Security Update - WPA-2 Vulnerability
Overnight, news was released of a security vulnerability affecting most wifi networks. The vulnerability has been titled KRACK and, when exploited, allows wifi traffic encrypted using WPA-2 keys to be accessed.
This vulnerability only occurs within a wifi network, so there are no updates Tesserent can provide at the firewall level to address this. To address this vulnerability you will need to apply firmware updates for your devices as they are made available. Microsoft released updates for Windows 10 in its October 10th update, so if Windows Update is enabled, those systems will already be protected. For other vendors, check their websites for updates.
Some key points on this vulnerability:
- It is limited to wifi only, so an attack can only come from within wifi range
- Changing your wifi password will not mitigate this risk; it is an issue with the random keys exchanged for each session
- The attack is especially effective against Linux systems and Android devices, to the point that it is possible to insert fake websites and collect sensitive information. Again, this is only possible via wifi and within wifi range
- The encryption used when accessing websites via HTTPS is not at risk, so even if the wifi encryption is compromised, the HTTPS encryption is still in use
Our recommendations are simple: apply the vendor updates as soon as possible and, until that occurs, treat your internal wifi as you would a café hotspot.
A more detailed explanation from CRN can be found here - https://www.crn.com.au/news/krack-wi-fi-flaw-leaves-nearly-all-networks-vulnerable-475528