[NOTE: Senior Advisor Kris Constable submitted this to HuffingtonPost, but due to the time zone differences and the severity of the issue, we have decided to post the article here in the interim]
When you connect to a wireless access point (AP), your device (the client) most likely negotiates that connection using the industry standard, WPA2. A couple of hours ago, 2am PT, the website Krack Attacks was born and it will keep the best of industry and security administrators busy for some time. This means, after reading it, we can assume it will be a short time until there is an exploit in the wild that can be used against all of us using WiFi, or more specifically, WPA2.
Someone who uses this exploit will be able to do what is called a man-in-the-middle attack (MITM), at which point they can eavesdrop on everything you’re doing over WiFi: they can log and record it, they can hijack your connection, or they can inject things into your traffic streams, and you’re unlikely to be able to tell whether what you intend to view or download is in fact a trojan from an attacker.
Unfortunately, solutions are scarce at this time. If you’re nerdy enough, use OpenBSD; unfortunately they were given a really early heads-up, so it’s been patched there.
There’s a KRACK mega thread on Reddit that has been started, which intends to list the vendors that have patched. As of writing this, Mikrotik and Ubiquiti are the only two listed. Considering Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are listed as vulnerable, let’s hope we see some of those listed sooner rather than later.
In the interim, I recommend you use a wired connection where possible, and this is probably a good time to remind ourselves of what life will be like if the Internet Of Things (IoT) is ever successful. If you can’t keep your WiFi off, make sure that any websites you’re connecting to are using SSL/TLS with no errors. This means the URL starts with https:// and not http://.
It’s also worth checking to see if your email is secure. If you’re not using web-based email, is your email using imaps and/or pop3s, or is it using just pop3/imap? Make sure it’s the former, with valid certificates!
What else are you doing online besides web and email? Are those protocols forcing encryption? This should be a best practice regardless of today’s announcement, so take the time to learn while you’re offline or on a wired connection. If you have any questions, feel free to drop me a message on Twitter as cqwww.
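The checks described above for web, email and other protocols can be scripted. This is an added example, not part of the original article: the function names and the example.com endpoints are assumptions made for illustration. `audit` flags configured endpoints that would travel in cleartext over the WiFi link, and `probe` performs a live TLS handshake that fails on any certificate error.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Schemes that wrap the whole session in TLS, with their default ports.
TLS_SCHEMES = {"https": 443, "imaps": 993, "pop3s": 995}
# Cleartext schemes and the encrypted scheme to switch to.
CLEARTEXT_SCHEMES = {"http": "https", "imap": "imaps", "pop3": "pop3s"}


def audit(endpoints):
    """Classify each configured endpoint URL; returns {url: verdict}."""
    report = {}
    for url in endpoints:
        scheme = urlsplit(url).scheme.lower()
        if scheme in TLS_SCHEMES:
            report[url] = "encrypted"
        elif scheme in CLEARTEXT_SCHEMES:
            report[url] = "cleartext: switch to " + CLEARTEXT_SCHEMES[scheme]
        else:
            report[url] = "unknown: check whether it forces encryption"
    return report


def probe(url, timeout=5.0):
    """Live check (needs network): True only if the certificate validates."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in TLS_SCHEMES:
        return False  # nothing to validate on a cleartext endpoint
    port = parts.port or TLS_SCHEMES[scheme]
    ctx = ssl.create_default_context()  # requires a valid cert and matching hostname
    try:
        with socket.create_connection((parts.hostname, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname):
                return True
    except OSError:  # covers ssl.SSLError: expired cert, name mismatch, unreachable
        return False


# Constructed sample configuration; the hosts are placeholders.
SAMPLE = ["https://webmail.example.com", "imaps://mail.example.com",
          "pop3://mail.example.com", "ftp://files.example.com"]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{url:32} {verdict}")
```

Run `probe` against your own mail and web endpoints from a wired connection; a `False` result for a TLS endpoint means the handshake or certificate check failed.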
[Note: Customers with active PrivSec Lockbox, Safe, or Vault plans have active mitigation policies in place in advance of this article]