A serious vulnerability was discovered in the WPA2 (IEEE 802.11i) encryption protocol used in Wi-Fi networking. The latest vulnerability, known as KRACK (key reinstallation attacks), allows attackers within proximity to view traffic on a wireless network that was previously assumed to be encrypted by WPA2. This could give hackers visibility into personal information such as credit card numbers, passwords, messages, email, photos, and more. Depending on the configuration of the network, it is also possible for hackers to inject malicious threats such as ransomware or other malware into websites.
As scary as this attack sounds, there are several mitigating factors at work here. Most importantly, this is not an attack that can be pulled off remotely: an attacker would have to be within range of the wireless signal between your device and a nearby wireless access point. This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users.
Please note that most device manufacturers have a patch for this, and if they don’t, they will soon. We also recommend that you have a robust security posture that includes endpoint protection and VPN connectivity where applicable. The key in this instance is not to panic or overreact, but to understand how this new vulnerability may create exposure for your business and take the appropriate actions to mitigate it.
Our research suggests that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need patches applied.
Our recommended actions:
GSC IT Solutions is working to take a proactive approach to addressing this with our customers. If you have specific questions or would like to better understand your potential exposure, please contact us at 603-485-7100 or email at firstname.lastname@example.org.