Using Wi-Fi? Here are three things you need to know about the KRACK in the system

Billions of people use Wi-Fi – in fact, you’re probably using it right now. But be warned: according to the United States Computer Emergency Readiness Team, there is a vulnerability in the Wi-Fi system, known as KRACK or Key Reinstallation Attacks, that could put your encrypted information at risk.

  1. What is KRACK?

The modern Wi-Fi system uses the Wi-Fi Protected Access II (WPA2) protocol to authenticate and protect the connection between access points and devices, such as computers and smartphones. Two researchers, Mathy Vanhoef and Frank Piessens, have found vulnerabilities in the WPA2 system that allow attackers to eavesdrop on Wi-Fi traffic between devices and access points. Because the vulnerability is at the protocol level, attackers can access encrypted information previously assumed to be secure, such as passwords, emails, credit card numbers, photos, and so forth. In some cases, attackers may also manipulate information, for example by injecting malware into websites.

  2. Who is vulnerable?

Most devices are vulnerable to attack, from Android, Linux, Apple, Windows, and OpenBSD to MediaTek and Linksys operating systems. However, the severity of the threat varies as companies respond to the vulnerability. Microsoft announced earlier today that it has provided a software update protecting customers against the KRACK vulnerability. Google has promised to address the vulnerability on its systems within the coming weeks, with Google Pixel as the first to receive an update. Currently, Linux and Android 6.0 or higher systems are the most susceptible to attack.

  3. What can I do?

While it is unknown whether hackers are already exploiting the KRACK vulnerability, researchers urge users to implement safety measures when possible. They recommend that users avoid connecting to Wi-Fi until patches have been developed and can be safely installed on Wi-Fi client devices and access points. Microsoft users, as mentioned above, should be safe. However, when Wi-Fi is the only option, people should use HTTPS, STARTTLS, Secure Shell, and other protocols to encrypt online traffic as it passes between computers and access points. Users could also use a virtual private network (VPN) as an added safety measure. Fortunately, network providers are already starting to deploy security patches.

Vanhoef and Piessens will present their paper, "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2," on November 1, 2017, at the Computer and Communications Security conference in Dallas.

Are you conducting R&D to develop cyber-security measures to defend against potential security threats like KRACK? You could be eligible for the R&D Tax Credit and receive up to 14% back on your expenses. To find out more, please contact a Swanson Reed R&D Specialist today.

Swanson Reed regularly hosts free webinars and provides free IRS CE credits as well as CPE credits for CPAs. For more information, please visit us at www.swansonreed.com/webinars or contact your usual Swanson Reed representative.