KRACK Wi-Fi vulnerability affecting wireless devices

Overview

On October 16, 2017, security researchers disclosed a flaw in the WPA2 protocol used to secure wireless communications.

Any product that communicates over Wi-Fi and uses WPA or WPA2 to encrypt that traffic is vulnerable. This includes nearly all mobile devices, computers, connected home devices, and wireless access points and routers. Communications between vulnerable devices could be decrypted and hijacked.

Questions

How does this affect me?

Any product that communicates over Wi-Fi and uses WPA or WPA2 to encrypt that traffic is vulnerable. This includes nearly all mobile devices, computers, connected home devices, and wireless access points and routers. Successful exploitation of this weakness, depending on the network environment, could allow communications between vulnerable devices to be decrypted and hijacked. This would allow an attacker to obtain sensitive information such as financial data, passwords, emails, and more.

What can I do to protect myself?

  • Install operating system patches and firmware updates as soon as they're available for any affected wireless device (e.g., computer, laptop, tablet, phone, Internet-connected device, etc.). Firmware updates are usually manual and may not be provided for all devices.
  • Until an update is available for your device, take steps to mitigate potential risks by using strong encryption (e.g., HTTPS Everywhere, VPN, etc.) to protect data in transit.
  • Contact your department IT support staff, USS regional zone desk, or the USS-Technology Service Desk with any additional questions or for further help.

What is the university doing?

Information Services is evaluating the university's network infrastructure and is taking steps to ensure its security. Information on the vulnerability is being shared with the university community so that its members can update their personally managed devices.

Is my device vulnerable?

All operating systems for clients and access points are affected. If you have a device which uses Wi-Fi, it likely needs to be patched expeditiously. Contact your vendor or check the vendor's website for more information. 

What if there are no security updates for my router?

From the Key Reinstallation Attacks website:

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

What if security updates for my device (computer, laptop, tablet, phone, etc.) are not currently available to address this vulnerability?

Actively make use of strong encryption to minimize what data could be readily exposed as a result of this vulnerability.

  • Use a VPN when communicating with a vulnerable or untrusted wireless device. This is good practice for any public, unsecured Wi-Fi.
  • Install and use the browser plugin HTTPS Everywhere from the Electronic Frontier Foundation to prevent attackers from redirecting you from HTTPS sites to unprotected HTTP versions of those sites.
  • Continue to check for updates from the device vendor so that the update can be readily installed as it becomes available.

What can IT staff do to help to address the vulnerability and mitigate associated risks?

  • Actively identify affected resources and push out updates as they become available.
  • Communicate with end users about the issue and provide assistance to update personally managed devices.
  • Web server administrators can add an HSTS (HTTP Strict Transport Security) header to their web server configuration (Windows IIS, Apache). The HSTS header informs the browser that the site should always be loaded over HTTPS, regardless of the protocol used in the link.
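
An added example, not part of the original article: a Python check that IT staff could run against the Strict-Transport-Security value a server returns, to confirm the header is valid and actually takes effect under RFC 6797. The function name, the 180-day minimum lifetime and the sample values are assumptions of this example.

```python
import re

# Minimum lifetime treated as adequate here; 180 days is an assumption of this
# example, not a value from the article.
MIN_MAX_AGE = 15552000

def audit_hsts(header_value, scheme="https"):
    """Return (effective, findings) for one Strict-Transport-Security value."""
    findings = []
    if scheme != "https":
        # RFC 6797: browsers ignore the header when it arrives over plain HTTP.
        return False, ["header sent over HTTP is ignored by browsers"]
    if header_value is None:
        return False, ["header is missing"]
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # the value may be a quoted-string
        if name in directives:
            # RFC 6797: a directive must not appear more than once.
            return False, [f"duplicate directive: {name}"]
        directives[name] = value
    if "max-age" not in directives:
        return False, ["required max-age directive is missing"]
    if not re.fullmatch(r"\d+", directives["max-age"]):
        return False, ["max-age is not a non-negative integer"]
    max_age = int(directives["max-age"])
    if max_age == 0:
        return False, ["max-age=0 tells the browser to drop the HSTS policy"]
    if max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is shorter than {MIN_MAX_AGE}s")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; policy does not cover subdomains")
    return True, findings

# Constructed sample values, not captured from any real server.
SAMPLES = [
    ("max-age=31536000; includeSubDomains", "https"),
    ('Max-Age="300"', "https"),
    ("includeSubDomains", "https"),
    ("max-age=31536000", "http"),
]

if __name__ == "__main__":
    for value, scheme in SAMPLES:
        print(scheme, repr(value), audit_hsts(value, scheme))
```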

Are there additional resources for more information?

Where can I find common OS vendor documentation on the vulnerability and available updates?

Details

Article ID: 41721
Created: Tue 10/31/17 2:38 PM
Modified: Thu 11/3/22 4:20 PM