This morning, the ICASI released a statement alerting the technology industry to a series of vulnerabilities used by nearly every modern network. These vulnerabilities are at the protocol-level and affect a large number of wireless infrastructure devices and clients using WPA and WPA2.
What is the vulnerability?
The weakness is in WPA and WPA2 – a protocol that secures all modern protected Wi-Fi networks. The exploit takes advantage of a four-way handshake between a router and the connecting device. When properly executed, the third step of the handshake can be compromised which results in the re-use of an encryption key.
An attacker within range of a victim can exploit the weaknesses by using key installation attacks (KRACKS) to read information that was previously assumed to be safely encrypted.
What does this mean for you?
For vulnerable clients and access points, WPA and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to fix the problem. This means that all data in the Wi-Fi stream CAN BE intercepted, decrypted, and modified – including passwords, credit card numbers, and personal data! Depending on the network configuration, it is also possible to inject and manipulate data. (Ex: an attacker might be able to inject Ransomware or other malware into websites.)
If the wireless device is communicating with a network host that uses HTTPS or TLS, then the data is encrypted a second time separately and offers a greater level of protection, but there is still a chance of vulnerability.
How to protect yourself until patches are issued:
- Apartment buildings, businesses, and thickly-settled areas are at higher risk for attack. Keep your eye open for patches for your computers, routers, and other Wi-Fi gear – and implement it as soon as the patch becomes available!
- Avoid public Wi-Fi while patches are being rolled out.
- Avoid transmitting data to non-HTTPS sites.
- Consider not having a publicly broadcasted network name. A less visible network is less likely to be attacked than a publicly broadcasting one.
- To secure a home network, ensure that servers and NAS devices all have non-default passwords for file sharing and other services.
- Use Ethernet whenever possible.
- Monitor your network for rogue access points.
- Use a VPN client to secure Wi-Fi traffic if you cannot ensure that your network connections are secured.
WatchGuard’s Wi-Fi access points and Wi-Fi enabled appliances ARE affected by these vulnerabilites. WatchGuard has put together a detailed FAQ that contains information about the vulnerabilities, which products are affected, and timing for patches.
If at any point you need assistance, please reach out to our team by phone at 404.633.2551.