Is Your POS System Safe From The KRACK Attack?

As you get older, the things you are afraid of begin to change. When you have to file your own taxes and set up your own doctor appointments, suddenly the boogie man doesn’t seem so scary. However, there is a new ‘scare’ every adult should be aware of, and I’m not referring to the clown from the upcoming revival of IT. That’s right, the “KRACK-en” has been unleashed upon the tech world. (Insert terrified screams here!)

Maybe you’ve heard of Key Reinstallation Attacks (more commonly referred to as KRACK attacks) and maybe you haven’t. Either way, this threat effects you, your great-grandma in Buffalo, and your favorite coffee shop down the street. What’s more, it can affect your business too! Sorry to rain on your parade, but no one’s Wi-Fi enabled devices are safe from this one. Seriously, this list of devices vulnerable to some variant of this attack is long. (Here are just some prominent names that jumped out at me: Apple, Android, Linux, Dell, Google, Hewlett Packard Enterprise, Intel, Microsoft, Sony, Oracle, McAfee, LG, IBM, Amazon, and Blackberry.) Like I said, no one is immune here. 

What Is A KRACK attack?

So now that I’ve alarmed you about who this threat effects, let’s discuss exactly what a KRACK attack is. On October 16, 2017, Mathy Vanhoef, a researcher at a Belgian university, released a report titled Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse. If you’re anything like me (not the biggest tech nerd out there), reading this title may have left you scratching your head. But after spending some time researching and speaking to some experts on the subject of this attack, Vanhoef’s report becomes more unnerving to me on a personal (and business) level. I’ll explain why.

The ultimate effects of this kind of attack are still in the speculation phase. However, it’s clear that, if ever carried out on a mass level, KRACK attacks could devastating to anyone who hasn’t taken the necessary security measures to protect themselves and their online information.

Vanhoef’s report opens with this less-than-encouraging paragraph explaining his findings:

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

Yikes! Or as a kid who has to get creative with their cussing might say: “Oh KRACK!”

What’s even more alarming is the fact that WPA2 systems are everywhere. Since 2004, they’ve traditionally been viewed as the most secure option, but as evidenced in the paragraph above, that simply isn’t true anymore. Joy.

How Is A KRACK Attack Carried Out?

Above is a video (created by Vanhoef) that shows exactly how a KRACK attack utilizes weaknesses in the WPA2 protocol. But I’ll do my best to explain just what happens during a KRACK attack.

Whenever your wireless device connects to Wi-Fi, it participates in what is called a four-way handshake. This “handshake” verifies a user’s password and establishes an encrypted connection between the router and the device. Attackers who are close by (within around 100 ft) can use key reinstallation attacks to bypass WPA2 network security; they are then able to see information that is no longer encrypted and may be able to steal sensitive data as it passes through the network. Depending on your network configuration, attackers may even be able to add ransomware or malware to websites.

As I mentioned, attackers must be in close range to the Wi-Fi system they are trying to access. This makes it impossible for attacks to be carried out from miles away. And while it is possible for attackers to simply sit in a parking lot in front of a store and hook up high-powered wireless antennas, I’ve been told by a couple of experts that it isn’t likely to happen.

If you are interested in more in-depth information about how KRACK attacks work, check out Vanhoef’s report. I found The KRACK Wi-Fi vulnerability, explained like you’re five to be very helpful as well.

What Does This Mean For My POS System?

Some things may go without saying, but when it comes to the security of your POS system, you should never assume anything. If your POS system is operating via Wi-Fi and is sending/transmitting unencrypted data, it is no longer safe, even if your network is password protected. (You probably shouldn’t be sending unencrypted data over your Wi-Fi network anyway, but that’s just my two cents.)

If you are using a locally-installed POS system, you need to pay especially close attention to this form of attack. You may think that, because most legacy systems rely on wired networks, your system is safe. Such a misconception that could be potentially catastrophic. Take it from Mark Guagenti, an expert from Tidal Commerce:

“Security for [POS] systems has improved since 2004 [when WPA2 was introduced], however, that door is now open again. All it takes is one device or misconfigured network to open up the whole system.”

