Wi-Fi Key Reinstallation Attack “KRACK” Update: Protecting Unpatched Devices

Summary
On October 16, 2017, security researchers announced several vulnerabilities in the WPA/WPA2 encryption protocol that affect countless Wi-Fi enabled devices worldwide. As a result of KRACK, Wi-Fi data streams, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. This security flaw means that, for vulnerable clients and access points, WPA- and WPA2-encrypted Wi-Fi traffic is potentially exposed until certain steps are taken to remediate the issue.

Presently, there are 10 known vulnerabilities that comprise KRACK. WatchGuard is providing patches for all of our affected products. For non-WatchGuard devices, users should refer to their vendor’s website and security advisories to determine if they are affected, and if updates are available. Even though most companies will provide patches, it’s likely that unpatched devices will interact with your network and expose you to risk. WatchGuard offers additional methods to protect unpatched client devices from KRACK.

How to Mitigate KRACK
The steps below describe recommended actions to protect your network from KRACK vulnerabilities in various scenarios, including from unpatched client devices.

1. Update your access point (AP) firmware
   • WatchGuard will provide patches for all supported APs and tabletop appliances with embedded wireless APs.

 

2. Enable “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” feature. The AP can compensate for the unpatched clients with this setting enabled. Mitigation is recommended only until all clients are patched.
   • AP managed by GWC: Available for the AP120, AP320, AP322, and AP420 with the patch issued on 10/31/17.
   • AP managed by Wi-Fi Cloud (link to WatchGuard Knowledge Base article is below).
   • Firebox with built-in Wi-Fi: Available on the T-10W, T-10W, and T-50W with TBD firmware update.
   • In a small percent of cases, mitigation may exacerbate client connectivity issues in environments already suffering from weak signal coverage or high interference.

 

3. Alternatively, enable “AP MAC Spoofing Prevention” setting in Wi-Fi Cloud WIPS policy.
   • AP managed by GWC: manage your APs with a Wi-Fi Cloud license and acquire dedicated WIPS sensors for your environment.
   • AP managed by Wi-Fi Cloud: enable setting in the management interface.

Additional Information

• Learn more about the WatchGuard patch schedule, and the KRACK Common Vulnerability and Exposure (CVE) identifiers in our Product and Support Blog post.
• WatchGuard Knowledge Base article: WatchGuard Wi-Fi Cloud and the KRACK WPA/WPA2 wireless vulnerabilities.
• See our Knowledge Base article about Gateway Wireless Controller and the KRACK WPA/WPA2 wireless vulnerabilities.