Although Wi-Fi is now integral to the operations of many businesses, it is inherently less secure than wired networks. The WPA2 (Wi-Fi Protected Access 2) security protocol helps protect Wi-Fi communications by encrypting data traveling over the network. However, a vulnerability discovered in October 2017 has spurred the development of a new protocol that provides more robust authentication and increased cryptographic strength.
The vulnerability, known as KRACK (Key Reinstallation Attack), gives attackers an opening to conduct man-in-the-middle attacks that could expose sensitive information. An attacker can record and reinstall a cryptographic key that’s already been used, then copy data packets that were sent previously. The hacker could also take the network offline and subject it to a “dictionary attack” by throwing thousands of common passwords per minute at the router until it finds the right one.
What makes KRACK especially troubling is that it’s a flaw in the Wi-Fi standard itself, and not just in individual products or implementations. That means virtually every Wi-Fi device in existence is at risk — although the attacker would have to be within range of both the network you’re connected to and the device you’re using.
The Belgian researcher who discovered the flaw gave vendors a heads-up before going public, so they would have time to develop patches for the vulnerability. Apple, Microsoft, Cisco, Intel and dozens of other affected companies have already developed patches for both network gear and client devices.
The new version of the Wi-Fi security protocol, WPA3, eliminates the KRACK vulnerability once and for all. It requires connected devices to exchange cryptographic keys on a live connection, and thwarts dictionary attacks by blocking offline password attempts after a single incorrect attempt. Additionally, WPA3 uses 192-bit encryption as opposed to the 64- or 128-bit encryption used by WPA2.
WPA3 was introduced in June, and the Wi-Fi Alliance has just started certifying products that support it. However, many manufacturers have announced plans to make WPA3 devices, and Qualcomm has already started making a WPA3 chip for phones and tablets. WPA3-certified routers and other devices should start becoming available in late 2018.
It’s unlikely that manufacturers will retrofit their existing devices, so you’ll need a new router to take advantage of WPA3. You’ll also need WPA3-compatible client devices. However, WPA3 is backward compatible with WPA2 to facilitate the transition to the new protocol.
Meanwhile, there are some simple steps you can take to limit your Wi-Fi risk. Make sure your wireless routers, as well as your smartphones, tablets and laptops, are patched and kept up to date. Specifically, you should update your router’s firmware; research shows that up to 80 percent of routers ship with security vulnerabilities. You should also consider changing the admin username and password on your router, just in case it has been compromised. And always be cautious when using public Wi-Fi networks.
We live in a wireless world. People have become accustomed to using multiple devices to access business applications and data across corporate Wi-Fi networks. While the KRACK vulnerability presents a serious risk, a solution is on the horizon and there are stopgap measures you can take in the meantime.
If you’re concerned about your ability to mitigate Wi-Fi risk, give us a call. We’ll be happy to evaluate your environment and make recommendations to help keep your sensitive data safe.