When approaching the latest news of the newly found vulnerability in the industry's WPA2 standard, I knew we'd need to interview one of amt's experts, a Technical Account Manager (TAM). Jon Van Cleve was more than willing to clarify the issue in the most straightforward and to-the-point manner. Below is a quick review of what to know, do, and prepare for when approaching the possible vulnerabilities within your network.
What is “KRACK”? - KRACK stands for Key Replacement AttaCK and is a flaw in the WPA2 wireless security standard. WPA2 has been the main method of securing wireless networks since 2005 or so, and is very common.
How can it affect my network? - It can allow someone who is connected to your network to see all non-https traffic on your network. This includes sites visited, passwords typed in, and any other information between you and the non-https site.
What can I do to protect myself and my work environment? - You can update all your devices: phones, laptops, PCs. Unfortunately, many devices, such as older devices and hardware, won't see updates. Apple and Windows updated automatically IF you are in line with current updates and on newer systems. Double-check all carriers and devices to be sure they are covered and updated.
How is the WPA2 standard vulnerable and what is the "4-way handshake"? - Part of WPA2 is built-in encryption, which is supposed to keep your data private. However, due to a flaw in WPA2, someone already connected to the wireless network can get the encryption key during authentication, more specifically in phase 3 of the 4-way handshake. Once they have this key, all internet data is potentially vulnerable across all devices on the network.
What does it mean to be patched and how can I make this process happen? - The best process would be to research your device model and KRACK attack procedures. To be patched means having the latest updates from the manufacturer of your device/network and maintaining suggested standards of security. Microsoft, Apple, and others have released patches.
For more information, you can check out this Wired article, which does a good job of approaching the issue. If you're one of our clients, please contact us if you have further questions or concerns.