Yesterday it was publicly disclosed that the WPA2 encryption used by every modern protected Wi-Fi network and computer was vulnerable to attack. The Proof of Concept for the Key Reinstallation Attacks vulnerability was published here:
At the present time there is no known exploit in the wild. The good news is that a hacker needs to physically be in range of your network (or a network you are on) to attempt to steal the packets your machine sends over the network. The bad news is that nearly every device that gives you internet access or uses WiFi is potentially vulnerable.
There are 2 aspects to this vulnerability:
1) The device you’re using.
a) Windows users should run Windows Update NOW. Microsoft patched this last week.
b) Apple is working on a patch for all Apple devices. It is in beta now and should be available in the next few weeks. Until then, there is nothing to be done.
c) Android phones appear to be the most vulnerable to this attack. In the attack, Android browsers can be forced to downgrade from a secure HTTPS connection to an insecure HTTP connection. If this happens, all of the data you send over the web is unencrypted and can be stolen by a bad actor capturing data packets.
CNET has a good article listing the affected devices by manufacturer.
https://www.cnet.com/news/krack-wi-fi-attack-patch-how-microsoft-apple-google-responding
2) The devices that give you network access: WiFi Access Points, home cable WiFi routers, Airport Extreme/Express base stations, etc.
a) Your home routers, network switches and hubs are likely all affected.
b) If you rent your router from your cable service, wait for direction from your cable service (Comcast, RCN, etc.). Some may even push a patch out to your equipment without your intervention.
c) If you bought your router yourself, consult the manufacturer’s website for software patches. It can take a few weeks.
Again, CNET has a good article listing the affected devices by manufacturer.
https://www.cnet.com/news/krack-wi-fi-attack-patch-how-microsoft-apple-google-responding
What can WiFi users do in the meantime?
1) All MIT users on campus should use the encrypted “MIT Secure” WiFi network. Folks should discontinue use of the “MIT” and “MIT Guest” WiFi networks immediately. IS&T will be patching the WiFi Access Points around campus over the next several weeks. Word from Cisco is the 5 GHz connections are not vulnerable but the 2.4 GHz connections are. Virtually all new laptops that use WiFi will always try to connect to the 5 GHz connections first.
2) When off campus, all users should in general use the MIT VPN when conducting any and all transactions that involve a username and a password. This includes but is not limited to purchases and banking.
3) Android users are advised to turn off the WiFi on their phones until a patch is ready.
General best practices:
1) Do NOT trust public networks. If you have to use them, do not conduct any transactions that require a username and a password. Assume there’s a bad guy on the network capturing data packets and trying to steal your information.
2) Use VPN when off campus ALWAYS. If you are concerned about the security of your data or the data you’re entrusted with at any time, use VPN anytime you have to touch it. There is no harm in leaving VPN on whenever you do anything over the Internet.
3) If you have a choice between using wired Internet and WiFi, use wired Internet. It’s faster and, best of all, it’s not affected by the KRACK exploit.
Please let us know if anyone has any questions or concerns.