blog / Oct 17, 2017 New Threat May Slip through the KRACK in BYOD Policies by Lori MacVittie SHARE Another week, another threat. This week dawned with a spate of twitchy fingers telling us about the latest monster to emerge from the closets: KRACK. KRACK stands for Key Reinstallation Attack. You can read the details of this one on a variety of sites including Arstechnica,1 Verge,2 and, as befitting the seriousness of this one, its own website.3 I’ll sum up by saying it’s a flaw in the WPA2 protocol itself that tricks devices into reinstalling keys that can then be used by the attacker to decrypt everything in flight. E v e r y t h i n g. The Verge article ominously reports “41 percent of Android devices are vulnerable to an ‘exceptionally devastating’ variant of the Wi-Fi attack that involves manipulating traffic. Attackers might be able to inject ransomware or malware into websites thanks to the attack, and Android devices will require security patches to protect against this. Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”” The attack exploits the WPA2 protocol.4 Changing your password won’t fix this, nor will rebooting your router—whether it’s at home or in the data center. This one requires end-user device updates. Every. Single. Device. If that doesn’t bother you, it should. The latest statistics on BYOD5 note: North America has the highest BYOD adoption rates at 36%, a number that will increase to about 50% of the market by the end of 2017 (MarketsandMarkets6). More than 67% of workers use their own devices at work (CBS MoneyWatch7). As of 2013, 60% of companies had a BYOD-friendly policy, and estimates are that more than 50% of workplaces will require employees to bring their own devices by 2017 (Gartner8). That means devices employees might be using to access corporate resources right now. Which may make for an interesting conversation if you haven’t paid a lot of attention to carefully crafting a serious BYOD strategy—with serious ramifications. This is a bigger threat than the public one at coffee shops, at airports, and at home. You know, the use of public (open) Wi-Fi by employees—both using personal and corporate-owned devices. A Symantec survey last year9 noted that “87 percent of U.S. consumers have used the readily available public internet, whether at a cafe, airport or hotel.” To make things worse, “logging into” things is a common activity while on public Wi-Fi, with 58% checking e-mail, 56% social media, and 22% checking their bank accounts. You can smell the stolen credentials because the attackers are stuffing them into your corporate systems10 right now. A 2016 survey found similarly frightening statistics on the use of public Wi-Fi:11 48% of Wi-Fi users connect to public Wi-Fi at least three times per week; 31% connect to public Wi-Fi every day. 91% of Wi-Fi users do not believe public Wi-Fi is secure, yet 89% use it anyway. When on public Wi-Fi, 83% of Wi-Fi users access their email, whether it’s for work or personal reasons, and 43% access work/job specific information. If folks are that willing to interact with public Wi-Fi, you can bet that they’re even less concerned about what they do when they’re on a “secured” Wi-Fi network. And that’s really part of the problem. They don’t care. They’re honey badgers. One in four (25%) reported in a survey conducted by Absolute Software12 that the loss or leak of corporate data wasn’t their problem. Another survey on the topic conducted by Centrify13 found that 15% of employees believed they had “no to minimal responsibility to protect data stored on their personal devices.” And it only takes one to infect your entire network or open that tiny little hole for someone else to come behind and dig out. It’s ironic that the name for this security vulnerability is so very close to that dreaded, ancient mariner’s nemesis: The Kraken. Because like the tales of its horrific attacks, when it reared its head there was nowhere to hide. Which is pretty much like this one: there’s no place on the network to hide from this one. To combat this one, you’re going to have be ready to insist (force?) updates on personal devices or perhaps deny them access altogether. However you choose to approach it, you need to approach it from a corporate security perspective. Because it’s a pretty big hole for attackers to drive through. Or drive by, outside, because Wi-Fi signals don’t care, either. This might be the moment we point to in future years as the one that changed how enterprises approached BYOD. Stay safe out there. For a video tutorial explaining the KRACK vulnerability, and what you can do to protect yourself, check out the KRACK page on our DevCentral community site: https://devcentral.f5.com/articles/post-of-the-week-explaining-the-krack-vulnerability-28350 1 https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ 2 https://www.theverge.com/2017/10/16/16481252/wi-fi-hack-attack-android-wpa-2-details 3 https://www.krackattacks.com/ 4 https://www.wi-fi.org/discover-wi-fi/security 5 https://www.insight.com/en_US/learn/content/2017/01182017-byod-statistics-provide-snapshot-of-future.html 6 http://www.marketsandmarkets.com/PressReleases/byod.asp 7 https://www.cbsnews.com/news/byod-alert-confidential-data-on-personal-devices/ 8 https://www.gartner.com/newsroom/id/2466615 9 https://www.cnbc.com/2016/06/28/most-people-unaware-of-the-risks-of-using-public-wi-fi.html 10 https://f5.com/about-us/blog/articles/credential-stuffing-what-is-it-and-why-you-should-worry-about-it-24784 11 https://www.helpnetsecurity.com/2016/10/19/public-wi-fi-users-habits-risk/ 12 https://www.cio.com/article/2378170/cio-role/cios-battle-worker-apathy-towards-lost-or-stolen-mobile-phones.html 13 https://www.cio.com/article/2376794/byod/cios-face-byod-hard-reality--employees-don-t-care.html SHARE MODIFIED: Nov 16, 2017 Tags: cyber security, krack, threat intelligence, wifi, wpa2 stay up to date Get the latest application threat intelligence from F5 Labs. There was an error signing up. Thank you, your email address has been signed up. submit Follow us on social media. Related Stories article / Jul 22, 2016 Web Injection Threats: The Cost of Community Engagement on Your Site article / Oct 23, 2016 DARPA Proves Automated Systems Can Detect, Patch Software Flaws at Machine Speed blog / Aug 12, 2016 Is HEIST a Risk or a Threat?