In light of the headline-making news regarding the major flaw in WiFi networks, dubbed “KRACK”, which stands for Key Reinstallation Attack, we wanted to take a moment and communicate a few important facts to keep in mind regarding this specific flaw.
It’s very important to first understand the nature and scope of this issue. The flaw is related to the WPA2 wireless communication protocol, which at its basic level is the way your device (a PC, laptop, cell phone, etc.) talks to a Wireless Access Point, or WAP. This isn’t about what happens with information that travels out to the web after it leaves your location, but the communication between your device and the device that connects you out to the web.
With that in mind, here are the key facts for you to know:
- As of the time of this writing, there are a limited number of patches being released for impacted devices. Over time, we expect any supportable device using WPA2 to get a patch from the vendor.
- Remember, this is about the communication between your device and the access point, so this is a SHORT RANGE issue.
A practical concern based on this flaw would be, for example, who is able to spy on your network traffic on a local WiFi network. Someone could exploit the WPA2 flaw to sit somewhere the wireless signal reaches and read data that was normally meant to be private communication between your device and the access point.
Think about WiFi networks (even those that require passwords) at a coffee shop, hotel, airport, or some other guest network. If you are concerned about what you are communicating on those networks, consider a VPN solution to encrypt information regardless of the wireless connection (we can provide a more personalized recommendation as needed). If you are working in a public area over wireless, and you care about the privacy of what you are doing, this is essential.
- To look at it another way, if you have a wireless network in the middle of nowhere, and nobody is around to “touch” your wireless access point signal, this threat is obviously much less significant in terms of risk.
- This flaw is completely independent of the typical security patches that are issued for things like Microsoft Office. It’s a much different kind of threat than the WannaCry ransomware vulnerability that was exploited earlier this year.
- This flaw is primarily about privacy, and less about data integrity, downtime or other factors that we often look at when it comes to cyber-attacks.
As always, it is important to exercise due diligence and scrutiny when operating technology. When in doubt, it is best to communicate with your colleagues and IT support about your concerns before it is too late. Prevention and awareness are the best things you can do, regardless of the threat, to avoid the consequences of a major security incident.
Contact us if you have any concerns or would like to discuss your specific situation.