What you need to know about the 'KRACK' vulnerability

You may have heard the news that WPA2 encryption has been “hacked”—but it’s a little more complicated than that.

Here is a (only slightly) technical explanation from our assistant vice president of security, compliance, and risk management, Joe Bazeley:

“The ‘KRACK’ vulnerability allows a hacker to break the WPA2 encryption used on almost all secure wireless networks, including Miami's,” Joe said. “Once the encryption is broken, any wireless traffic that doesn't have additional encryption, such as the encryption provided by going to an https site, can be read by the hacker, and they can even potentially modify that traffic. The vulnerability lies in how the underlying protocol was defined, so everyone who followed the protocol's specifications was affected.”

That might sound scary, but there are steps that Wi-Fi users (read: everyone) can take to protect their connections from the KRACK vulnerability, several of which we at Miami University are currently undertaking.

In order to correct the vulnerability, according to Joe, both your wireless client (your phone, tablet, or computer) and the wireless access point need to be patched by their respective manufacturers, usually via an automatic update. In some cases, if the device doesn’t automatically update, you will need to apply the patch manually.

Here’s the good news: Microsoft patched the KRACK flaw in its latest round of October updates, and Google and Apple are working on patches. Here at Miami, we are working on scheduling the deployment of patches from Cisco onto the wireless access points that make up our network.

More information about which companies have released patches can be found at The Bleeping Computer. This list is being updated as more manufacturers complete patching.

Tips and tricks to stay secure

While you’re waiting for your device manufacturers to correct the vulnerability in their products, here are some Wi-Fi security best practices:

  1. Don’t share private data over public networks. In other words, don’t check your bank account while connected to the insecure network at your local coffee shop (this is a good rule to follow for physical security reasons, too—someone could be watching!).
  2. If you have to connect over a public network, make sure it's encrypted (using WPA2 Personal or WPA2 Enterprise).
  3. Make sure your home Wi-Fi has a strong password. Follow our password guidelines to make sure you’re doing that right.
  4. Another tip from Joe: As an additional step to keep yourself safe, consider installing the HTTPS Everywhere tool from the Electronic Frontier Foundation (EFF). This tool forces https instead of http where possible, which adds a layer of encryption on top of Wi-Fi and helps protect your traffic from being read or modified in attacks like KRACK.

When it comes down to it: Just make sure you’re staying safe by protecting your network with a strong password and not logging into your bank account when connected to insecure public Wi-Fi. And don’t forget to keep checking The Bleeping Computer list to see which manufacturers have released patches for the hack.

Stay safe out there, friends!