Letter from DTC’s Director of IT on WPA2 KRACK Vulnerability
WPA2 Key Reinstallation Attack (KRACK) is now a public exploit in the WPA2 protocol that allows attackers to sniff and inject data into wireless links between client devices and access points.
While most current Windows and Apple devices are not affected by this exploit, Microsoft has released a security update on October 10, 2017 to address this issue. Customers who have Windows Update enabled and applied the security updates are protected automatically. Apple has a fix included in beta version of IOS 11.1 that is not yet released.
This vulnerability means that an attacker can read any data transmitted over the WiFi link that isn’t encrypted at a higher layer. Https/ftps/scp/sftp are some examples of higher level protocols that will keep data safe. The attacker can inject data into the stream as well.
Both a router and a client device must be susceptible to the KRACK Attack vector for the assault to succeed. If either are patched, then no data can be gleaned from the man-in-the-middle method publicized on Monday morning.
Attackers cannot obtain your Wi-Fi password using this vulnerability. The attacker needs to be in range of your WiFi network.
To ensure the security of YOUR information transmitted over wireless links, be sure all websites visited are using the HTTPS:// at the top of the URL. This ensures data privacy and security.
Here at DTC we use Ubiquiti Wireless APs and legacy SonicWall Wireless. DTC has already updated its Ubiquiti APs to prevent client-side attacks for unpatched devices. This means if you have a DTC UBNT AP in your office you are safe. SonicWall will be releasing the same patch ideally here in the next few days to cover unpatched client devices as well. Please note this only affects SonicWalls with wireless capabilities.
Currently we are all relying on our vendors to patch the exploit on client devices. If you have an Android or another Linux based operating system please accept the update to your device as soon as possible. If you have any IoT (Internet of Things) devices – Amazon Alexa, Google Home, Nest Thermostat, etc. – please keep an eye out for an update or patch from the manufacturer to be sure any information transmitted from these devices is secure.
To put it briefly, we’ve got you covered.
If you have any questions about what wireless device(s) is being used in your network please email [email protected] and a technician will respond as soon as possible to the request.
Thank you and have a great rest of October.
Scott Leister
Director of IT