By now, you’ve heard of the KRACK WPA2 infiltration of WiFi. Basically, a vulnerability in WPA2, the standard for most WiFi communications between your mobile phone, computer and anything else that connects to a wireless access point, is a wide-open door for cyber attackers. When a cyber attacker exploits the WiFi vulnerability, they can intercept communications from any device using the WiFi network. It affects everyone.
This kind of widespread WiFi vulnerability serves as a good reminder that we need to be especially careful using public WiFi, such as at your local coffee shop or, when traveling, at airports and hotels. As our virtual CIO / IT vendor recommends, “If you can use a Virtual Private Network (VPN) vs public WiFi, that’s a better option to help secure your communications.”
Over the weekend, we received several communiques from various IT vendors with whom we work. A partner of ours, Convergence Networks, forwarded a great e-letter to me that shared the following excellent tips.
Who does the KRACK infiltration affect?
If you use WPA2 encryption to secure your WiFi communications (and you likely do), you’re probably affected. That said, Android devices are the most widely exploited.
Does this mean someone can get my Wi-Fi password?
No. The WiFi vulnerability could allow an attacker to intercept Wi-Fi communications between a device and a wireless access point, but doesn’t compromise your Wi-Fi password.
How is the KRACK vulnerability being fixed?
Vendors are working on or have already released patches to fix the vulnerability:
- Microsoft has released patches for supported Windows operating systems (Windows 7 and higher).
- Apple is working on a patch for macOS and iOS devices, expected to be released in November.
- Android vendors manage their own patching schedules. Google Pixel devices will receive updates by November 6. Other Android vendors are expected to release patches later.
- Fortinet, a firewall and wireless access point vendor, has shown very limited exposure to this attack, but vendors are gathering information on any devices affected.
- Cisco has already released a patch for its Meraki wireless access points.
What should I do?
If you have an IT vendor for your information systems support, check with them on their patch schedule for Windows systems. They should automatically patch during the next maintenance window if not sooner.
As an individual, it’s strongly recommended that you immediately apply software and security updates to your mobile devices – particularly Android devices. Do so as soon as you’re notified that an update is available – don’t swipe the notification away!
For businesses using off-the-shelf consumer-level WiFi like Linksys or Netgear, look into business-class wireless. You’ll get more timely security updates.
Home-based WiFi? Call your ISP or the company that makes your wireless access point (router, firewall, etc.) to see when they are updating the firmware.
This is an excellent time to be sure that your wireless devices are updated, too. If your devices are so old that there’s no fix available, it’s time to part ways.
Particularly check your IoT devices – don’t forget wireless home security cameras!
Should I not use WiFi?
Good question. Convergence Networks had this advice: “While the KRACK WiFi vulnerability is serious, it requires an attacker to be in range of your wireless device to execute it, it requires time, and is not yet an easy vulnerability to exploit. While the vulnerability affects most Wi-Fi devices, the overall risk to a device is not high, and in most cases Wi-Fi can still be safely used. If you’re an Android user, consider disabling Wi-Fi on the device, limiting connectivity to cellular service, until the November patch has been applied to your device.”