If there’s good news regarding the recently revealed KRACK and ROCA encryption holes, it’s that many systems have already been patched to fix the problems. The better news is that there’s no evidence that either have been exploited by hackers. But don’t breathe out that sigh of relief just yet, because these are potentially very serious.
The KRACK vulnerability affects anyone or any system using WPA2 encryption on their WiFi networks. Since WPA2 is the only WiFi encryption method that’s considered reasonably secure, this is a big deal. It’s even a bigger deal because it potentially affects nearly everyone.
The ROCA vulnerability attacks versions of RSA encryption using key lengths of 2048-bits and shorter. It can be used to produce fake signed certificates for things like software updates and can even be used to bypass the security of the TPM (trusted platform module) where encryption keys are stored.
Both vulnerabilities affect a wide range of platforms including Windows-based computers. However, the ROCA vulnerability only affects those devices with Infineon chips, which includes computers made by HP and Lenovo. Some Chromebooks are also affected.
Microsoft has already released updates to fix both of these vulnerabilities as has Lenovo for computers it makes that use those chips. The KRACK vulnerability requires patches from hardware and software makers that depend on WiFi. At this point, it’s not clear if Apple has included a fix in its most recent update to iOS. Google has not yet provided patches for Android.
However, there’s more to WiFi than your computers and endpoints. WiFi devices including routers and access points are also vulnerable and they also need to be updated. The infrastructure patching can be daunting, if only because you have to start by tracking down every point on your company network where WPA2 encryption or decryption takes place, then either patch it or replace it.
While an attacker must be within WiFi range to exploit the KRACK vulnerability, that should not be much comfort for your organization. For one thing, you only need a single unpatched AP for hackers to exploit an encryption hole. For another, WiFi can cover a much larger area than you probably realize—in some cases reaching out for miles—so distance can’t be relied on for protection.
The problem with patching every available access point is that some may be hard to find, especially in a company where employees sometimes set up their own APs or routers. To be really safe, you’ll need to track all of those down and either eliminate them or at least make sure that they’re updated.
Do I need to mention that this applies to remote locations? If you have employees who use a VPN to connect their local devices or routers to your network, you’ll need to make sure those are safe as well.
But even that’s only part of the job. You still have all of those IoT devices on your network. You’ll need to find devices that are using WPA2, which can be anything from security cameras to printers and make sure they’re updated. That’s assuming that your devices even have security and use WPA2. There are plenty of IoT devices where encryption was an afterthought that was never implemented.
Meanwhile, there are things you can do that don’t depend on WPA2 security. There’s still a lot of hardware out there that can use Ethernet, and while running a cable is annoying and possibly expensive, it’s not wireless. For mobile devices, you can turn off WiFi and depend on the encryption provided by your cellular provider.
You can also do a sort of triage to identify vulnerable devices that will require KRACK and possibly ROCA updates. If those devices have updates available, such as Windows computers, then update them. If they don’t, then identify any cases where they will touch sensitive information. If you find those, determine whether an alternate method such as using HTTPS connections will work.
You’ll need to consider eliminating any other older devices that will be difficult or impossible to patch. Those devices may include older Android phones and tablets for which updates are no longer available or IoT devices that can’t be updated.
There are some devices that may not matter. Even if the encryption on your wireless thermostat is hacked it may not matter, as long as the thermostat isn’t connected to your wider enterprise network.
The WiFi Alliance has pointed out that so far there’s no evidence that anyone has managed to break into a WiFi network using these vulnerabilities. The organization has now added testing for this vulnerability as a requirement for a device to be WiFi Certified, so new devices with the official label will have to show that they’re safe. However the Alliance cautions that users still need to confirm that any WiFi products they buy include the fix.
While most users will have dodged the bullet on these vulnerabilities, KRACK and ROCA demonstrate that you can’t depend on taking the easy way out when it comes to protection.
Your devices may have some protection such as encryption built in, but you still have to do the hard work of making sure that your data is fully protected that means your network has some method of protection beyond what comes with the products you use. That requirement won’t change even when these vulnerabilities are fixed.