpatched device connecting to WPA/WPA2 is vulnerable, the largest attack surface is devices running Android 6.0 and higher, representing 48% of all Android devices (or about 1 billion devices). Some of these Android devices may not be patchable, and as such will remain vulnerable.

What should you do?

If you are a Coronet customer: you need to do nothing; you are already protected.

If you are not a Coronet customer:

  1. As a good practice, always ensure your devices are patched with the latest OS and vendor updates once available.
  2. For APs for which a patch is yet to be released, disable the Fast Transition (802.11r) option.
  3. Make sure all your information is accessed using only secure HTTPS/TLS protocols.
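One way to check a host against the mitigations above, as an added example that is not Coronet's code: it flags 802.11r key management and non-CCMP pairwise ciphers in an AP configuration, and matches a wpa_supplicant version banner against the 2.4 and 2.5 releases named in the footnote. It assumes the AP runs hostapd (not mentioned in the original) and that the banner comes from `wpa_supplicant -v`; the sample configuration is constructed.

```python
import re

# Constructed sample hostapd.conf (not from the page); hostapd is an assumption here.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
# Fast Transition AKM offered next to plain PSK
wpa_key_mgmt=WPA-PSK FT-PSK
rsn_pairwise=CCMP TKIP
"""

# wpa_supplicant versions the page names as installing an all-zero key.
ZERO_KEY_VERSIONS = {"2.4", "2.5"}


def parse_conf(text):
    """Return key/value pairs from hostapd-style text, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """List explicitly configured settings that conflict with the mitigations above."""
    conf = parse_conf(text)
    findings = []
    ft = [a for a in conf.get("wpa_key_mgmt", "").split() if a.startswith("FT-")]
    if ft:
        findings.append("802.11r enabled (wpa_key_mgmt): " + " ".join(ft))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        weak = [c for c in conf.get(key, "").split() if c.startswith(("TKIP", "GCMP"))]
        if weak:
            findings.append("non-CCMP cipher (" + key + "): " + " ".join(weak))
    return findings


def supplicant_has_zero_key_bug(version_output):
    """Check the banner printed by `wpa_supplicant -v` against the named versions."""
    match = re.search(r"wpa_supplicant v(\d+\.\d+)", version_output)
    return bool(match) and match.group(1) in ZERO_KEY_VERSIONS


if __name__ == "__main__":
    for finding in audit_hostapd(SAMPLE_HOSTAPD_CONF):
        print(finding)
```

Only settings written out in the file are checked; values left to hostapd defaults are not evaluated.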

To learn more, and to protect your organization from KRACK and all other attacks outside the perimeter, contact a Coronet expert at: www.coro.net