Recently, a serious set of vulnerabilities in the WPA2 wireless encryption protocol, known as KRACK (Key Reinstallation Attacks), was publicly disclosed. The flaw is in the WPA2 handshake itself rather than in any one vendor's product, so every implementation that follows the standard is affected to some degree.
WPA2 is the most common encryption used on routers and other wireless devices to protect WiFi traffic. As a result, there is a HIGH probability this affects your IT network.
An attacker within radio range can trick a vulnerable device into reinstalling an encryption key it is already using, which lets the attacker decrypt some of the traffic between that device and your wireless router. If the traffic is itself encrypted properly using HTTPS, the attacker still CANNOT read it. Nor can they obtain your WiFi password using this vulnerability. Unencrypted traffic, however, is vulnerable to snooping.
Always use HTTPS on all devices. It is a second layer of protection that still holds when the WiFi layer fails. In a more sophisticated attack, and depending on the cipher the device negotiated and on how the device handles the reinstalled key, it is possible with some mobile devices for the attacker to also inject forged packets into the connection, for example to tamper with plaintext web traffic. A hostile party needs to be in range of your WiFi network to carry out such an attack, so the likelihood of this is a LOW concern.
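The reason a key reinstallation lets an attacker read traffic is that WPA2-CCMP encrypts frame payloads with AES in counter (CTR) mode, and the counter is built from a packet number that a reinstallation resets. Two frames encrypted under the same key and the same counter share a keystream, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; if one frame is predictable (an HTTP request line, a DHCP request), the other falls out. The following Go program is an added illustration of that property and is not code from the original page or from any KRACK tooling. The key, sender address and frame contents are constructed, and the counter-block layout (flags, priority, sender MAC, 48-bit packet number, 16-bit block counter) only mirrors CCMP's structure; it is not a CCMP implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrEncrypt encrypts plaintext with AES-128 in CTR mode under key, starting
// from the 16-byte counter block iv. CCMP protects frame payloads the same
// way, with the counter derived from the per-frame packet number (PN).
func ctrEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed key is always 16 bytes, so this cannot fire
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// counterFor builds a counter block in the shape CCMP uses: an 8-byte
// constructed prefix (flags, priority, sender MAC), the 48-bit PN in bytes
// 8..13, and a 16-bit block counter in bytes 14..15 that starts at zero.
// Confidentiality relies on PN never repeating under one key; a key
// reinstallation makes the client start PN over again.
func counterFor(prefix []byte, pn uint64) []byte {
	iv := make([]byte, 16)
	copy(iv, prefix)
	for i := 0; i < 6; i++ {
		iv[13-i] = byte(pn >> (8 * i))
	}
	return iv
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFromReuse is the passive attacker's step. Given two ciphertexts made
// under the same key and counter, plus the known plaintext of the first, it
// returns the second plaintext without ever learning the key:
// c1 ^ c2 == (p1 ^ ks) ^ (p2 ^ ks) == p1 ^ p2, and p1 ^ p2 ^ p1 == p2.
func recoverFromReuse(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

func main() {
	key := []byte("0123456789abcdef")                                  // constructed stand-in for the temporal key
	prefix := []byte{0x59, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff} // constructed flags, priority, sender MAC
	p1 := []byte("GET /cgi-bin/snapshot.cgi HTTP/1.1\r\n")           // predictable frame the attacker can guess
	p2 := []byte("POST /login user=admin&pass=hunter2\r\n")          // frame the attacker wants

	// Normal operation: PN advances, the counters differ, nothing useful leaks.
	c1 := ctrEncrypt(key, counterFor(prefix, 1), p1)
	c2 := ctrEncrypt(key, counterFor(prefix, 2), p2)
	fmt.Printf("distinct PN, recovered: %q\n", recoverFromReuse(c1, c2, p1))

	// After a key reinstallation the client reuses PN 1 under the same key.
	c2Reused := ctrEncrypt(key, counterFor(prefix, 1), p2)
	fmt.Printf("reused PN,   recovered: %q\n", recoverFromReuse(c1, c2Reused, p1))
}
```

The recovered bytes cover only the length of the known frame, which is why an attacker prefers long, predictable plaintexts. Note that the attacker never touches the key, which is also why this attack does not reveal the WiFi password.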
Check with each vendor of every wireless device on your network. Chances are, you will be directed to firmware patches for the KRACK vulnerability.
Your IT team should update all routers and WiFi-enabled devices (laptops, phones, tablets, etc.) with the manufacturers' latest security patches. Also consider turning on auto-updates for future vulnerabilities, since this will not be the last security update you need to address. Modern operating systems implement auto-update reliably.
Your network router firmware needs updating. If the router was supplied by your Internet Service Provider (ISP), ask the company when they will supply and/or apply the update. If they do not have an answer, keep asking or consider a new router. If your ISP is not promptly providing a firmware update for KRACK, consider buying a WiFi access point from a company that has already patched the vulnerability, plugging it into your ISP router and disabling WiFi on the ISP router. Keep in mind that KRACK is primarily a flaw in the client side of the handshake: patching the access point closes the fast-roaming (802.11r) variant and protects the access point when it itself acts as a client (repeater or mesh mode), but it does not protect unpatched laptops and phones connecting to it. Every device needs its own patch.
Until everything is patched, you can connect devices to your router with hardwired Ethernet and turn off the router's wireless function; WiFi can be disabled on most routers. Turn off WiFi on your devices as well, so that you are sure all traffic goes through the Ethernet cable and never crosses the vulnerable wireless link.
If you still want to keep WiFi for some devices, consider switching to hardwired Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use significant or continual internet traffic on this computer, buy an Ethernet cable.
Since phones and tablets do not have an Ethernet port, disable WiFi on those devices and use cellular data instead. This is not ideal, but it keeps the data away from anyone who may be snooping on the wireless network. As always, be aware that an attacker needs to be within radio range of a device, so the threat is much higher in crowded areas.
Devices running Android 6.0 and later, and Linux clients using the same wpa_supplicant versions, are more severely affected than other devices: the flaw causes them to install an all-zero encryption key, which makes their traffic trivial to decrypt. Microsoft fixed the Windows side in its October security update, and Apple's fix shipped in iOS 11.1 and macOS 10.13.1, so iPhones need to be on at least that version to be protected.
All laptops should update automatically; however, you should check Windows Update just to be sure.
If you own IoT devices, consider which of them pose the most serious risk if their unencrypted traffic is intercepted. For example, a network-connected security camera that does not encrypt its own traffic relies entirely on the WiFi encryption; with that broken, an attacker in range could snoop on raw video footage from inside your home or business.
Remove the riskiest devices from your network until the manufacturer issues patches and they have been applied. In addition, be sure to keep an eye on the devices your kids might be connecting to your home network.
This is a good opportunity to audit your connected device collection and consider retiring any WiFi device whose maker does not quickly issue a patch, since such devices pose a long-term risk to your network.
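A practical way to run the audit described above is to capture each device's traffic on the network they share (for example with tcpdump on a laptop or mirror port) and check whether the streams a device sends are already encrypted at the application layer or are plaintext that WiFi encryption alone was protecting. The Go program below is an added example, not code from the original page or from any product it mentions: it classifies the first bytes of each stream as TLS (record header 0x16 or 0x17 followed by version 0x03 0x0X), plaintext HTTP or plaintext RTSP (the protocol most IP cameras stream over), and reports which devices are exposed. The device names, addresses, ports and payloads are constructed inline so the program runs offline; the Basic credential in the sample is a made-up admin:admin.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// Flow is one observed client-to-server stream: the sending device, the
// destination port and the first bytes of the payload. In practice these
// would be extracted from a capture; here they are constructed.
type Flow struct {
	Device  string
	DstPort int
	Payload []byte
}

// Method tokens that begin an HTTP or RTSP request in the clear.
var plaintextMethods = [][]byte{
	[]byte("GET "), []byte("POST "), []byte("PUT "), []byte("HEAD "), []byte("DELETE "),
	[]byte("OPTIONS "), []byte("DESCRIBE "), []byte("SETUP "), []byte("PLAY "),
}

// classifyPayload labels the start of a stream. A TLS record begins with a
// content type (0x16 handshake, 0x17 application data) and the legacy
// version bytes 0x03 0x00..0x04; HTTP and RTSP begin with an ASCII method.
func classifyPayload(p []byte) string {
	if len(p) >= 3 && (p[0] == 0x16 || p[0] == 0x17) && p[1] == 0x03 && p[2] <= 0x04 {
		return "tls"
	}
	for _, m := range plaintextMethods {
		if bytes.HasPrefix(p, m) {
			if bytes.Contains(p, []byte("RTSP/1.0")) {
				return "plaintext-rtsp"
			}
			return "plaintext-http"
		}
	}
	return "unknown"
}

// plaintextDevices returns the devices that sent at least one unencrypted
// HTTP or RTSP stream, with the destination ports involved sorted ascending.
// These are the devices whose traffic a KRACK attacker in range could read.
func plaintextDevices(flows []Flow) map[string][]int {
	out := map[string][]int{}
	for _, f := range flows {
		switch classifyPayload(f.Payload) {
		case "plaintext-http", "plaintext-rtsp":
			out[f.Device] = append(out[f.Device], f.DstPort)
		}
	}
	for _, ports := range out {
		sort.Ints(ports)
	}
	return out
}

// sampleFlows is a constructed capture: one camera talking in the clear,
// a laptop and phone using TLS, and a recorder using an unknown binary protocol.
func sampleFlows() []Flow {
	return []Flow{
		{"camera-1", 80, []byte("GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: 192.168.1.20\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")},
		{"camera-1", 554, []byte("DESCRIBE rtsp://192.168.1.20/live RTSP/1.0\r\nCSeq: 2\r\n\r\n")},
		{"laptop", 443, []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03}},
		{"phone", 443, []byte{0x17, 0x03, 0x03, 0x00, 0x45, 0x9a, 0x1f}},
		{"nvr", 8000, []byte{0x02, 0x00, 0x10, 0x00, 0x00, 0x00}},
	}
}

func main() {
	exposed := plaintextDevices(sampleFlows())
	names := make([]string, 0, len(exposed))
	for d := range exposed {
		names = append(names, d)
	}
	sort.Strings(names)
	for _, d := range names {
		fmt.Printf("%s sends plaintext on ports %v: patch, isolate, or remove\n", d, exposed[d])
	}
}
```

Devices that appear in the report are the ones to prioritise for patching or removal, because for them the WiFi encryption was the only thing standing between an attacker in range and the raw video or credentials. A device missing from the report is not necessarily safe (its protocol may simply be unrecognised), so treat "unknown" streams as something to investigate rather than as encrypted.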
You can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a browser extension called HTTPS Everywhere. If you are using Google Chrome, Firefox, or Opera, you should consider installing the extension. There is no configuration necessary, so anyone can install and use it.
If a website offers both unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version. If a website still relies exclusively on HTTP, the extension cannot do anything about it, and it is no help if a site's HTTPS is poorly configured so that your traffic is not properly encrypted. Nevertheless, HTTPS Everywhere is one step toward proper protection.
Traffic encapsulated in a virtual private network (VPN) tunnel stays protected even over a compromised wireless link; however, anything that travels outside the tunnel (DNS lookups, traffic sent before the VPN connects, or apps excluded from it) still crosses the weak link between the device and the access point in the clear. Be aware of which WiFi networks you are connecting to for the near future.
The good news is that security cameras, PC workstations and recording appliances can be updated to close the KRACK vulnerability, and the fix is backward compatible: updated and not-yet-updated devices can coexist on the same network while you work through the patches.
Contact the Vision team immediately for priority support regarding your security and video surveillance systems.