Aegis Compliance & Ethics Center, LLP
You may have read about the Wi-Fi vulnerability known as KRACK (Key Reinstallation Attacks) which was publicized on October 16. While the risk of an attack exploiting this vulnerability is mitigated by a several factors (explained below), there are nonetheless some basic precautions that can and should be taken. Below is a summary of what you should know, what we have done and further steps you can take to ensure you stay secure. At minimum, please carefully review the last section entitled “what do I need to do?”
What is KRACK?
KRACK is a vulnerability that was discovered in the WPA2 security protocol used by most wireless networks. WPA2 is a protocol that encrypts data between a device and a wireless router or access point that the device connects to. Whenever a secure Wi-Fi connection is established, the device and the router/access point go through a series of “handshakes” to authenticate each other. KRACK makes it possible for someone listening in on the network to intercept part of that handshake and decrypt the data sent over the Wi-Fi connection. After doing so, the hacker would be able to read data sent over the network and could inject malicious code into unencrypted web connections leading to other ransomware or malware attacks.
Who is Affected?
Because this vulnerability resides in a widely-used networking protocol rather than in any specific software, just about all devices that use Wi-Fi are potentially affected. That means computers, phones and tablets as well as wireless access points, routers and connected “smart” devices like TVs, lights and appliances.
What are the Mitigating Factors?
Fortunately, carrying out an attack using this vulnerability requires that the attacker be within range of your wireless network and exploiting the vulnerability is still a fairly complicated and time consuming process. This means that any attack would need to be motivated and targeted rather than opportunistic and blanketed as are many other attacks.
In addition, much of the data traveling over Wi-Fi is already encrypted regardless of the security of the Wi-Fi connection itself.
What is the Fix?
The vulnerability can be fixed with software patches. Most major device manufactures have already released patches or will be doing so in the coming days.
- Windows got out ahead of this and had a patch available on October 10, before the vulnerability was made public. You should review your records to be sure that all your company computers received this patch.
- Apple has announced that current beta versions of iOS and MacOS include fixes and will be available to all devices soon.
- Google has indicated that a patch is forthcoming on November 6.
Importantly, though, Wi-Fi routers and access points (i.e., the devices through which other devices connect over Wi-Fi) also need to be patched. This is accomplished through an update of the device’s the firmware.
What do I Need to do?
There are several things you should do to ensure both company data and your personal data remain secure.
- Keep your devices up to date. Be on the lookout for updates to your phones, tablets and computers and install them right away.
- Avoid connecting to public Wi-Fi. It’s never a good idea and this vulnerability just underscores that. Use a cellular signal instead, a mobile hotspot or tether via your phone.
- Make use of the your company’s VPN to secure all data sent to and from your computer. If your company does not have a VPN, consider obtaining one through a reputable third party. The VPN should be used on any network for which you are not certain of the security and can of course be used even on secure networks to provide an additional layer of protection.
- Avoid going to unsecured websites. Always look for the “s” in “https” in the address bar to indicate that your connection to the page is encrypted.
- Update the firmware on your home network devices including routers and IoT/smart home devices. This is likely not as a straightforward as updating computers, phones and tablets. Some will update automatically (like Eero’s Wi-Fi system), but others will require a manual process and they’re all different. The best advice I can give is to contact the manufacturer to see if a patch is available and to get help on installing.