Two researchers at the Katholieke Universiteit Leuven in Belgium recently announced a major vulnerability in the security protocol used by most Wi-Fi connected devices around the world.
Called Key Reinstallation Attack, or KRACK, the vulnerability affects any Wi-Fi device which uses the WPA2, or Wi-Fi Protected Access II, security protocol, which is implemented on virtually every device on the planet.
While this sounds scary, manufacturers are already developing or have developed patches, and the vulnerability’s design makes it difficult for attackers to access a user’s information.
In an email, Rutgers’ Office of Information Technology said, “Attackers can use this so-called KRACK vulnerability to access information that was previously assumed to be safely encrypted, including credit card numbers, passwords, photos and protected health information. Any device that supports Wi-Fi is potentially affected.”
What Does This Mean?
WPA2 acts as a guard, protecting a user’s information as it is sent from a computer, smartphone or tablet to the wireless router.
Attackers can insert malware into a network between a router and a computer or steal information as it is sent from one device to another.
In other words, WPA2 is the bouncer at a bar, allowing legal adults, or information sent by a user, into the building while keeping out underage drinkers and unruly guests, in this case malware.
Someone using the KRACK vulnerability needs access to the network and can then either steal information (kidnapping the bar’s would-be patrons in front of the bouncer in this scenario) or insert malware, which would be like tricking the bouncer into allowing in an unruly person.
Is My Information At Risk?
Several aspects of this vulnerability help most users. An attacker needs to be in range of a network they are trying to steal data from or insert malware into. If this attacker cannot be connected to the network, for example, to a home network, they cannot act maliciously.
In addition, the vulnerability only affects users who send private information on these networks, and even then, it only affects those networks which have been compromised.
However, it is impossible to know which networks have been compromised. Users who purchase items and input credit cards or other personal information on a public network may be at risk.
Another mitigating aspect is that most websites accept data using end-to-end encryption. In other words, while an attacker might steal some information, they would be unable to tell what that information is.
OIT’s email points out that “all data can be decrypted,” but for many cases, information sent using any form of end-to-end encryption is likely safe.
Rutgers IT Director of Communications and Marketing Allan Hoffman said that while the vulnerability is serious, it is similar to the dangers faced by anyone who uses an open Wi-Fi network.
What Should I Do?
In their email, OIT recommends that all users update their devices as soon as an update is available. PC Magazine has a list of companies which are creating updates.
As cybersecurity researcher Brian Krebs points out, if a user is trying to update their wireless device settings, they should pay careful attention to the instructions. Otherwise, their computer could lose the ability to connect to a network at all.
Hoffman said anyone with concerns or questions about updating their devices can reach out to their department’s IT group or the New Brunswick OIT Help Desk. He also recommended that people turn on automatic updates for their devices.
Rutgers is home to several major wireless networks, including RUWireless and RUWireless_Secure. The University is working with Cisco Systems to update its infrastructure.
“Cisco is issuing a patch for this vulnerability, and the patch will be applied as soon as it’s available,” he said.
Nikhilesh De is a contributing writer for The Daily Targum. He is a School of Arts and Sciences senior. Follow him on Twitter @nikhileshde for more.