WiFi network equipment makers are issuing patches to address KrackAttacks, a "serious weakness" in WPA2 security that potentially allows hackers to attack all modern protected WiFi networks, a security researcher claims.
Among the nasty scenarios: An attacker leveraging KrackAttacks might be able to inject ransomware or other malware into websites, researcher Mathy Vanhoef asserts.
Still, third-party experts are appealing for calm, asserting that the vulnerability is patchable -- though the number of patches required could be massive, according to Owen Williams, formerly editor of The Next Web. He says:
- Almost every mobile/desktop device on the planet is affected and needs patching;
- Fixing IoT devices and Android devices, which rarely see updates anyway, is going to be difficult at best;
- Your router will need a software update at some point; and
- Nobody will know how to update their router, or how to check if it's patched.
What steps should MSSPs and customers take? Opaq Networks offers three pieces of advice:
- The vulnerabilities impact multiple vendors, so CERT/CC is hosting a webpage with links to security advisory and patch information for each affected vendor. This page will be updated over time as new patches are released.
- Deploying a second layer of encryption can be a useful mitigation while patches are unavailable. The simplest way to achieve this is to require users on WiFi networks to employ their corporate VPN clients while connected to WiFi. An ACL or firewall rule could be used to block traffic from the WiFi network to every destination other than the VPN.
- Switching a WiFi network from WPA2 to WEP encryption is not advised as WEP has more significant security problems.
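The second piece of advice above, "block traffic from the WiFi network to every destination other than the VPN", is easy to state and easy to get subtly wrong (forgetting return traffic, or forgetting that clients still need to resolve the VPN concentrator's name). The script below is an added example, not code from the article or from Opaq Networks: it generates an nftables ruleset for a Linux router or firewall sitting between the WiFi segment and the rest of the network, letting that segment reach only the VPN concentrator (and, optionally, one internal DNS resolver) and dropping everything else. The interface name, subnet, addresses and ports are constructed placeholders; the `wifi_vpn_only_ruleset` function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the article or Opaq Networks): generate an nftables
# ruleset so a WiFi segment can reach only the corporate VPN concentrator.
# Every interface name, address and port used below is a constructed placeholder.

set -eu

# Emit the ruleset on stdout. Arguments:
#   $1 router interface facing the WiFi segment   (e.g. wlan0)
#   $2 WiFi client subnet in CIDR form            (e.g. 10.10.0.0/24)
#   $3 VPN concentrator IP address                (e.g. 203.0.113.10)
#   $4 VPN transport protocol, tcp or udp         (e.g. udp)
#   $5 VPN port                                   (e.g. 1194)
#   $6 optional internal DNS resolver IP, so clients can resolve the VPN hostname
wifi_vpn_only_ruleset() {
    [ "$#" -ge 5 ] || { echo "usage: wifi_vpn_only_ruleset IFACE SUBNET VPN_IP PROTO PORT [DNS_IP]" >&2; return 2; }
    iface=$1 subnet=$2 vpn_ip=$3 proto=$4 port=$5 dns_ip=${6:-}
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 2 ;; esac

    printf 'table inet wifi_egress {\n'
    printf '    chain forward {\n'
    # policy accept: this chain only constrains the WiFi segment; other
    # segments keep whatever forwarding policy the router already has.
    printf '        type filter hook forward priority 0; policy accept;\n'
    # Replies belonging to flows already accepted (the VPN tunnel itself).
    printf '        ct state established,related accept\n'
    if [ -n "$dns_ip" ]; then
        # Only the named internal resolver, so DNS cannot be used as a side channel to the Internet.
        printf '        iifname "%s" ip saddr %s ip daddr %s udp dport 53 accept\n' "$iface" "$subnet" "$dns_ip"
    fi
    # The one permitted destination: the VPN concentrator on its service port.
    printf '        iifname "%s" ip saddr %s ip daddr %s %s dport %s accept\n' "$iface" "$subnet" "$vpn_ip" "$proto" "$port"
    # Everything else leaving the WiFi segment is counted, logged and dropped.
    # The counter and log line are what you check to confirm the rule is actually biting.
    printf '        iifname "%s" ip saddr %s counter log prefix "wifi-egress-drop " drop\n' "$iface" "$subnet"
    printf '    }\n'
    printf '}\n'
}

# Usage on the router, as root (hostnames in the VPN client config must point at VPN_IP
# or be resolvable via DNS_IP, otherwise clients cannot even start the tunnel):
#   wifi_vpn_only_ruleset wlan0 10.10.0.0/24 203.0.113.10 udp 1194 10.10.0.1 | nft -c -f -   # syntax check only
#   wifi_vpn_only_ruleset wlan0 10.10.0.0/24 203.0.113.10 udp 1194 10.10.0.1 | nft -f -      # apply
```

Two caveats worth keeping in mind when using this as a KRACK stopgap: the rule set protects what an attacker could read or inject on the WiFi link only if the VPN client tunnels all traffic (a split-tunnel configuration leaves the non-tunneled part exposed exactly as before), and it does nothing for traffic between two clients on the same WiFi segment, which never crosses the router's forward chain. It is a containment measure while waiting for the vendor patches, not a replacement for them.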