Use a Fingbox to help whack the KRACK attack
There’s not a great deal to add to the excellent job done by the researchers who revealed the KRACK attack to the world some weeks ago now. I would wholeheartedly encourage you to go read up at the Manny Vanhoef Key Reinstallation Attacks site.
In brief, Manny discovered that the WPA2 protocol could be exploited by an attacker within range by using something he calls key reinstallation attacks or KRACKs. While most major router vendors have already rolled out firmware patches to fix this, not everyone updates their router firmware manually and not all routers do so automatically. Unpatched routers, and other networked devices, are most likely to be still at risk when they are in the domain of the consumer.
As Manny says “to prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
So what can be done for the home user to help mitigate the risk, if they are not the firmware updating type. Well, obviously, educating them as to why they should be is the prime method. Failing that though, apps and gadgets that have shiny LED lighting always do well on the home user engagement front in my experience.
So it was, that I found myself recommending Fing the app, and Fingbox the hardware, to a few friends and family members during this last month on the basis that, in the case of KRACK, network device discovery is your friend.
These users don’t need to know that a KRACK attacker will be able to send de-authentication packets to mobile devices to force a reconnection, and thereafter send a ‘channel switch announcement’ that forces a connection to a rogue access point. After which the key reinstallation attack can be deployed.
What they do need to know is that something can be done to prevent this, by knowing what devices are connected and getting alerted when things change. Such evil twin attacks are appropriately named, and notoriously difficult to spot unless you know what you are looking for. Or have a Fingbox.
I wish a Fingbox were cheaper, because at £125 it’s out of the reach of most home users with a ‘meh’ security mentality. For those willing to make the investment, it’s worth every penny in my never humble opinion. At least the Fing app is free, and the two work together in a seamless enough fashion. Again, the average user doesn’t need to know that the hardware sits on the network and grabs IP and router info by way of DHCP so monitoring the wired network itself and any wireless devices attached to it. They do need to know that to install it all they have to do is plug it into the back of the router and wait for the light circle on the top of the device to turn blue, then fire up the app.
It only detects devices on the same subnet, so more complex networks involving segregation are going to be a non-starter for the Fingbox. That said, being warned by email or smartphone notification as soon as any new device connects to the network, is really useful. Especially when away from the home or office, and doubly-especially when coupled with an easy ability to suspend that connection or boot it from the network. Ditto being notified when devices you’ve flagged as important go offline.
For the home user who’s looking for a little more control without having to go to network security evening classes (although that might not be a bad thing for many folk) the Fingbox ticks many boxes. Not least that it can detect the type of man-in-the-middle attack that catch people out all too often. Namely, courtesy of the Wireless Intrusion Detection System (WIDS) ability to alert users about ‘evil twin’ and ‘rogue’ access points, and disable them; and therefore an ability to mitigate a potential KRACK attack before it can do any damage.
I quite like the fact that the Fingbox developers are on top of their patching game. Earlier this month they rolled out the Internet Security 2 firmware (and associated app) update that brought reporting of new ports discovered since the previous scan was made and an ability to close down these ports via UPnP. And, of course, that aforementioned KRACK attack detection and evil twin access point protection. Oh, and an ability to add trusted gateways that prevent alerts on routers that need to change network gateway frequently, which is cool.
As I say, it’s not really aimed at the network nerd, nor the cybersec guru. It’s aimed squarely at those people most likely to find themselves in the middle of a cyber threat scenario, the average consumer. Sure, it won’t help everyone with every threat. It is, however, another layer in the defensive onion and one that doesn’t need any great ‘skillz’ to deploy or use. As I say, again for keen eyed readers, what a pity it can’t be a lot cheaper as the investment is going to be one too far out of reach of the real target market that needs such stuff.