James Anderson

A massive number of technology vendors had to scramble to find patches and updates for their customers when researchers discovered a seemingly universal Wi-Fi flaw.

Belgian researchers last week announced findings from a year-long study, which shows vulnerability in the Wi-Fi Protected Access II (WPA2) security protocol that guards most wireless networks. Skilled cyber attackers can exploit the flaw using a Key Reinstallation Attack, also known as KRACK. The implications are far reaching because the vulnerability is tied to a protocol and not a particular piece of hardware or software.

“The attack … allows a capable, threat actor the ability to inject malicious data into unencrypted HTTP connections. During a supposedly secure session an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting. All companies using WPA2 are impacted and at risk,” said Stephen Gates, chief research intelligence analyst for Zenedge.

Straitform’s Dallas Bishop

Dallas Bishoff, director of security services for Stratiform, tells Channel Partners that only a very skilled threat actor can successfully exploit the vulnerability. The attacker would have to be close enough to the get the wireless signal of a network that is secured with WPA2 and inject an encryption mechanism key. And in the case of a transaction on a bank website, a separate encryption process remains unexposed.

“Despite the hyberbole inside the marketplace, it has relatively limited considerations,” Bishoff said.

Gates agrees that the attack is not proven to be “remotely executable,” which means that the threat actor must be physically close to the target.

“However, the vulnerability in the actual ‘protocol standard’ itself will have a massive fallout, as there are millions upon millions of vulnerable Wi-Fi networks, operating systems and applications that will likely take a considerable amount of time to patch,” Gates said.

But panic over that fallout may overblown, because vendors have responded quickly to the problem. Bishoff says most vendors already know about the flaw and have released patches that address it.

“So in most cases for business networks, the vulnerability won’t even be possible by the end of the week,” he said.

But one type of business faces an elevated risk, according to Bishoff.

“The place where it would have the most impact is small businesses that don’t have the technical skill sets to do updates and patches on their devices, and home networks where most casual users don’t understand how to maintain technical equipment,” he said.

Isaac Adegbemle, chief technology officer of the managed services provider Systemverse, says his business’ role in the response was identifying its vulnerable clients and the vendors they used. He says the MSP’s main vendors – Cisco, Microsoft and Ubiquiti Networks – each responded …

… within two days of the news.

“It was just a case of quickly getting on with the vendors, making sure that they released patches, and then going into our control panel and pushing out those patches to the clients,” he said.

Adegbemle says the vulnerability was a teachable moment for customers to learn the importance of automation in their software and hardware.

“If you don’t have the automation in place to put in those updates month over month over month, then you realize at a certain point that updates start falling through the cracks,” he said. With really important vulnerabilities like this, you can’t afford that to happen. You need a system in place that automates your update installation.”

He says Systemverse has been migrating clients to platforms that can deliver software over the last few years. He says Cisco Meraki is an example of an offering that can quickly deliver new updates in instances like KRACK.

“For small businesses, the way forward is to move away from just going to Best Buy and buying one home or small business wireless router and hooking it up and thinking, ‘Yeah, I’m good as long as it lasts.’ That strategy’s no longer going to cut it.”

Businesses are giving more and more attention to security — even businesses that aren’t traditionally known as financial institutions. As the Equifax breach demonstrated, threat actors are interested in stealing data in order to sell it. Bishoff joins countless analysts in describing the monetization of data.

“Data is the new form of modern currency,” he said. “If you have data, you can convert it into cash for a variety of different reasons. And data gets traded inside the underground.” he said.

We gave initial suggestions for how partners can help their customers through the WPA2 vulnerability last week, with the final recommendation of “don’t panic.”