Severe WPA2 Security Flaw May Put ALL Your Wi-Fi Devices at Risk

Security experts and researchers have identified and confirmed a severe WPA2 security flaw that could affect literally ANY Wi-Fi connected device, from computers, phones, routers, tablets, and more. The researcher, Mathy Vanhoef, named the bug “KRACKs” for Key Reinstallation Attacks and is based on the 4-way handshake of the WPA2 security protocol.

KRACKs Bug (1).jpg

The morning of October 16, 2017 at 7AM, The Department of Homeland Security Computer Emergency Readiness Team (DHS-CERT) issued Vulnerability Note VU #228519. The vulnerability note describes that WPA2 can be manipulated to induce nonce and session key reuse. An attacker within range of an affected access point and client may leverage the vulnerabilities to conduct attacks.

The attacker could decrypt packets of information and inject malware, hijack the device via TCP connection, and may bypass HTTPS in non-browser software, Apple iOS and OSX, Android Apps, banking apps, and even VPN apps.

 

Video Demo of KRACKs or Key Reinstallation Attacks

 

 

 


Here’s What to Do with the KRACKs Bug

Major device manufacturers will have to deploy new software and firmware updates. Once they have, Wi-Fi users must update any products that may be affected as soon as security updates are available. The researchers indicated that “if your device supports Wi-Fi, it is most likely affected.

Think of any device that might be affected from your home computer, to Wi-Fi connected security cameras, your Philips Hue lights and security systems, etc. These devices must be updated and if you can, press the manufacturer for an update on when the software update will be release if it hasn’t already been done!

Try to use your mobile network data while the major Wi-Fi and device manufacturers release patches. If you absolutely must use a Wi-Fi connection, you may want to consider a VPN connection. A reliable VPN application can encrypt all your web traffic, either by HTTPS or HTTP.

Looking for more tips on cybersecurity? Look no further. 10 Tips for Personal Cyber Security. 

Vendor’s With Identified Wi-Fi Vulnerability

Here are the vendors that have been currently marked as “affected”. Many more are being added or updated as their status is discovered. Be sure to check this website for updates: Vendor Information for VU#228519

According to Vanhoef, The Wi-Fi Alliance, plans to help remedy the discovered vulnerabilities in WPA2 with the following actions:

  • Require testing for this vulnerability within their global certification lab network.
  • Provide a vulnerability detection tool for use by any Wi-Fi Alliance member (this tool is based on my own detection tool that determines if a device is vulnerable to some of the discovered key reinstallation attacks).
  • Broadly communicate details on this vulnerability, including remedies, to device vendors. Additionally, vendors are encouraged to work with their solution providers to rapidly integrate any necessary patches.
  • Communicate the importance for users to ensure they have installed the latest recommended security updates from device manufacturers.

Free Security Assessment Tool

Did you enjoy this blog article? Share it with your friends or comment below.
 
.

About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.

Recent Security Posts

Essential-Cyber-Security-Tips-Guide.jpg

Twitter Feed