KRACK Attack Update
A serious weakness in the most popular wireless encryption standard was publicly announced today. Known as the “KRACK Attack,” this vulnerability allows an attacker to read information that is sent across a wireless connection, ranging from user names and passwords to credit card information and sensitive company files. This weakness affects the base wireless standard, so all manufacturers and all devices are potentially vulnerable. This means that not only do you have the need to update your wireless access points, but also each and every device that uses wireless internally or externally. One mitigating factor is that this does not compromise SSL-encrypted data, so a device exchanging traffic with a bank site will still likely have data between that site and the device encrypted, just with a better chance that it can be captured and decrypted. This attack also does not break or hack wireless passwords, therefore changing a wireless password does nothing to fix the issue.
The potential threat was discovered recently but was kept secret to allow hardware and software companies some time to release fixes. There are some systems that will not be patched due to age, however, and their use should be examined and limited depending on circumstances. Naturally, CyberStreams recommends patching or replacing any vulnerable systems, and our engineers have already started doing that when updates are available. We do not touch your home network, however, and advise caution with home wireless provided by Comcast or third-party companies such as Apple (AirPort) Linksys and Netgear. Depending on setup of home wireless, home networks will be vulnerable until updated. We advise against simply going out and buying a new device as a fix as they typically will sit on the shelves in a store or warehouse for months and will not have updated firmware to close the vulnerability.
Microsoft Windows from version 8.0 forward are already protected from this threat as of last week and an update for Windows 7 was released today (October 16). Apple has a patch in beta testing that it says will be released in a few weeks. Google Pixel phones will have an update available on November 6, but other Android devices will lag behind, depending on how fast each carrier updates their customer version of Android. Some Android devices will not receive an update – the best practice will be to contact your carriers with questions about any company-owned devices. Comcast has indicated they will release a statement on updates to their home modems with wireless “soon” but we have been unable to find anything for CenturyLink or other providers at this time.
In summary, while serious, we believe this can be managed with updates and smart behavior. We recommend employees check the model number of their home wireless device to see if it is still supported and likely to receive updates and if not plan to upgrade and update in the near future. If you have any questions or concerns, please do not hesitate to reach out to your support engineer, account executive, or helpdesk!