A new WiFi vulnerability called the Krack Attack was discovered and published today. Since we all use WiFi in our homes, offices, and nearly every job we work on, I thought it would be something worth looking into together.
WHAT IS IT?
Security researcher Mathy Vanhoef publicly disclosed a serious vulnerability in the WPA2 encryption protocol today. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you're affected. Attackers can't obtain your WiFi password using this vulnerability. They can, however, look at your unencrypted traffic if they know what they're doing. With some devices, attackers can also perform packet injection and do some nasty things. The exposure is like sharing the same WiFi network in a coffee shop or airport.
WHAT CAN I DO TO PROTECT MY CLIENTS FROM IT?
Vendors have known of this since July (it was just published today), so most vendors will have updates and patches that will fix this. Check with your vendor. You need to update all of the WiFi-enabled things you can (laptops, WiFi-enabled routers, WAPs, tablets, etc.). The important thing to consider is that both clients and WAPs need to be patched against the Krack Attack, so there are a lot of vectors to consider. When you think about all of the little devices out there on WiFi, you get the picture of what a mess this is.
Add to that the BYOD and IoT products that clients add to your WiFi networks daily. Regarding IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, a connected security camera that doesn't encrypt traffic when you're on the same WiFi network - well, that could allow attackers to snoop on raw video footage inside your home.
IF YOU ARE CONCERNED:
- Take action accordingly - e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.
- Use the HTTPS Everywhere extension. You can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you're using Google Chrome, Firefox or Opera, you should consider installing the extension. There's no need to configure it, so anybody can do it.
- Consider using Ethernet wherever possible to replace WiFi, especially in high-security deployments.
- Utilize a VPN server tunneling to your end-point devices.
- Separate traffic into disparate VLANs (e.g. put devices that cannot be patched into a VLAN separate from your regular network traffic).
The Network Guardian does provide protection in the form of VPN and VLAN separation.
Please feel free to CONTACT US with your questions!