KRACK wifi vulnerability affecting wireless devices.

Q: What is this wifi vulnerability affecting WPA and WPA2 (KRACK)?

Background: On October 16, 2017, security researchers disclosed a flaw in the WPA2 protocol used to secure wireless communications [1].

Impact: Any product that communicates over WiFi and uses WPA or WPA2 to encrypt that traffic is vulnerable. This includes nearly all mobile devices, computers, connected home devices, and wireless access points and routers. Communications between vulnerable devices could be decrypted and hijacked.

Platforms Affected: All operating systems for clients and access points are affected. If you have a device which uses WiFi, it likely needs to be patched.

[1] https://www.krackattacks.com/

Q: How does this affect me?

Any product that communicates over WiFi and uses WPA or WPA2 to encrypt that traffic is vulnerable. This includes nearly all mobile devices, computers, connected home devices, and wireless access points and routers. Depending on the network environment, successful exploitation of this weakness could allow communications between vulnerable devices to be decrypted and hijacked. This would allow an attacker to obtain sensitive information such as financial data, passwords, emails, and more.

Q: What can I do to protect myself?

  • Install operating system patches and firmware updates as soon as they're available for any affected wireless device (computer, laptop, tablet, phone, Internet-connected device, etc.). Firmware updates are usually manual and may not be provided for all devices.
  • Until an update is available for your device, take steps to mitigate potential risks by using strong encryption (HTTPS Everywhere, VPN, etc.) to protect data in transit.
  • Contact your department IT support staff or the Information Service Technology Desk with any additional questions or for further help.

Q: What is the University doing?

Information Services is evaluating the university's network infrastructure and is taking steps to ensure its security. Information on the vulnerability is being shared with the university community to allow them to take steps to update their personally managed devices.

Q: Is my device vulnerable?

All operating systems for clients and access points are affected. If you have a device which uses WiFi, it likely needs to be patched expeditiously. Contact your vendor or check the vendor's website for more information. 

Q: What if there are no security updates for my router?

"Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones." source: https://www.krackattacks.com/

Q: What if security updates for my device (computer, laptop, tablet, phone, etc.) are not currently available to address this vulnerability?

Actively make use of strong encryption to minimize what data could be readily exposed as a result of this vulnerability.

  • Use a VPN when communicating with a vulnerable or untrusted wireless device. This is good practice for any public, unsecured WiFi.
  • Install and use the browser plugin "HTTPS Everywhere" from the Electronic Frontier Foundation to prevent attackers from redirecting you from HTTPS sites to unprotected HTTP versions of those sites: https://www.eff.org/https-everywhere.
  • Continue to check for updates from the device vendor so that the update can be readily installed as it becomes available.

Q: What can IT staff do to help to address the vulnerability and mitigate associated risks?

  • Actively identify affected resources and push out updates as they become available.

  • Communicate with end users about the issue and provide assistance to update personally managed devices.

  • Web server admins can add an HSTS (HTTP Strict Transport Security) header to their web server config (Windows IIS, Apache). The HSTS header informs the browser that the site should always be loaded over HTTPS, regardless of the protocol used in the web link.

Q: Are there additional resources for more information?

Q: Where can I find common OS vendor documentation on the vulnerability and available updates?

Details

Article ID: 41721
Created: Tue 10/31/17 2:38 PM
Modified: Wed 1/31/18 1:16 PM