EnGenius Advisory

 

WPA2 KRACK Vulnerability

 

Oct. 17, 2017

 

 

What Has Happened

—————————-

On October 16, 2017, a public announcement was made by security researchers
who discovered a weakness in the Wi-Fi Protected Access 2 (WPA2) protocol
that is used in all modern Wi-Fi networks. A malicious attacker in
range of a potential unpatched victim can exploit this weakness to read
information that was previously assumed to be safely encrypted. The
vulnerability is within the Wi-Fi IEEE 802.11 standard itself, and is
therefore not unique to any particular access point or client device
vendor. It is generally assumed that any Wi-Fi enabled
device is potentially vulnerable to this particular issue.

 

 

A Summary of How WPA2 Security Works

——————————————————–

WPA2-AES security consists of both authorization and encryption. The
authorization step is used to determine whether a particular client is
allowed to access the wireless network, and comes in two flavors, Personal
and Enterprise. In WPA2-AES Personal, a pre-shared key or passphrase
is used to provide the key identifying credential. In WPA2-AES
Enterprise, the Extensible Authentication Protocol (EAP) is used to
validate the client credentials against an external RADIUS or Active
Directory server. In either the WPA2-AES Personal or WPA2-AES
Enterprise scenario, once the client’s authorization credentials
are validated, a unique set of encryption keys is established between
that particular access point and that particular client device, to encrypt
the traffic between them. This encryption process is done via a four-way
handshake, where particular keys are passed back and forth between the
access point and the client device so each can derive the appropriate
unique encryption key pair.
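
The key derivation behind the four-way handshake for WPA2-AES Personal, as an added example that is not part of the original advisory or any EnGenius code: the passphrase and SSID yield a pairwise master key (PMK), and the MAC addresses and nonces exchanged in the handshake turn it into per-session keys. The passphrase, SSID, MAC addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    # In WPA2-Enterprise the PMK comes out of the EAP exchange instead.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes,
               nonce_a: bytes, nonce_b: bytes) -> dict:
    # MAC addresses and nonces are sorted, so the AP and the client build the
    # same input no matter which side of the handshake they are on.
    data = (min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # 384 bits for CCMP
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def demo() -> dict:
    # Constructed sample values, not taken from the advisory.
    pmk = pmk_from_passphrase("correct horse battery staple", "ExampleNet")
    ap = bytes.fromhex("020000000001")
    sta1, sta2 = bytes.fromhex("020000000011"), bytes.fromhex("020000000022")
    anonce, snonce = os.urandom(32), os.urandom(32)
    return {
        "ap_view": derive_ptk(pmk, ap, sta1, anonce, snonce),
        "client_view": derive_ptk(pmk, sta1, ap, snonce, anonce),
        "other_client": derive_ptk(pmk, ap, sta2, anonce, snonce),
        "next_session": derive_ptk(pmk, ap, sta1, os.urandom(32), os.urandom(32)),
    }
```

The TK (temporal key) in the result is the key that encrypts data frames; it differs for every client and for every new handshake even though the passphrase is shared.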

 

 

A Summary of the Vulnerability

——————————————

The security researchers discovered that they could manipulate and replay
the third message in the four-way handshake to perform a key
reinstallation attack (KRACK). Strictly speaking, each key that is
passed in the four-way handshake should only be used once and never
re-used. However, in a key reinstallation attack, the attacker pretends to
be a valid access point and tricks the client device into reinstalling a
key that is already in use, serving to reset the transmit and receive
packet numbers. For WPA2-AES, the attacker can then derive the same
encryption key as the client device, and then decode upstream traffic from
the client device to the access point. For the older (and less
secure) WPA-TKIP, the attacker can go even further, and potentially forge
and inject new packets into the data stream.
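
Why resetting the transmit packet number matters, and what a patched client does differently, as an added example that is not part of the original advisory or any vendor's code. It is a simplified model: the class and function names are hypothetical, the key and frames are constructed, and an HMAC-based keystream stands in for AES-CCMP counter mode.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, n: int) -> bytes:
    # Toy per-packet keystream keyed by (TK, packet number); a stand-in for
    # AES-CCMP counter mode, which the standard library does not provide.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(tk, pn.to_bytes(6, "big") + bytes([block]), hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ClientModel:
    """Hypothetical model of a client's handling of handshake message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None   # temporal key currently installed
        self.pn = 0      # transmit packet number (per-frame nonce)
        self.air = []    # (packet number, ciphertext) as visible over the air

    def on_message3(self, tk: bytes) -> None:
        # Patched: a repeated message 3 for the key already in use is not
        # allowed to reinstall it, so the packet number keeps counting up.
        if self.patched and tk == self.tk:
            return
        self.tk, self.pn = tk, 0

    def send(self, plaintext: bytes) -> None:
        self.pn += 1
        self.air.append((self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))))

def simulate(patched: bool, frames=(b"GET /login", b"POST /form")):
    tk = bytes(range(16))            # constructed key
    client = ClientModel(patched)
    client.on_message3(tk)           # original message 3
    client.send(frames[0])
    client.on_message3(tk)           # the same message 3 arrives again
    client.send(frames[1])
    return client.air

def reused_packet_numbers(air):
    # Defender's check: a packet number seen twice under one key is a red flag.
    pns = [pn for pn, _ in air]
    return sorted({pn for pn in pns if pns.count(pn) > 1})
```

In the unpatched run both frames go out under packet number 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; in the patched run the packet numbers are 1 and 2 and no keystream repeats.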

 

For an attacker to take advantage of this vulnerability, the attack
must be conducted as a man-in-the-middle attack (i.e. by pretending
to be an AP on your network and acting as a relay between the client
device and the legitimate wireless network).

 

 

How This Vulnerability Impacts EnGenius Products and Networks

————————————————————————————–

As the issue occurs on client devices, the first step for any network
operator is to check with your client device manufacturers for security
patches and updates and apply these updates as soon as they are available.

 

This particular vulnerability has no direct impact on any EnGenius APs
operating in “access point” mode. However, EnGenius
access points that are used as client devices (i.e. Electron™ APs
operating in “client bridge” mode) or any access points that
are used for point-to-multipoint communications (i.e. Electron™ APs
operating in “WDS bridge” or “WDS station”
mode) are potentially impacted by this vulnerability in the IEEE 802.11
protocol.  Furthermore, some advanced applications and features, such
as mesh networking and fast roaming (i.e. 802.11r), may also be
potentially vulnerable to this issue.

 

EnGenius software developers are actively investigating the
impact of this vulnerability across all of the products in our product
portfolio, and will be issuing firmware releases in the coming days and
weeks to address this issue. In the interim, EnGenius still
recommends the continued use of WPA2-AES Personal or WPA2-AES Enterprise
for network security. Do not use WEP and do not use WPA-TKIP, as the
vulnerabilities of those deprecated security protocols are significantly
more serious and easier to execute by a malicious attacker.

 

 

FAQs

———

  1. Can I still run my EnGenius Wi-Fi network?

    1. Yes, you can still run your EnGenius Wi-Fi network. There is no need
      to shut down or replace your EnGenius devices.
    2. This vulnerability is within the Wi-Fi IEEE 802.11 standard itself,
      and is therefore not unique to any particular access point
      or client device vendor. It is generally assumed that
      any Wi-Fi enabled device is potentially vulnerable to this
      particular issue.

  2. Are EnGenius wireless products vulnerable to this type of
    attack?

    • EnGenius wireless products running in “AP mode” have
      no direct impact from this vulnerability.
    • EnGenius access points that are used as client devices such as APs
      operating in “client bridge” mode or any access points
      that are used for point-to-multipoint communications such as APs
      operating in “WDS bridge” or “WDS
      station” mode are potentially impacted by this vulnerability
      in the IEEE 802.11 protocol.
    • Furthermore, some advanced applications and features, such as mesh
      networking and fast roaming via 802.11r, may also be
      vulnerable to this issue.

  3. Is my wireless network still secure?

    • Yes, there is no evidence that the KRACK vulnerability has been used
      maliciously.
    • Yes, all passwords and certificates are still secure. This type of
      vulnerability does not affect passwords, authentication tokens or
      keys.
    • A KRACK attacker must be onsite to conduct this type of attack.
    • The malicious actor must also decrypt over-air traffic between the
      AP and your clients in order to gain any access to your information,
      and this is not easily done.
    • EnGenius still recommends the continued use of WPA2-AES Personal or
      WPA2-AES Enterprise for network security.
    • Do not use WEP and do not use WPA-TKIP, as the vulnerabilities of
      those deprecated security protocols are significantly more serious
      and easier to execute by a malicious attacker.

  4. What can I do immediately to ensure my clients are kept
    secure?

    • This vulnerability also impacts client devices; be sure to check
      with your client device manufacturers and implement any available
      security patches and updates. Major device vendors are working on
      fixing these vulnerabilities and will make patches available as soon
      as possible.
    • Until client device updates are made available, consider disabling
      the 802.11r Fast Roaming feature to help reduce vulnerability.

  5. When will EnGenius provide security patches and updates for this
    vulnerability?

    • EnGenius software developers are currently working on security
      patches and will issue firmware releases as soon as possible.
    • For up-to-date information about affected EnGenius products, refer
      to the Vulnerable Product Updates page.

 

 

For More Information

——————————

The website https://www.krackattacks.com/ provides a detailed summary of the issue along with links to the
research paper and tools detailing the vulnerability.