December 20, 2017

Wi-Fi Key Reinstallation Attack (KRACK) and Its Potential Effects on IT Companies in Ottawa

All Ottawa computer services users should be aware of a vulnerability found within the
Wi-Fi protocol. Revealed in a paper published on October 19th 2017, this vendor-neutral
attack affects most if not all Ottawa IT companies and computer services users in
Ottawa, who should update all Wi-Fi capable devices. Below is a short list of FAQs about the
attack, its potential for damage and security tips for end users.

What is KRACK?

KRACK, in its most basic terms, is an attack where a copy of what is supposed to be a
unique cryptographic key is given to a second user (an attacker). They can then use this
key to decrypt your encrypted traffic while it travels across a Wi-Fi network. The
implications of this on Ottawa IT companies and users of computer services in Ottawa
are of high severity.

What does this mean?

It means you cannot trust Wi-Fi networks. Unless you know your devices have been patched
or you have other secure protocols in use (which will be discussed below), you should not
send out any sensitive information across a Wi-Fi network. Ottawa IT companies should
inform their staff and users of their computer services in Ottawa to treat all Wi-Fi networks
as if they were open Wi-Fi networks.

Will changing my password help?

Nope. The reason this attack is creating such a stir is that it is the first successful
attack against WPA2 that is not just password guessing. It is an attack against the protocol
and not a weak password, which is unprecedented.

Is there anything I can do to fix this?

Yes, there is. Follow this link (https://github.com/kristate/krackinfo#vendor-response-complete)
and see if the vendor(s) of your device(s) have issued a patch, then install the patch.

My vendor has not issued a patch, what can I do while I wait?

There are a few things you can do to make sure your transmissions are safe:

  1. Ensure that you are using HTTPS instead of HTTP. You can do this by checking to see if
    there is a lock icon in the URL bar in your web browser. This is a good idea when online
    in general. All Ottawa companies' IT service providers should inform clients and their
    staff about HTTPS through end-user awareness training or security bulletins.
  2. If you are running Firefox, Chrome or Opera, there is an extension you can download
    from the Electronic Frontier Foundation, called HTTPS Everywhere. HTTPS Everywhere
    establishes an HTTPS connection with a website if it has the capability to do so.
    Although it cannot establish HTTPS communications with all websites, it is better to
    have it installed than to not have it installed.
  3. Use a virtual private network solution like OpenVPN, so you can browse the internet
    securely and anonymously.

All Ottawa companies need to address this issue, whether it be for their own data
confidentiality, or that of their clients. Ottawa companies using IT, especially those using
wireless networking in any way, shape or form, need to ensure that they are doing everything
within their power to not fall victim to this attack.