A weakness in a security protocol that Wi-Fi devices rely upon, has put wireless-enabled devices at risk of attack. Wi-Fi Protected Access II (WPA2) encryption is used to encode Wi-Fi traffic to protect and secure communications between routers, mobile devices, and Internet of Things (IoT) devices. The Key Reinstallation Attack, or “KRACK” can allow an attacker within range of a Wi-Fi network to gain access to unencrypted traffic sent over the internet.
There are currently no reports of this vulnerability being exploited by cyberattackers. However, all modern protected Wi-Fi networks are affected due to weaknesses in the Wi-Fi standard itself, and not in individual products or implementations.
Attackers can use KRACK to read information that was assumed to be safely encrypted. This can be abused to steal information such as credit card numbers, passwords, chat messages, emails, photos, etc. Depending on the network configuration, it is also possible to insert and manipulate data. It should be noted that it has always been possible to attack WPA2. KRACK is an attack vector that can be deployed quickly and can spread rapidly.
Vendors were informed ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited. Microsoft, Google and Apple have issued or plan to issue updates. However, KRACK can have a serious impact on Linux and Android 6.0 or higher. The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems. It should be noted that the updates are not fixes. It may be up to 12 weeks to fully contain this. A list of vendor statuses can be viewed at https://www.kb.cert.org/vuls/id/228519
The Cybersecurity Working Group is advising the community to take the following precautions:
For the Public:
- Try not to connect to unsecured Wi-Fi networks such as hotels, coffee shops and other public spaces. You can tell if a network is secure by a little padlock next to it when you're selecting the network.
- Make sure you have a password on your Wi-Fi network. Always use a strong passphrase for your key to prevent dictionary / bruteforce attacks (Minimum 16 character all keyboard, upper / lower & symbols).
- Ensure all your devices remain up to date. It may take some months for fixes to be available so turn on automatic updates for best protection.
- If the router has been supplied an ISP, ask the company when their device will be patched.
- Where possible plug devices into a network rather than using Wi-Fi.
- When sending information online such as personal or credit cards information check to make sure the website address starts with ‘https’ or the lock symbol is on in the corner.
- When possible turn Wi-Fi off when not using it. This includes appliances, webcams TVs and baby monitors.
For Corporate users:
- Follow best industry practice and guidelines. Double check intrusion routes to ensure Wi-Fi does not leave core networks vulnerable.
- Update all machines, servers, devices and Wi-Fi routers when advised to do so by manufacturers.
- Minimize public Wi-Fi use. Avoid core IT systems using Wi-Fi if possible.
- Mandate Virtual Private Networks (VPNs) for corporate Wi-Fi users and ensure VPN software is updated too.
- Monitor networks for intrusion. If possible authorize access by Media Access Control (MAC) address.
- Once all the fixes have been delivered, switch off the old insecure Wi-Fi modes and replace devices that are no longer supported.