The KRACK Attacks and Libraries

Posted on October 19, 2017 in Broadband privacy, cybersecurity, libraries, News and Updates, Privacy and Security

By Galen Charlton

Earlier this week Mathy Vanhoef of the imec-DistriNet research group at the Katholieke Universiteit Leuven announced his discovery of a set of related vulnerabilities in WPA2, a protocol used to encrypt communications over wireless networks. KRACK, as Vanhoef dubbed the vulnerability, expands to Key Reinstallation Attacks.

The vulnerability exploited by KRACK lies in how Wi-Fi devices set up keys for encrypted communications when connecting to a wireless access point. Under certain circumstances, an attacker who is physically in range of the wireless network can interfere with the process of installing a session key during the initial handshake. In particular, it is possible to force a Wi-Fi client to reinstall the session key, which resets the associated cryptographic nonces so that previously-used nonces are reused. When that happens, depending on the particular WPA2 protocol options in effect, the attacker can then go on to decrypt or forge wireless frames. In turn, this can enable further attacks; for example, if the Wi-Fi device then connects to a website over plain HTTP, the attacker could snoop on the traffic or potentially inject extra content.
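A toy model of the key-install step, added here as an illustration (not code from the original post or from Vanhoef's work): the vulnerable client accepts a retransmitted message 3 of the handshake, reinstalls the same key and resets its packet number, so two frames share a keystream; the fixed client refuses to reinstall a key that is already in use. The keystream function and the key are constructed stand-ins for CCMP's AES-CTR, chosen only so the example runs offline.

```python
import hashlib
import hmac


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy keystream standing in for CCMP's AES-CTR (assumption: HMAC-SHA256 over
    key, packet number and block counter). Same key and same pn give the same bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, pn.to_bytes(6, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Key-install step of a Wi-Fi client's 4-way handshake, with or without the fix."""

    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall  # fixed clients ignore a reinstall of the key in use
        self.ptk = None
        self.pn = 0  # CCMP packet number (nonce); must never repeat under one key

    def on_message3(self, ptk: bytes) -> None:
        if self.reject_reinstall and ptk == self.ptk:
            return       # fixed client: a retransmitted message 3 does not touch the nonce
        self.ptk = ptk   # vulnerable client: (re)installs the key ...
        self.pn = 0      # ... and resets the nonce to its initial value

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def simulate(reject_reinstall: bool, known: bytes, secret: bytes) -> bytes:
    """Install the key, send one frame, accept a replayed message 3, send a second frame.
    Returns what an eavesdropper who knows the first frame's plaintext can recover of
    the second: the whole secret when the nonce repeated, nothing otherwise."""
    ptk = hashlib.sha256(b"constructed PMK and nonces").digest()  # constructed session key
    client = Supplicant(reject_reinstall)
    client.on_message3(ptk)
    pn1, c1 = client.encrypt(known)
    client.on_message3(ptk)  # replayed message 3 (the attacker blocked the client's message 4)
    pn2, c2 = client.encrypt(secret)
    if pn1 != pn2:
        return b""  # different nonces, different keystreams: the XOR leaks nothing usable
    return xor(xor(c1, c2), known)  # keystreams cancel, leaving the secret plaintext
```

This is why the client-side fix is to refuse installing an already-installed key rather than to add a new cipher: the cipher is sound, the nonce discipline around it was not.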

The KRACK attack primarily affects Wi-Fi clients, but can also affect access points and routers, particularly if the 802.11r protocol for fast roaming is in use.

Linux and Android are particularly vulnerable to KRACK attacks, but Windows, macOS, and iOS are also affected. As of this writing, patches are available for all major Linux distributions and supported versions of Windows. Apple has issued patches for beta versions of macOS and iOS that should make their way into general release soon, and Google is reported to be working on patches for Android. Manufacturers of access points and wireless routers have also started releasing patches.

Since attackers need to be in the same physical area as the network they wish to attack, many organizations can mitigate potential (external) KRACK attacks simply by attending to physical security and keeping visitors out.

Of course, many libraries operate public Wi-Fi services that use WPA-PSK, or must necessarily allow patrons to be within range of the protected networks used by library staff. To avoid the potential for interference with library networks or snooping on patrons’ online activity, libraries can take the following steps to mitigate the risk.

  • Apply patches to library computers and network equipment as they become available.
  • Switch devices such as patron and circulation workstations over to wired Ethernet where possible.
  • If you use 802.11r (fast roaming) on your wireless networks, consider turning it off until you have an opportunity to patch your access points.
  • Promote the use of HTTPS Everywhere.
  • If your library offers technology training for patrons, consider offering sessions about managing software updates.

Several aspects of KRACK and the way it was announced raise general issues of concern for staff responsible for securing library networks and resources:

  1. Library skills regarding the evaluation of sources of information apply to security announcements, too.

Going by the headlines, the KRACK attack “destroys nearly all Wi-Fi security” (Ars Technica), is something not to worry about (Lawfare), or in any event is not worth burning the house down (Kevin Beaumont). A more nuanced take is offered by Bruce Schneier.

Who benefits from exaggerating the impact of a vulnerability — or downplaying it? Who has demonstrated expertise in network security — and who is just speculating or even posing? It can be hard to evaluate claims about computer security, and even more so when cryptography is discussed.

KRACK, since it involves a vulnerability in most implementations of a widely-used protocol, is serious, but the degree of your library’s exposure to it heavily depends on the specifics of which WPA2 protocol options you use and the devices that connect to them. When evaluating your potential risk, first, don’t panic — but pay attention to security news, particularly bulletins from the manufacturers of your wireless network equipment.

  2. When in doubt, patch.

Regardless of the specific impact on your library, KRACK is certainly worth patching against. Patches can be expected for most supported devices and should be applied as they become available. CERT maintains a list of vendors and operating system providers that may have patches available.

  3. We do not live in the Platonic realm where mathematical proofs of the security of protocols can ignore implementation details.

Vanhoef’s KRACK paper cites a formal proof (Changhua He et al. 2005) of the correctness of various aspects of the IEEE 802.11i standard underlying WPA2 — then points out that while the proof remains correct, it was not complete, as it failed to model the installation (and reinstallation) of keys.

The deficiencies in the model can presumably be corrected — but, of course, there’s no guarantee that every implementation will fully and correctly match the model that was formally validated.

For the library IT worker who is not in a position to personally verify formal proofs, those proofs amount to a useful data point for selecting which protocols to require, but they cannot replace testing and monitoring the implementations that are actually deployed.

  4. Defense in depth matters.

Depending on the specific WPA2 protocol options in effect, a successful KRACK attacker may be able to decrypt or forge packets between a wireless device and the access point. However, that doesn’t give the attacker any special way to decrypt HTTPS traffic as TLS encryption occurs at a higher protocol layer — although as demonstrated in Vanhoef’s video, an attacker may be able to force a client’s web browser to downgrade connections to HTTP if the secure website is not configured properly.

The lesson for libraries: efforts to promote the adoption of mandatory HTTPS across the board should continue, and can help mitigate weaknesses in other protocols.

  5. The Internet of Things (IoT) is going to remain a headache for library IT staff.

As Brian Barrett points out in Wired, while many computers, mobile devices, and routers will get patched against KRACK sooner or later, many will never be, including IoT devices. A lightbulb that acts as a Wi-Fi range extender may have been made by a manufacturer that no longer exists or no longer supplies software updates — or never did. If updates are available, it may not be easy to apply them.

The potential impact of a compromised IoT device can vary widely. If an attacker manages to convince an IoT garage door opener to keep the library’s loading dock door closed, it is a nuisance. If the door is instead induced to open, the nuisance could turn into loss. Alternatively, a compromised device could become an entry point into the library’s network for snooping or bulk downloading of sensitive information — as apparently was the case for a casino operating an Internet-enabled fish tank.

What should a library do? For starters, keep track of all devices purchased by the library that can connect to networks. Bear in mind one lesson of the Wi-Fi light bulb: IoT devices can slip in through budget lines other than that of the systems department. Prefer manufacturers that credibly claim to provide software updates and a way for them to be applied automatically — but also budget for when those updates stop and it may be better to replace the devices.

To sum up, KRACK as a vulnerability in Wi-Fi encryption does represent a risk to patron privacy and the security of library networks, so patch early and often… but don’t panic.

Galen Charlton is Infrastructure Manager at the Equinox Open Library Initiative and a contributor to the Evergreen and Koha open source ILS projects. He can be found on Twitter as @gmcharlt.

Privacy News and Views for July 7, 2017 (The ICYMI Edition)

Posted on July 7, 2017 in Uncategorized

This week’s edition of Privacy News and Views covers the past two weeks of privacy news, due to a hiatus for ALA’s Annual Conference and the Fourth of July holiday.


Government Surveillance

How the government can read your email | Politico

Spy agencies seek permanent authority for contested surveillance program | Washington Post

The Supreme Court Phone Location Case Will Decide the Future of Privacy | Motherboard

Color of Surveillance Conference Highlights Monitoring of Immigrant Communities  | Free Press

DHS Is Starting to Scan Americans’ Faces Before They Get on International Flights | Slate

Corporate Surveillance

Internet Privacy Policies: Who Has a Right to Your Data? | Consumer Reports

Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data | Gizmodo

FTC Halts Operation That Unlawfully Shared and Sold Consumers’ Sensitive Data | Federal Trade Commission

Libraries and Privacy

Omaha libraries loosen security footage policy for police  | Omaha World Herald

TSA and Reader Privacy

New TSA Policy May Lead to Increased Scrutiny of Reading Material  | American Civil Liberties Union

TSA Considers Forcing You To Take Books Out Of Your Carry-on Luggage | The Hill

Hands off my books, TSA. And leave my cookies alone.  | Sacramento Bee

Remove your shoes … and your books | Times Higher Education

TSA Doesn’t Want Your Books | Inside Higher Ed

TSA ends test of separate screening for books | CBLDF


Online Reviewers Face Feds Over Right to Stay Anonymous | Wall Street Journal

Geolocation / Tracking

Illinois “Geolocation Privacy Protection Act” Passes Both Houses, Headed to Governor’s Desk | Lexology

Illinois: Geolocation Privacy Protection Act “among the first of its kind” |  DataGuidance

Broadband Privacy

Why almost every state is partially or fully rebuffing Trump’s election commission | Washington Post

California bill aims to revive broadband privacy rules that were killed by Trump and Congress | Los Angeles Times

Trump took away your internet privacy. A California legislator wants to give it back | Sacramento Bee

Blackburn privacy bill hits Democratic wall | Politico

Student and Minors’ Privacy

Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business  | Federal Trade Commission

Complying with COPPA: FTC Releases Updated Six-Step Compliance Plan for Businesses | Lexology

Data Breach Response Training Kit | U.S. Department of Education

In Rhode Island, Some Schools Think They Have the Right to Spy on Students With School Laptops | ACLU of Rhode Island


Let’s Encrypt brings free wildcard certificates to the web | ZDNet

Australia advocates weakening strong crypto at upcoming “Five Eyes” meeting | Ars Technica

Five Eyes agree to engage with industry on terrorists’ use of encryption | The Globe and Mail

Perils of Back Door Encryption Mandates | Human Rights Watch

What If Apple Is Wrong? | MIT Technology Review

This Week in Data Breaches

Email Phishing Scam Causes UC Davis Health Data Breach  | CBS Sacramento

Hacker Steals Millions of Accounts from Internet Radio Service 8tracks | Motherboard

Massive WWE Leak Exposes 3 Million Wrestling Fans’ Addresses, Ethnicities And More | Forbes

Loews Hotels Warns Customers of Data Breach | NBC10

Texas Association of School Boards Data Breach Exposes Teachers’ Social Security Numbers | Government Technology

Indiana Medicaid patients warned of possible data breach | The Indy Channel

The Medicare machine: patient details of ‘any Australian’ for sale on darknet  | The Guardian

A Republican contractor’s database of nearly every voter was left exposed on the Internet for 12 days, researcher says | Washington Post

Privacy News and Views, June 11 – 17

Posted on June 16, 2017 in Choose Privacy Week, News and Updates


Privacy @ ALA Annual 2017 | Choose Privacy Week

The Color of Surveillance: Government Monitoring of American Immigrants |  Georgetown Law Center on Privacy & Technology
A live workshop on June 22, 2017 with available livestream

Libraries and Privacy

Privacy vs. Security:Council debates merits of library video surveillance system | Planet Princeton (NJ)

Woman says librarians know who hit her car but can’t tell her | WSB-TV (GA)

Government Surveillance

Opposing Trump, conservative bloc demands reforms to internet spy law  | Reuters

Senate Considers Potential Changes to ECPA to Ease Access to Electronic Data Across Borders | National Law Review

Company Lost Secret 2014 Fight Over ‘Expansion’ of N.S.A. Surveillance | The New York Times

Hands off my books, TSA. And leave my cookies alone.  | Sacramento Bee

FISA Court Releases 18 Opinions Regarding Section 702 | Lawfare

Consumer Surveillance

Database Marketing and the Tragedy of the Commons  | The Scholarly Kitchen

Consumers Uncomfortable With Smart TV Data Collection: Survey | Multichannel News


Ending The Endless Crypto Debate: Three Things We Should Be Arguing About Instead of Encryption Backdoors  | Lawfare

Biometric Privacy

Former Mariano’s employee sues over fingerprint data | Crain’s Chicago Business

Essays and Scholarship

Online Privacy and the Invisible Market for Our Data | Penn State Law Review, 2016, Forthcoming via SSRN

We Californians have a right to privacy. But what does it mean in the digital age?  | Sacramento Bee

The Digital Privacy Paradox: Small Money, Small Costs, Small Talk  | National Bureau of Economic Research (fee for download)

This Week in Data Breaches

Credit Card Info Stolen From 12 Restaurants Nationwide  | Beachwood Patch

One million people affected by WSU data breach  | KUOW

Georgia official discounts threat of exposed voter records  | Seattle Times