Back in 2013, when Target’s data breach affected 41 million customers, hackers gained access via the HVAC system (which was on a network that had access to the internal systems)! And in 2007, attackers were able to steal the information of 45.7 million credit and debit cards from a major retailer simply because T.J. Maxx didn’t update their data encryption system. Whoops.

Hopefully, we won’t see any huge, KRACK-based POS data breaches soon, especially since there is an easy fix. But merchants should take this threat seriously. Double and triple check your systems to ensure safety. As Guagenti warns:

“An attacker [would be able to] wreak real havoc on an unsecured register, especially if the software is outdated. They could poke and prod at the registers API, possibly run fraudulent transactions, open/close the cash drawer, etc. They could also possibly get into other systems like the back office computer.”

Most newer iPad/Android-based cloud-based systems could also be affected by the attack. Fortunately, the damage should be minimal; transactions are usually fully encrypted end-to-end. As long as your POS vendor is employing SSL/TLS (also known as HTTPS) encryption and you take advantage of the necessary updates and patches, your POS system should be safe!

Can I Protect My POS System From The KRACK Attack?

I know I’ve painted a pretty grim picture. But before you throw all your Wi-Fi routers onto a bonfire, grab your pitchforks, and dust off your pillaging attire, you should know that—despite what you may read in some articles—this WPA2 vulnerability does not signify the end of the world. 

WPA2 is still a secure protocol. You can protect yourself from the KRACK attack by patching your devices with the security update for the KRACK exploit. As long as you use the patch, your system will not be vulnerable to this attack. This vulnerability cannot be fixed by changing your Wi-Fi password. You must use the security update patch first. Then you can (and should) change your Wi-Fi password.

Take if from Guagenti:

“Patch! Patch! Patch! Reach out to your POS vendor and ask for an update on the status of new patches for the KRACK exploit. This is also a time to call in IT to make sure that both your hardware, like iPads, wireless terminals, and wireless access points have the latest firmware available. As with most security news, now is [also] the time to check and make sure that your systems are encrypted with strong encryption, have the latest software, use the best practices, and are segmented to PCI standards so cardholder data exposure is minimal if any…[B]usiness owners [should] move to wired connections if possible, disable wireless access points, and wireless clients to prevent attacks.”

Look on the bright side. In some ways, this vulnerability can be a good thing! It provides a chance for everyone to do some pre-holiday security maintenance and tuning up. (Besides, when has beefing up your POS system security ever been a bad idea?)

POS Security Precautions Checklist

• Reach out to your POS vendor about patches for the KRACK attack. (Here is every patch for the WPA2 exploit currently available.)
• Patch any and all Wi-Fi devices/routers for the new KRACK exploit. (Here is the list of Wi-Fi routers that have patched the WPA2 flaw so far.)
• Switch to a wired internet connection (if possible) until all patches are installed and security precautions have been taken.
• If you are using a hybrid-POS system, switch to offline mode until the patch is made.
• Call IT and make sure all wireless hardware and wireless access points have the most up to date firmware.
• Conduct a thorough audit of your entire network environment.
• Verify that all software and firmware is up to date.
• Double check all communication and security settings.
• Update all wireless devices used for business (smartphones, iPads, tablets, laptops, etc.).
• Verify that your POS provider is following PCI compliance standards.
• Make sure all your transaction data is transmitted over SSL/TLS encryption.
• Ensure that your POS vendor employs HTTPS.
• Alert your staff to be on the lookout for customers with laptops or smartphones who stand close to POS systems for suspiciously long periods of time.

Final Thoughts

When it comes to security and your POS system, you really cannot be too careful. Unlike the cracks we avoided stepping on in the third grade (for fear of causing serious back problems for our mothers), not taking this KRACK attack seriously can have real consequences.

I highly recommend taking the security steps provided in this article as soon as possible. Don’t end up being a victim on a small scale. More importantly, don’t risk a major data breach because you didn’t use a simple patch or undergo a routine security check-up. Learn what steps you can take to keep your personal devices safe from these attacks too. Better safe than sorry!