By Vince Lujan Posted October 28, 2017
The Key Reinstallation Attack (KRACK) on WiFi has been in the headlines recently. For those who haven’t heard, KRACK targets the WPA2 protocol – the protocol internet-connected devices leverage to communicate with wireless access points (WAPs).
Unfortunately, the KRACK attack happens on the device itself, outside of authentication and most modern network security best practices. That is why JumpCloud was quick to respond to the KRACK vulnerability to teach our customers how to secure WiFi in response to KRACK.
What is KRACK?
Since the KRACK vulnerability exists on the device level, not the network, we must be mindful that the attack is happening beyond the scope of authentication and network security for wireless-capable devices.
KRACK is effectively a man-in-the-middle attack, in which the bad guys broadcast a rogue wireless signal that appears to victims as the real network they are trying to join. Once connected, attackers have the ability to install an encryption key onto user devices.
The result is that all wireless traffic that was previously assumed to be safely encrypted by WPA2 is now transmitted as plain text viewable by attackers. This information can literally be anything transmitted over WiFi including passwords, credit card information, social security numbers, photos – essentially anything you don’t want the bad guys to have.
The good news is that the fix for KRACK is simply patching the device. Most IT companies and service providers have already pushed updates to protect against KRACK. That means that as long as users update their devices, they will likely be safe from the KRACK vulnerability.
Securing WiFi beyond KRACK
While the KRACK vulnerability can be easily remedied in most circumstances, it is important that we all use this as an opportunity to start a conversation about the best practices for WiFi security with our friends, family, and peers to ensure that we as a community are doing all that we can to protect ourselves from the bad guys.
The sad truth is that while the KRACK attack has been the most recent headline, it is but one attack vector in a sea of threats. That is why it is so important that we do all we can to secure our information because attackers only need one way in, whereas we must defend from all directions.
As a security company, JumpCloud was quick to respond to the KRACK vulnerability by educating our customers about how to protect themselves from KRACK. Yet, WiFi security goes far beyond protecting against KRACK and one of the best ways to secure WiFi is by implementing RADIUS.
Securing WiFi with RADIUS
RADIUS is a network security protocol in which users leverage login credentials that are unique to each individual. In doing so, RADIUS ensures that only authorized individuals can access the network, in contrast to the shared SSID and passphrase model.
Without RADIUS, organizations are forced to share SSIDs and passphrases. This approach is far less secure because effectively anyone with the passphrase can gain access to the network. This can include former employees, visitors, and anyone else who retains access to the network when they shouldn’t – including attackers.
The challenge with RADIUS is that it has traditionally been difficult to implement. Organizations had to stand up RADIUS servers and manually configure all of their endpoints to work with the RADIUS service. That is why so many organizations continue to leverage the shared SSID and passphrase model: it’s just easier. Yet, organizations must understand this shortcut comes at the expense of security.
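An added example, not part of the original post or of any JumpCloud tooling: a short Python audit that reads a client's wpa_supplicant.conf and reports which networks still use the shared-passphrase model and which use per-user credentials checked by a RADIUS server. It goes one step beyond the text by also flagging per-user networks that set no ca_cert, since the client then does not validate the server it sends credentials to; the SSIDs, identities and certificate path are constructed sample values.

```python
import re

# Constructed sample wpa_supplicant.conf: SSIDs, identities and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="office-legacy"
    psk="one-passphrase-for-everyone"
}
network={
    ssid="office-radius"
    key_mgmt=WPA-EAP
    identity="alice"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
}
network={
    ssid="office-radius-nocert"
    key_mgmt=WPA-EAP
    identity="bob"
}
'''

def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", conf_text, re.S):
        fields = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(conf_text):
    """Map each SSID to a finding about its authentication model."""
    findings = {}
    for net in parse_networks(conf_text):
        # wpa_supplicant defaults key_mgmt to "WPA-PSK IEEE8021X" when it is unset.
        key_mgmt = net.get("key_mgmt", "WPA-PSK IEEE8021X").split()
        finding = "other"
        if "WPA-EAP" in key_mgmt:  # 802.1X/EAP: credentials go to a RADIUS server
            finding = "per-user (RADIUS)" + ("" if "ca_cert" in net else ", server cert not validated")
        elif "WPA-PSK" in key_mgmt:  # one passphrase shared by every user
            finding = "shared passphrase"
        findings[net.get("ssid", "?")] = finding
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```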
Fortunately, a new generation of Identity-as-a-Service (IDaaS) platforms can provide RADIUS-as-a-Service to simplify the process. One particularly powerful example is Directory-as-a-Service®.
RADIUS with Directory-as-a-Service
RADIUS-as-a-Service is a native function of Directory-as-a-Service, and is included at no added cost. With RADIUS-as-a-Service, JumpCloud administrators can enjoy all of the benefits of RADIUS without the heavy lifting of setting it all up. Instead, organizations simply point their endpoints at JumpCloud managed RADIUS servers in the cloud and we take care of the rest.
The key advantage with this approach is that organizations gain the ability to control access to their networks on an individual basis. End users simply leverage their core credentials to gain access to the network – the same credentials they will use to log in to their computer, email, web apps, and more. These credentials can be revoked at any time by IT admins, preventing specific users from accessing the network while still allowing everyone else to remain connected.
Unfortunately, RADIUS cannot help protect against KRACK. However, in addition to patching your devices, RADIUS is the next step to ensuring access to wireless networks is secure. Check out our security briefing video for more ways to protect yourself from the KRACK vulnerability.
Learn more about RADIUS-as-a-Service
To learn more about how to secure WiFi in response to KRACK, drop us a note. You can also sign up and see, risk-free, just how easy our RADIUS-as-a-Service functionality is to use. Your first ten users are on us.