Hi biomed, thanks for stopping by! It’s Bob in IT again. I want to update you on what we’re doing about Key Reinstallation AttaCKs (KRACK) in IT and share guidance on what you need to do.
We first learned about KRACK a couple of weeks ago. There are multiple vectors of attack against the clients that connect to the network (our PCs, phones, printers, and your medical equipment) and one method of attacking the network itself—our wireless access points. The good news is, so far, the risk of someone leveraging these is pretty low. The bad news is that could change quickly, and we need to take remedial action now before tools become available to exploit the vulnerabilities.
What is KRACK? That’s a good question. KRACK is a set of man-in-the-middle attacks that replay handshake messages to trick a client into reinstalling an encryption key it is already using. Reinstalling the key resets the packet counter (the nonce) that is supposed to make every frame’s encryption unique, so the client starts reusing keystream it has already used. An attacker who captures frames encrypted under the same key and nonce can decrypt them, and in some configurations replay or inject frames as well. It’s not good, and it’s an industry-wide problem.
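To make the “reinstall a key, reset the counter” problem concrete, here is an added example (it is not code from the column or from any vendor). WPA2’s CCMP encrypts each frame with AES in counter mode using the session key and a per-frame packet number as the nonce. Because AES is not in the Python standard library, the script substitutes an HMAC-based counter-mode keystream for AES-CTR; that substitution is an assumption, but the XOR algebra that makes nonce reuse fatal is the same. The frames, the session key, and the “patient” payload are constructed for the demo. The patched client models the actual remedy: ignore a reinstall of a key that is already installed rather than reset the counter.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || block_index), truncated.
    Stand-in for AES-CTR (assumption); same key + same nonce => same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Client:
    """A station whose packet number (the nonce) normally only counts up."""

    def __init__(self) -> None:
        self.key = None
        self.pn = 0

    def install_key(self, key: bytes) -> None:
        """Installing a key resets the packet number. KRACK replays handshake
        message 3 so this runs again with the *same* key."""
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, encrypt(self.key, self.pn, plaintext)


class PatchedClient(Client):
    """Fixed behaviour: a key that is already installed is not reinstalled,
    so the packet number keeps counting up."""

    def install_key(self, key: bytes) -> None:
        if key == self.key:
            return
        super().install_key(key)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If two frames used the same key and nonce, c1 ^ c2 == p1 ^ p2, so
    knowing p1 (say, a predictable protocol header) yields p2."""
    return xor(xor(c1, c2), known_p1)


def run_attack(client: Client) -> dict:
    key = hashlib.sha256(b"constructed session key").digest()
    client.install_key(key)                 # the normal 4-way handshake completes
    p1 = b"GET /vitals HTTP/1.1\r\n"        # constructed, guessable first frame
    n1, c1 = client.send(p1)
    client.install_key(key)                 # attacker replays message 3
    p2 = b"patient=1234&bp=120/80"          # constructed secret, same length as p1
    n2, c2 = client.send(p2)
    return {
        "nonce_reused": n1 == n2,
        "recovered": recover_with_known_plaintext(c1, c2, p1),
        "secret": p2,
    }


if __name__ == "__main__":
    for cls in (Client, PatchedClient):
        r = run_attack(cls())
        print(cls.__name__, "nonce reused:", r["nonce_reused"],
              "secret recovered:", r["recovered"] == r["secret"])
```

Run it and the unpatched client hands over the second frame in full, while the patched client keeps counting and the XOR trick yields garbage. Real CCMP also mixes the sender’s address into the nonce, which is why the attack works on the replaying side rather than across stations, but the two-time-pad consequence is exactly what this shows.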
The network change you saw recently is for us to apply a patch to fix the network’s vulnerability. Most access point (AP) manufacturers have published their fix. It corrects a problem with the 802.11r fast transition protocol. Dot11r is a standard that decreases the delay of a secured client roaming between APs. It’s useful for real-time traffic, voice, and video, specifically, which happen to be delay, loss, and jitter sensitive. We’re not running it on our data networks because older clients have proven to have problems connecting when it’s enabled. If we were running it, a simple workaround would be to disable the feature, but since we have a fix, we’re installing it.
I’m afraid you have the bigger job here, though we’re doing what we can in IT to help give you breathing room. Clients are vulnerable to attack regardless of whether they authenticate with a pre-shared key (WPA2-Personal) or get a unique key generated from their own credentials (WPA2-Enterprise with 802.1X). This is also true whether they’re using old WPA, which has been busted in other ways for a while, or the more prevalent WPA2. The only true remediation is to contact every device manufacturer and get fixed firmware from them. I know, that’s a tall order.
We have time though. I want to stress again that the risk here is low. Supposing there were readily available tools, which so far there aren’t, the attackers would need to set up their own access point, advertise our network’s name, lure an unsuspecting client, and replay the right handshake frame at the right moment to trick it into reinstalling the key it already has.
We’re already monitoring the network for unknown radios, rogue access points if you will, that are attempting to masquerade as serving our network. Once detected, we can work on locating and removing the offender, and we have ways of immediately containing their transmissions so no one can communicate through them. We have to be careful, however, to make sure we’re not stepping on our neighbors in and near our hospitals and clinics. We don’t want the Federal Communications Commission dropping in on us and handing us a fine!
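Here is an added example of the kind of check the monitoring does; it is not the column’s own tooling or any controller vendor’s code. The authorized-AP inventory and the beacon observations are constructed, and the record fields (SSID, BSSID, channel, signal) are assumptions about what a scanner or controller exports. Two rules are applied: a BSSID we don’t own advertising our SSID is a rogue, and one of our own BSSIDs seen on a channel we did not assign it is suspicious, because the published KRACK man-in-the-middle clones the real AP’s MAC address on a different channel rather than inventing a new one. Anything not advertising our SSID is deliberately left alone, which is the neighbor and FCC point above.

```python
# Constructed inventory of our access points: BSSID -> assigned channel.
AUTHORIZED = {
    "00:11:22:33:44:01": 6,
    "00:11:22:33:44:02": 36,
}
OUR_SSID = "HospitalWiFi"  # constructed network name

# Constructed beacon observations: (ssid, bssid, channel, rssi_dbm).
OBSERVATIONS = [
    ("HospitalWiFi", "00:11:22:33:44:01", 6, -48),
    ("HospitalWiFi", "00:11:22:33:44:02", 36, -55),
    ("HospitalWiFi", "de:ad:be:ef:00:01", 11, -60),  # unknown radio, our SSID
    ("HospitalWiFi", "00:11:22:33:44:01", 1, -62),   # our BSSID, wrong channel
    ("CoffeeShop", "aa:bb:cc:dd:ee:ff", 1, -70),     # neighbor: not ours to touch
]


def classify(ssid: str, bssid: str, channel: int):
    """Return a verdict string for a beacon that impersonates us, else None."""
    if ssid != OUR_SSID:
        return None  # a neighbor's network; detection only, never containment
    if bssid not in AUTHORIZED:
        return "unknown-bssid"
    if AUTHORIZED[bssid] != channel:
        # Same MAC as a real AP but on another channel: the KRACK
        # channel-based MitM looks like this (assumption about the attack
        # tooling, based on the published technique, not on this page).
        return "bssid-cloned-on-other-channel"
    return None


def find_rogues(observations):
    """Return (bssid, channel, verdict) for every beacon that needs a look.
    Duplicate sightings of the same rogue collapse to one entry."""
    seen = set()
    rogues = []
    for ssid, bssid, channel, _rssi in observations:
        verdict = classify(ssid, bssid, channel)
        if verdict and (bssid, channel) not in seen:
            seen.add((bssid, channel))
            rogues.append((bssid, channel, verdict))
    return rogues


if __name__ == "__main__":
    for bssid, channel, verdict in find_rogues(OBSERVATIONS):
        print(f"{verdict}: {bssid} on channel {channel}")
```

The list this produces is what goes to the people doing the walk-around with a directional antenna. Containment (sending deauthentication frames against the rogue) is a separate, deliberate step, and it is only ever aimed at radios on this list, never at the neighbor’s network.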
You have a lot of equipment that’ll need updating, so I’d recommend you think about the most critical assets you’re using and get patches as soon as possible. Then work on the rest. In the meantime, we’ll prevent what we can and help ensure all your updates work as planned.
Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force