The KRACK WiFi Vulnerability

You Should Have Always Been Careful Using WiFi

It’s always been risky to use public WiFi with your sensitive business data.  As one writer has noted, using public WiFi is like having unprotected sex.  WiFi networks are vulnerable to attacks.

There have been different encryption standards adopted to help secure WiFi. WEP (Wired Equivalent Privacy) was replaced by a new, stronger standard called WPA (WiFi Protected Access). WPA2 was designed to be even more secure and has been recommended and adopted as the strongest WiFi security solution available.

WPA2 has become widely adopted. 

This week, it was announced that WPA2 is more vulnerable than previously thought. WPA2 is vulnerable to KRACK. KRACK (Key Reinstallation Attacks) is a technique attackers can use to gain access to WiFi network traffic.

The US Computer Emergency Readiness Team website states that “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017.”
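To show what "key reinstallation" in the 4-way handshake means, here is an added toy model (my own example, not code from the original post, from US-CERT or from the KRACK researchers): when a client reinstalls the pairwise key on a retransmitted handshake message 3, its packet number resets, so a nonce it already used repeats and the keystream repeats with it; the fix modelled here is to refuse to reinstall a key that is already in use. The HMAC-based keystream, the key bytes and the frame contents are constructed stand-ins for real CCMP, not the 802.11 algorithm.

```python
import hashlib
import hmac

class Station:
    """Minimal WPA2-like client: a pairwise key (PTK) and a transmit packet number."""
    def __init__(self, patched: bool):
        self.patched = patched  # True: never reinstall a key that is already in use
        self.ptk = None
        self.tx_pn = 0          # packet number, the per-frame part of the nonce

    def install_key(self, ptk: bytes) -> None:
        """Runs when handshake message 3 arrives, retransmissions included."""
        if self.patched and ptk == self.ptk:
            return              # fix: an already-installed key is not reinstalled
        self.ptk = ptk
        self.tx_pn = 0          # vulnerable reset: the nonce space starts over

    def encrypt(self, plaintext: bytes) -> tuple:
        """Stand-in for CCMP: nonce = key id || packet number; keystream = HMAC(ptk, nonce)."""
        nonce = hashlib.sha256(self.ptk).digest()[:6] + self.tx_pn.to_bytes(6, "big")
        self.tx_pn += 1
        keystream = hmac.new(self.ptk, nonce, hashlib.sha256).digest()
        return nonce, bytes(p ^ k for p, k in zip(plaintext, keystream))

PTK = b"constructed-demo-pairwise-key"          # constructed, not a real key
FIRST = (b"first frame", b"second frame")        # frames sent before the retransmission
LATER = (b"third frame", b"fourth frame")        # frames sent after it

def run_session(patched: bool) -> list:
    """Handshake message 3, two frames, a retransmitted message 3, two more frames."""
    sta = Station(patched)
    sta.install_key(PTK)
    sent = [sta.encrypt(f) for f in FIRST]
    sta.install_key(PTK)                         # retransmitted message 3 (the KRACK trigger)
    return sent + [sta.encrypt(f) for f in LATER]

def count_nonce_reuse(patched: bool) -> int:
    """How many frames reused a nonce; a correct implementation returns 0."""
    seen, reused = set(), 0
    for nonce, _ in run_session(patched):
        reused += nonce in seen
        seen.add(nonce)
    return reused

def keystream_repeats(patched: bool) -> bool:
    """Reused nonce => reused keystream => ct1 XOR ct3 == pt1 XOR pt3 (why US-CERT lists decryption)."""
    frames = run_session(patched)
    ct_xor = bytes(a ^ b for a, b in zip(frames[0][1], frames[2][1]))
    return ct_xor == bytes(a ^ b for a, b in zip(FIRST[0], LATER[0]))
```

The same counter reset also explains the packet replay impact: a receiver whose replay counter is reset will accept frames it has already seen.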

Microsoft and other vendors have issued patches, and it appears that this vulnerability would actually be difficult to exploit in practice. Nevertheless, you should be careful using WiFi with valuable business data.

Some best practices include using a VPN, turning off automatic WiFi connectivity on your phone (or purchasing unlimited data so you never use WiFi at all), and always requiring app-based two-factor authentication for sensitive applications and websites, so that even if your credentials are stolen, access will be denied.