impact of KRACK vulnerability
Lately researchers publicly disclosed their discovery on a major vulnerabilities called KRACK in WPA2, a security protocol used to protect Wi-Fi networks, and they warned "if your device supports Wi-Fi, it is most likely affected".
This discovery triggered a wide-spread fear among many Wi-Fi customers.
A few things to note:
- According to https://www.krackattacks.com/, the weaknesses are in the Wi-Fi standard itself, not in individual products or implementations, and it exploits both sides of the 4-way handshake relationship (client and AP). It does not steal any Wi-Fi password, and it's more relevant to behaviors of client devices, especially Android/Linux devices.
- The "attack" worked in lab environments by researchers/scientists, which means in real life, the attacker has to be very skillful, sophisticated, in the same Wi-Fi network as the victims (eg. connecting to the same AP), and equiped with all the advanced hardware and software to launch such attack. As of now, there's no publicly known tools/software that are capable of such attack. This is still a "theoretical" vulnerability.
- This attack requires a Man-In-The-Middle attack first (which is already difficult), then tricks client devices by forcing nonce reuse to decrypt client connection. Note the "decrypt" here really means decrypting data link layer (layer 2) frames encrypted by WPA2 encryption protocols, but if your applications are protected by upper layer security (eg. VPN or SSL/https), you are still protected. Why would you care who look at what you read if you don't even bother to secure it with https?. At most, when a WPA2 secured Wi-Fi connection is hacked by KRACK, it's as good as an open Wi-Fi without any encryption, which is commonly used in many public hotspots anyway. Unarguably, SSL/VPN have their own potential vulnerabilities but these are outside the scope of this discussion (Hey, what's 100% secure?).
- The researcher has recommended to "mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).". Note this can be achieved easily just by configuring your AP correctly, eg. disable wireless mesh, bridging or WDS or 802.11r etc.
So how does this impact RansNet solutions?
- In general, RansNet solutions are targeting at public hotspots, where most of them are using open SSID, irrelevant to WPA2, and authentication is done by a captive portal through HSG. The intelligence of RansNet solution is mostly on the network layer and above, not much of wireless.
- For the case of HSA, which can be an integrated Wi-Fi and hotspot controller, it is designed to operate as standaone Wi-Fi AP, without 802.11r functionality and WDS is also turned off by default. So in most HSA deployment, this KRACK is irrelevant. And if you do have WDS configured, please turn it off. There's no plan to release any patch or update to specifically address this.
- For the case of MAP, as most of the MAPs are deployed with open SSID and without WDS/802.11r enabled etc, we don't see immediate urgency to release any patch specifically for KRACK. Until Wi-Fi alliance or IEEE releases new standards later, our future new firmware upgrades will include the relevant fixes. For now, if you do need to use WPA2, please make sure to disable 802.11r and don't use WDS.
- KRACK has absolutely no impact and is completely irrelevant to HSG/CMG, which are gateways and agnostic to users' connectivity options, be it open/WPA2 wireless or even wired networks.
What should RansNet customers do?
- If you have HSA deployed using WPA2 SSID, make sure no WDS configured. 802.11r is not supported on HSA.
- If you have MAP deployed using WPA2 SSID, turn of 802.11r and make sure no WDS configured.
- Again, as KRACK is more prevalent to client device, make sure to patch/update your client device promptly once device vendor releases any new updates, so that you're always protected, irregardless which AP connected to.