Heard about the KRACK Attack? Larry Allhands, CEO of FIREFX has, and he's got some advice. For more from Larry, check out community.cedia.net.
What is it?
Security researcher Mathy Vanhoef has publicly disclosed a serious vulnerability in the WPA2 encryption protocol. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you're affected. Attackers can't obtain your WiFi password using this vulnerability, but they can read any of your traffic that isn't otherwise encrypted if they know what they're doing. With some devices, attackers can also perform packet injection and do some nasty things. In practice, this vulnerability puts you in the same position as sharing a WiFi network in a coffee shop or airport.
What can I do to protect myself and my clients from it?
Vendors have known of this since July (it was just published this week), so most vendors will have updates and patches that fix it. Check with your vendor. You need to update all of the WiFi-enabled things you can (laptops, WiFi-enabled routers, WAPs, tablets, etc.). The important thing to consider is that both clients and WAPs need to be patched against the KRACK Attack, so there are a lot of vectors to consider, and when you think about all of the little devices out there on WiFi, you get the picture of what a mess this is.
Add to that the BYOD and IoT products that clients add to your WiFi networks daily. Regarding IoT devices, consider which of them pose the most serious risk if unencrypted traffic is intercepted. Say, for example, a connected security camera that doesn't encrypt its own traffic on the local WiFi network -- well, that could allow attackers to snoop on raw video footage inside your home.
If you are concerned:
- Take action accordingly; e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.
- Use the HTTPS Everywhere extension. You can mitigate risk by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you're using Google Chrome, Firefox or Opera, you should consider installing it. There's no need to configure it, so anybody can do it.
- Consider using Ethernet wherever possible to replace WiFi, especially in high-security deployments.
- Use a VPN tunnel from your end-point devices to a VPN server, so traffic stays encrypted in its own layer even if the WiFi encryption is compromised.
- Separate traffic into disparate VLANs (i.e., put devices that cannot be patched into a VLAN separate from your regular network traffic).
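To show why the vulnerability exposes traffic and why the HTTPS/VPN advice above helps, here is an added illustration (not code from this article, from FIREFX, or from Mathy Vanhoef's research). WPA2-CCMP encrypts each frame with AES in counter mode under the session key and a per-frame nonce; KRACK tricks a client into reinstalling an already-used key, which resets that nonce, so two frames get the same keystream. The example stands in for AES-CTR with an HMAC-SHA256 keystream (an assumption so it runs on the standard library alone); the property demonstrated holds for any counter or stream mode. The frame contents, the "camera" host name and the session keys are constructed sample values.

```python
"""Nonce reuse after a key reinstallation, and the effect of an extra
encryption layer (HTTPS or VPN). Added example; keys and frames are
constructed sample data."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(key, nonce || i).
    Stand-in for AES-CTR as used by WPA2-CCMP (assumption for portability)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        counter = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    """Encrypt one frame: plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_from_nonce_reuse(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If two frames share key and nonce, ct1 XOR ct2 == pt1 XOR pt2.
    An eavesdropper who can guess pt1 (a predictable request) gets pt2
    without ever learning the WiFi key. This is the risk the patch removes."""
    return xor(xor(ct1, ct2), known_pt1)


# Constructed sample frames: a predictable request, then a sensitive one.
KNOWN_FRAME = b"GET /live.mjpg HTTP/1.1\r\nHost: camera.local\r\n\r\n"
SECRET = b"user=admin&pass=hunter2"


def intercepted_frame(reinstall_key: bool, app_layer_encrypted: bool) -> bytes:
    """Simulate what a passive listener recovers of SECRET.

    reinstall_key: the client was tricked into reinstalling the session key,
                   so its nonce counter restarts (KRACK).
    app_layer_encrypted: SECRET was also encrypted end-to-end with an
                   independent key before it reached the WiFi layer
                   (models HTTPS or a VPN tunnel)."""
    wifi_key = os.urandom(32)            # per-session pairwise key
    app_key = os.urandom(32)             # independent TLS/VPN key

    payload = SECRET
    if app_layer_encrypted:
        payload = encrypt_frame(app_key, 0, SECRET)

    ct_known = encrypt_frame(wifi_key, 1, KNOWN_FRAME)
    # Patched client: nonce advances. Vulnerable client: nonce resets to 1.
    second_nonce = 1 if reinstall_key else 2
    ct_secret = encrypt_frame(wifi_key, second_nonce, payload)

    return recover_from_nonce_reuse(ct_known, ct_secret, KNOWN_FRAME)


if __name__ == "__main__":
    print("unpatched, plain HTTP :", intercepted_frame(True, False))
    print("patched, plain HTTP   :", intercepted_frame(False, False))
    print("unpatched, HTTPS/VPN  :", intercepted_frame(True, True))
```

Only the first case yields the secret in the clear: once the nonce advances (patched client) or the payload carries its own encryption layer (HTTPS, VPN), the XOR trick returns noise, which is exactly why patching both sides and preferring encrypted protocols are the two independent defences listed above.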