A couple weeks ago, a serious security flaw in the WPA2 protocol, that can be exposed with Key Reinstallation Attacks (or KRACK for short), was introduced to the world. This was an interesting discovery because we’re used to seeing vulnerabilities typically show up in software, whereas this weakness was found in a protocol, and a widely-used one at that.
WPA2 is common security protocol used to encrypt many of the Wi-Fi networks you’re likely currently connected to or have recently used. When a user uses a device to connect to a Wi-Fi network that uses WPA2, a four-way handshake is initiated between the device and the access point (typically a router) that the device connects to. An attacker could use the vulnerability that was discovered in WPA2 to initiate a KRACK to interfere inside the handshake process and start sniffing traffic exchanged over the Wi-Fi connection, where the attacker would see unencrypted data.
How KRACK Impacts the Enterprise
You may be wondering, what does that really mean for my organization? Most organizations today allow their employees to use a variety of devices, including smartphones, laptops, desktops and rugged devices. Employees usually either bring in their own device (known as BYOD or bring your own device) or have devices issued to them from corporate (known as corporate-owned devices). Many of these devices connect to Wi-Fi networks to give users access to their local network (intranet) or world-wide network (internet)—and that is where KRACK comes into play.
Corporate data that flows freely across Wi-Fi networks using the WPA2 protocol could be stolen using KRACK. If an attacker is within range of that Wi-Fi network, he or she could sniff sensitive information, such as passwords, emails and contact information, which is exchanged between devices employees use and the Wi-Fi network they’re connected to. An attacker doesn’t even need to know the WPA2 password key to enable the attack!
Patches have already been issued for many of the operating systems that run on devices that connect to Wi-Fi networks with WPA2. For example, Microsoft quickly issued a patch for Windows 7, 8.1 and 10 operating systems. Customers with desktops, laptops and mobile devices running Windows should immediately patch their devices.
However, many customers have more than just Windows operating systems running in their environment and on their end users’ devices, including iOS and Android. Google will release their patch for Android on Nov. 6, for example. Devices that run Android also tend to not run the latest version of the operating system, which creates an even bigger security hole.
For any organization where this is relevant, VMware Workspace ONE can help.
How to Protect the Enterprise From KRACK
At its core, Workspace ONE, powered by VMware AirWatch unified endpoint management technology, simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management.
Specifically, as we focus on KRACK and similar cybersecurity threats, Workspace ONE has VMware Tunnel capabilities that allow VPN access on a per-app basis to corporate resources. The VMware Tunnel allows mobile device Wi-Fi traffic to be encrypted at the application level.
On an Android device for example, VMware Tunnel would allow only specific apps on the device to VPN into the network to access corporate data, and the traffic exchanged across the connection created between the app and corporate resources would remain encrypted and protected if an attacker tries to use KRACK to sniff data.
Furthermore, Workspace ONE has mobile device management controls to help mitigate the risk caused by KRACK and similar threats. For example, with Workspace ONE, IT can restrict devices from even accessing Wi-Fi networks and ensure only cellular data is used. Cellular traffic is not affected by KRACK.
Workspace ONE is a digital workspace platform that combines identity and context to enable simple and secure access to apps from any device. The platform can be extended to provide additional security capabilities that would also help when combating against KRACK.
Several partners of the VMware Mobile Security Alliance focus on mobile threat defense (MTD), which can add extra layers of security across mobile devices. Workspace ONE and these mobile threat defense solutions are integrated such that anytime a man-in-the-middle (MiTM) attack like KRACK is detected from that MTD solution, that information is relayed into Workspace ONE.
At this point, Workspace ONE can automatically move the device that was affected by KRACK into a smart group and enforce a specific policy and/or remediate. Once the threat is removed, the device can return to its original, non-restricted state.
Best Practices for Mobile Security
While the WPA2 vulnerability remains top of mind for organizations and full patches are issued, it’s important to note some best practices for mobile security, including:
- Using a solution like Workspace ONE to enforce minimum operating system versions to prevent malicious devices from connecting to corporate resources
- Using VPN technology, such as VMware Tunnel, to exchange unencrypted data
- Continuing to use WPA2 compared to legacy protocols, which may have even bigger security holes
- Being aware that all encrypted application and web traffic (HTTPS, for example) continues to be encrypted
The WPA2 vulnerability is just the latest in a string of cybersecurity threats we’ve seen this year, and we’ll continue to see threats become more dynamic as they evolve. Minimizing risk for corporate data loss has to continue to be a top priority for any organizations.
Workspace ONE can help by providing organizations with a secure digital workspace for their employees. For more information on Workspace ONE, visit vmware.com/go/workspaceone.
