Another new vulnerability affecting encryption was revealed today, www.krackattacks.com has detailed how their research has effectively found that both WP1 and WPA2 are no longer secure and cannot be relied to protect Wi-Fi communications within encrypted tunnels. This vulnerability affects both personal and enterprise networks, the ciphers WPA-TKIP, AES-CCMP, and GCMP, and significantly affects Android and Linux clients.
Researchers indicate that 41% of Android devices are vulnerable, and until new firmware is installed, communications that do not use HTTPS to encrypt traffic will be vulnerable to eavesdropping and injections of ransomware or malware into websites.
In addition, most IoT devices rely on Wi-Fi encryption because they typically do not support HTTPS. The problem is compounded by the fact that not only will it take time for vendors to update firmware to resolve the vulnerability, but many applications and IoT devices will have compatibility issues that may take significant time to remediate.
The Krack flaw represents yet another reason why consistently deploying HTTPS throughout your environment is so important. The best way to prevent exposure of the Krack kind is to consistently deploy HTTPS to all critical connections, not just web servers. Once that is done, you can’t let your guard down. Even HTTPS is not foolproof, especially if it isn’t deployed correctly, securely, and constantly validated.
The larger challenge is that HTTPS alone does not solve the problem. While we rely on websites to secure their HTTPS configurations, most websites are still not implementing strong encryption practices. This inattention may be due to challenges with compatibility or simply because encryption best practices aren’t prioritized until after a breach affects them or an industry peer.
The bottom line is that it’s critical for all organizations to understand the security implications of the machine identities that govern their encrypted tunnels. And let’s face it. With today’s mobile workforce, you can’t be sure that users are not accessing your network through a (now compromised) WPA2 tunnel.
First you need to re-enforce the need for your users to switch to more safer tunnels that use the more secure SSH or VPN protocols. Then you’ve got to make sure that the tunnels your organization is using are indeed secure and that you can trust the traffic that travels through them. Protecting the machine identities on both sides of a tunnel is a great way to validate the security of your encrypted tunnels.
Does your organization provide adequate oversight for tunnels that travel into and out of your network? See how Venafi can help.