KRACK Attack: Serious flaw in WiFi Protected Access II (WPA2) has been discovered

A vulnerability in Wi-Fi Protected Access II (WPA2) has been identified. The attack has been labeled KRACK (Key Reinstallation AttaCKs).

What does this mean?

WPA2 is a protocol that secures all modern protected Wi-Fi networks. The security built into WPA2 has been compromised, and an attacker within range of an affected access point or client could take advantage of the various security flaws. This could allow the attacker to steal sensitive data (credit card numbers, passwords, chat messages, emails, photos, etc.) or potentially inject code into the network stream.

How does it work?

KRACK Wi-Fi security flaw explained:
http://www.bbc.com/news/av/technology-41641814/krack-wi-fi-security-flaw-explained

What is affected?

Any computer or device that uses Wi-Fi is vulnerable; however, Windows and iOS are at lower risk than Linux and Android. To reduce vulnerability, keep computers and devices patched and up to date.

McGill Status:

The McGill Wireless Infrastructure has been updated with the patch from the vendor and any risks have been addressed. McGill IT Services continues to monitor the situation and work with its vendors to ensure all vulnerabilities are mitigated and resolved. 

As an additional precaution, we recommend that you update all your wireless devices (smartphones, laptops, tablets, etc.) as soon as possible.

Recommendations:

  • Patch all Wi-Fi devices (smartphones, laptops, tablets, etc.) as soon as updates become available from vendors. This also includes your wireless router at home.
  • Use a VPN when accessing a public Wi-Fi network.
  • Verify that you are only accessing secure HTTPS sites.

Resources:

Wireless best practices:
http://kb.mcgill.ca/it/easylink/article.html?id=1214

KRACK Attacks website:
https://www.krackattacks.com

BBC Wi-Fi security flaw explained:
http://www.bbc.com/news/av/technology-41641814/krack-wi-fi-security-flaw-explained

Homeland Security Vulnerability Note:
http://www.kb.cert.org/vuls/id/228519

Statement from the International Consortium for Advancement of Cybersecurity on the Internet:
https://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities/