In October 2017, Mathy Vanhoef and Frank Piessens of KU Leuven in Belgium disclosed what they call the key reinstallation attack, or KRACK. They showed that an attacker within radio range can manipulate the four-way handshake, the exchange in which a client and access point derive a fresh session key for each connection, by replaying one of its messages. A vulnerable client then reinstalls a key it is already using and resets the packet counter that serves as the cipher's nonce, so the same keystream is reused for different frames, which lets the attacker decrypt traffic and steal sensitive information. Android 6.0 and later and some Linux clients were hit hardest, because their Wi-Fi client software could be made to install an all-zero key. The disclosure renewed awareness that Internet use carries risks even over password-protected Wi-Fi.
In response, the Wi-Fi Alliance® announced on 9 January 2018 that it would immediately roll out improvements to the fourteen-year-old Wi-Fi Protected Access 2 (WPA2) protocol, whose handshake is where KRACK strikes. A successor protocol, WPA3, is to follow in the longer term and will offer further enhancements, including “features [that] deliver robust protections even when users choose passwords that fall short of typical complexity recommendations”.
In the meantime, what can enterprises do to protect their Wi-Fi users? KRACK breaks only the link-layer encryption of the wireless hop, so the common thread of the measures below is to make sure every sensitive exchange is also protected by an independent layer such as TLS:
- Web applications, whether external-facing or internal sites that authenticate against the corporate LDAP directory, should be served over HTTPS only.
- Internal users should authenticate over TLS when accessing those LDAP-based sites, so that credentials never cross the Wi-Fi link in the clear; the directory queries behind such sites should likewise use LDAPS or StartTLS rather than plain LDAP.
- Links shared in e-mails should point only to HTTPS URLs.
- The enterprise website, blog and related pages should link only to HTTPS URLs.
- Internal communication should go through an encrypted application or a TLS-protected channel, so that it stays confidential even when the Wi-Fi network's own encryption is compromised.
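Why a replayed handshake message is so damaging, and why the TLS recommendations above neutralise it, can be shown concretely. The following is an added Python example and not code from the original article or from the KRACK researchers. It models the client side of the handshake, replaces the AES-CCM keystream used by WPA2 with an HMAC-based stand-in so that it runs without third-party libraries (the real cipher is not implemented here), and uses constructed keys, hostnames and HTTP requests.

```python
import hashlib
import hmac
from itertools import count

# All keys, hostnames and payloads in this file are constructed for the example.


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream for a (key, nonce) pair.

    Stand-in for the AES-CCM counter-mode keystream that WPA2/CCMP uses,
    built from HMAC-SHA256. The only property that matters here is shared
    with the real cipher: the same key and nonce always give the same stream.
    """
    out = bytearray()
    for block in count():
        out += hmac.new(key, nonce.to_bytes(6, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Simplified Wi-Fi client: key installation and CCMP-style frame encryption."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None   # pairwise transient key negotiated by the 4-way handshake
        self.pn = 0       # packet number; CCMP uses it as the per-frame nonce

    def receive_message3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the PTK, which resets the
        # packet number to zero. An unpatched client does this again when an
        # attacker replays message 3: the key reinstallation.
        if self.patched and ptk == self.ptk:
            return  # fix: never reinstall a key that is already in use
        self.ptk = ptk
        self.pn = 0

    def send(self, payload: bytes) -> tuple[int, bytes]:
        """Encrypt one frame; return (nonce, ciphertext) as seen on the air."""
        nonce, self.pn = self.pn, self.pn + 1
        return nonce, xor(payload, keystream(self.ptk, nonce, len(payload)))


class AppLayer:
    """TLS-like application-layer encryption: own key, own never-reset nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.record = 0

    def wrap(self, data: bytes) -> bytes:
        ct = xor(data, keystream(self.key, self.record, len(data)))
        self.record += 1
        return ct


def krack_scenario(patched: bool, app_layer: bool) -> dict:
    """Run the handshake, the replayed message 3 and the attacker's recovery.

    Returns whether a Wi-Fi nonce was reused and what the attacker recovers of
    the second frame by XORing both ciphertexts with a known first plaintext.
    """
    ptk = hashlib.sha256(b"constructed PTK").digest()[:16]
    sta = Station(patched)
    app = AppLayer(hashlib.sha256(b"constructed app key").digest()[:16]) if app_layer else None
    protect = app.wrap if app else (lambda d: d)

    # Frame 1: a request the attacker can predict (fixed intranet URL).
    known = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    # Frame 2: the request the attacker actually wants to read.
    secret = b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nCookie: session=c0ffee42\r\n\r\n"

    sta.receive_message3(ptk)            # genuine message 3: PTK installed, PN = 0
    n1, c1 = sta.send(protect(known))    # encrypted under nonce 0
    sta.receive_message3(ptk)            # attacker replays message 3
    n2, c2 = sta.send(protect(secret))   # unpatched client: nonce 0 again

    reused = n1 == n2
    # With identical keystreams, C1 xor C2 = P1 xor P2, so knowing P1 reveals
    # P2 for as many bytes as P1 is long.
    recovered = xor(xor(c1, c2), known) if reused else b""
    return {"nonce_reused": reused, "recovered": recovered}


if __name__ == "__main__":
    for patched, app in ((False, False), (True, False), (False, True)):
        r = krack_scenario(patched, app)
        print(f"patched={patched} app_layer={app} reused={r['nonce_reused']} "
              f"recovered={r['recovered']!r}")
```

The first scenario (unpatched client, plaintext HTTP) recovers the second frame, cookie included, from nothing more than two captured ciphertexts and a guessable first request. Applying the vendor fix, which refuses to reinstall a key already in use, removes the nonce reuse entirely. The third scenario keeps the client vulnerable but wraps the payload in an independently keyed layer with its own record counter, as TLS does: the Wi-Fi nonce is still reused, yet the attacker's XOR trick now yields only a combination of two application-layer ciphertexts, which is why serving everything over HTTPS or TLS remains protective even before the Wi-Fi stack is patched.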
Employees should also be encouraged to enable two-factor authentication (2FA) on the accounts they use outside the workplace, such as personal e-mail and social media, so that a password captured over a compromised network is not enough on its own, and to avoid public Wi-Fi whenever possible.