Detection and response measures regarding the WPA2 vulnerability
On Monday, October 16th 2017, the press and social media were flooded with a wireless vulnerability that had been discovered in the WPA2 protocol, dubbed KRACK, short for “Key Reinstallation Attack”. By now, most of us are familiar with this vulnerability; however, several manufacturers were already informed about it much earlier (read: months). The discoverer reported it under the so-called ‘responsible disclosure’ procedure. It is astonishing to me, as a “half-techie”, that some manufacturers state that they “take these vulnerabilities seriously and are busy addressing this”, but have no solution yet. To me, it appears that they have been ‘sitting’ on the shared information for months…
What is the impact of the reported vulnerabilities?
Simply put, these vulnerabilities allow malicious people to access and view data transmitted over WiFi. WPA2 is the most commonly used wireless encryption method, and it has been the standard for more than 10 years. There is no alternative to this protection method yet, and no successor. The impact is severe as long as the wireless infrastructure and the clients are not patched; patching the wireless infrastructure alone is not enough.
After the public announcement, technicians fell over each other with reactions and doom scenarios. Certainly, the errors discovered are very serious, and it will take a long time before all affected systems (especially the many different client devices) are patched. Additionally, there are many systems for which the question is: will the manufacturers still patch them at all? This needs attention: who will look into these systems and the possible detection measures for them? If a system cannot be patched, it remains vulnerable, and if the system cannot easily be replaced, only one option remains: make sure that you detect a possible use of one of the discovered vulnerabilities as quickly as possible. Because what you do not see or detect, you cannot protect or defend.
Detection and response are the next steps
Detection is step one in the process of protection. After detection, you can take response measures. In this specific case, I see sufficient reasons for automating response measures. Why? To reduce the timeframe of a potential attack as much as possible, and to keep attackers from obtaining information. As I write this, I have not yet read much about this in the various responses and articles. I don’t want to sound arrogant, but this confirms the fear of many infrastructure and security specialists!
Response measures can consist of multiple actions, such as disconnecting the relevant wireless session and sending an alarm (text, email, etc.).
Fortunately, there are also parties who have thought of this possible step and even have a short presentation with an explanation available, including Aruba, a Hewlett Packard Enterprise company and one of the market leaders in wireless solutions. They were one of the first with a clear explanation.
Detection with Aruba, a HPE company
Detection capabilities are a standard feature of the Aruba wireless solution. If desired, this functionality can be brought to an even higher level of insight by adding the so-called RFProtect license in a controller-based environment. Within the so-called controller-less Instant solution, RFProtect functionality is included as standard in Aruba InstantOS.
The implementation of detection and countermeasures is unfortunately a technical matter, and I realize that not all customers have the knowledge or resources available to apply them. However, this does not make these measures any less necessary, especially in environments such as healthcare, industry and public infrastructure. SecureLink has as many as 18 specialists available to support customers with this. If you are worried that your wireless environment cannot be patched, we will be happy to discuss the possible detection and response measures with you.
The announced vulnerabilities will certainly not be the last. Setting up good detection and response measures is always a good move toward a more mature security infrastructure.
For the techies amongst our readers, the following points provide detailed and substantive information: