Help Desk: (814)865-HELP security@psu.edu

The KRACK Vulnerability: What You Need to Know

For Security Liaisons and IT Personnel.


What is the KRACK vulnerability?

KRACK exploits a vulnerability in the implementation of the WPA2 protocol used by most modern wireless devices. An attacker could potentially use the vulnerability to decrypt wireless communications, to modify data sent to a device, or to transmit malware.

What is the scope of the issue?

The vulnerability affects most devices using Wi-Fi.

What steps have been taken to address the issue?

Many vendors have created updates to address the vulnerability. Simply changing Wi-Fi passwords won’t protect users. Firmware updates for affected access points (APs) and client updates for users’ devices are required.

What is the likelihood that this vulnerability will be exploited?

A man-in-the-middle position is required to carry out this attack, and the attacker must be within wireless range of the affected device. Devices that automatically apply updates for major platforms such as Microsoft Windows, macOS and iOS have already been patched. At this time, there are no known exploits in the wild.

Even though the overall risk has been minimized, APs and devices should be updated to fully address this issue.

What is the impact for patching requirements at Penn State?

Penn State has already patched centrally-managed access points. Units that operate their own wireless should update firmware; if an AP is found that has no updates available, the device should be disabled in favor of newer equipment. OIS encourages units to search for legacy APs. There are many known cases where unused legacy APs are still unnecessarily operating.

At the device level, many vendors have already released updates. Devices not receiving automatic updates should be manually patched. A list of vendor firmware and driver updates for this vulnerability can be found below.

If you have any questions, please feel free to contact OIS by email at security@psu.edu.

For Non-Technical Personnel.


What is the KRACK vulnerability?

KRACK exploits a vulnerability in the WPA2 protocol used by most wireless devices. An attacker could potentially use the vulnerability to decrypt and view wireless information, to modify data sent to a device, or to transmit malware.

What is the likelihood that I may be attacked?

An attacker must be physically within wireless range of the affected device in order to exploit this vulnerability. On campus, Penn State’s infrastructure, including its wireless hubs, has been secured. Patches have also been released for consumer wireless products that you might use at home. Check with your wireless router’s manufacturer (if you own your own router) or your internet service provider (if you rent a router directly from your provider) for more information.

How can I protect my devices?

Non-technical personnel can reduce the risk of attack by ensuring that they have turned on automatic updates for their personal devices such as cell phones, tablets, and laptops. Device manufacturers like Apple and Microsoft will provide patches for ongoing security threats through their software updates, so make sure you download the latest version of software as it becomes available. You can also choose to switch to a wired internet connection or to use cellular data.

As always, never send personal information over a public Wi-Fi network.