In case you missed the news, a vulnerability has been discovered in the wi-fi WPA2 encryption standard. (Some reports refer to it as KRACK – Key Reinstallation Attack.)
If you or anyone at your business uses a smartphone, laptop, or IoT device connected to a Wi-Fi network using WPA2 encryption, the information sent over that network could be at risk. Researchers have found a bug that lets attackers “break” WPA2 – the encryption that protects most wireless networks – leaving data you send exposed.
Here’s the relevant paragraph from the abstract of the research paper:
“All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPATKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected.”
This should be of concern to your business and warrants further action.
Who is affected?
This isn’t just a problem with a specific device or manufacturer. It is a problem with the encryption standard nearly all Wi-Fi devices on the market use to scramble communications, prevent eavesdropping, and deter tampering. Especially concerning is that anyone at your business who uses a device to connect to a wireless network at work, at home, or on the road, this bug means they can’t rely on that connection being secure.
Can it be fixed?
The bug can be fixed with a security update or patch. Device manufacturers and software companies are aware of the problem and updates are rolling out now. Keep an eye out for authorized fixes from your device or software company.
What is safe?
Connections other than Wi-Fi (like your smartphone’s 4G/3G carrier connection or a connection with an Ethernet cable) aren’t affected. Consider using these instead of Wi-Fi until the updates are available.
What else should you do to ensure security?
This bug is a reminder that there is no single solution to secure your data. Here are other tips for protecting your sensitive information and security online:
- Keep up with the latest updates for your software and devices, including updates for your smartphone, computer, and any IoT devices you design or use in your business.
- Avoid sending sensitive information over public Wi-Fi.
- When you do send sensitive information to a website, make sure the address starts with “HTTPS” – this will at least ensure the data you send to that one website is encrypted. (This website is secure).
- A VPN (Virtual Private Network) app or service can give you another layer of protection for your personal data. VPNs encrypt traffic between your computer and the internet – even on unsecured networks. You can get a personal VPN account from a VPN service provider. If you decide to use one, be aware some VPNs are more secure and easier to use than others, so shop around. Read reviews from several sources, including impartial experts.
Need more tips? Download “10 Cybersecurity Tips for Small Business” PDF here >
