Infineon, WPA2, KRACK – Oh My!!!

“Oh My” is about as best as you can describe it, what a week it’s been! And it’s only Wednesday!!

On Monday, Common Weakness Enumeration (CWE) issued CWE-310: Cryptographic Issues - CVE-2017-15361. The report identifies a flaw in the Infineon RSA library version 1.02.013 resulting in improperly generated RSA key pairs. As a result, attackers may be able to recover the RSA private key. The list of impacted devices and vendors is quite exhaustive. 

Vulnerability Note VU#307015 from the CERT vulnerability database (sponsored by the Department of Homeland Security) suggests the following courses of action:

1)     Apply an update as soon as it is available

2)     Generate an ECC key pair since ECC keys are not impacted by this vulnerability

3)     Only RSA key generation is impacted, not the use of secure keys. Hence, owners of affected devices could generate an RSA key pair using different method (e.g., OpenSSL) and then use the new secure RSA key pair with the old device.

4)     The report also suggest replacing the device with a non-impacted device but this seems a bit drastic since other alternatives are available

On the same day, CERT went on to report another major vulnerability that affects most everyone using Wi-Fi. Vulnerability Note VU#228519 reports that an inherent flaw in the Wi-Fi Protected Access II (WPA2) handshake protocol can be manipulated to induce nonce and session key reuse. In layman’s terms, this makes it possible for an attacker to use a man in the middle attack to gain access to the wireless network, devices on it, or data being transmitted. Devices affected include Linux/Unix based systems, Android Phones & Tablets, and Internet of Things (IoT) devices.

KrackAttacks discussed this vulnerability in depth and demonstrated how to exploit it.

So, if turning off Wireless is not an option, how can you protect yourself? The only truly effective answer  would be to updated the drivers and Operating Systems for affected client devices. Don’t forget some of the items in your home such as set-top video devices, smart TVs, Blue Ray players, thermostats, cameras, light bulbs and switches, alarm systems, door bells, wireless locks, printers and of course your phones.

Of course, the infrastructure equipment should be patched as well. The list of companies releasing patches is growing rapidly. Check with your device manufacturer for an update and apply it as soon as it is available.

Devices that are not affected include Apple iOS devices (iPhones & iPads) as well as Microsoft Windows 7 or Windows 10 devices.