On Monday a fairly significant flaw in the WPA2 wireless encryption protocol was uncovered, and since it’s a flaw in the original design, it affects all modern protected Wi-Fi networks.
The issue primarily affects client devices (laptops, PCs, mobile phones, etc.), with devices running Linux and Android 6.0 and above particularly at risk.
Microsoft have already released a fix in their October security updates and Apple have fixed the flaw in iOS 11.1 beta 3, which is expected for public release imminently.
What is the issue?
In short, an attacker within range of a victim can exploit the WPA2 weaknesses using key reinstallation attacks (KRACKs). In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key.
They can then read information that was previously assumed to be safely encrypted and steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. Depending on the network configuration, it is also possible to inject ransomware or other malware into websites visited on the device.
For more detailed information visit https://www.krackattacks.com/
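Why reinstalling an already-in-use key matters, as an added example that is not part of the original advisory: installing a key resets the per-packet counter (nonce), so two packets end up encrypted with the same keystream. The `Client` class, the HMAC-based keystream (a stand-in for WPA2's real cipher) and all sample values are constructed for illustration; the patched branch models the fix of not installing again a key that is already in use.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode); a stand-in for WPA2's cipher.
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified client: one session key plus a per-packet nonce counter."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Patched: a key already in use is not installed again (counter keeps going).
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0  # unpatched: reinstalling the same key repeats nonces

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def reinstall_effect(patched: bool):
    """Send, reinstall the same key, send again. Returns (nonce_reused, leaked)."""
    key = b"constructed-session-key"  # constructed sample values throughout
    p1, p2 = b"GET /account HTTP/1.1", b"password=hunter2&x=1!"
    client = Client(patched)
    client.install_key(key)
    n1, c1 = client.send(p1)
    client.install_key(key)  # the reinstallation described above
    n2, c2 = client.send(p2)
    # Same key + same nonce = same keystream, so it cancels: c1^c2 == p1^p2
    return n1 == n2, xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    print("unpatched:", reinstall_effect(False), "patched:", reinstall_effect(True))
```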
What we are doing for our customers
We will be updating the wireless drivers on all of the PCs and laptops covered by our Managed Desktop service.
What you should do
- Keep using WPA2.
- Once updates are available:
  - Update all your client devices
  - Patch your access points
- Changing the password of your Wi-Fi network does not prevent the attack. Nevertheless, after updating both your client devices and your router, it’s never a bad idea to change the Wi-Fi password.
What to tell your staff
- The risk to you personally is incredibly small.
- There are unlikely to be any signs if you are compromised by this hack.
- Where your traffic is already encrypted (such as Citrix or HTTPS/SSL websites), this will still be secure even if the Wi-Fi security does get hacked into.
- Keep your personal devices updated (mobile phones, laptops, PCs, tablets etc.).
- Update the firmware of your home router (speak to the manufacturer if you need help). Not all routers will require security updates, so your priority should be updating clients such as laptops and smartphones.