KRACKs: Five Observations on WPA Authentication Vulnerability

By on Oct 23, 2017

KRACKs are in the news. McAfee has already discussed these key reinstallation attacks that affect Wi-Fi setups in two posts:

Here are five observations that offer an easy-to-digest summary:

  • Don’t panic! Remember this is currently only a vulnerability. We have not yet seen any attempts to exploit it. Attacks may come, but they will be dependent on the difficulty of implementing code along with the hacker community’s requirement that any attacks must be sufficiently successful to give them a return on their “investment.”
  • An attack requires the actor to either be in close proximity or use an antenna large enough to both receive your Wi-Fi signals and send Wi-Fi packets to your router. This is a lower risk than remote exploits that can be conducted across the Internet, simultaneously affecting hundreds or thousands of devices.
  • Not all wireless devices are equal. Smart TVs, set-top boxes, and other wireless digital streamers are unlikely to be considered high-value targets. For devices containing sensitive data, consider switching to a wired network.
  • Although this potential attack vector does not benefit from weak site passwords or the router’s WPA2 password, a number of alternative vectors do exploit weak or default passwords. That danger has not changed. Your security is only as strong as your weakest link, so think broadly about your security rather than just focusing on the latest issue.
  • A consistent security best practice is to keep devices up to date to offer protection against known vulnerabilities. That advice remains true in this case, too. If your vendor releases a fix, apply it.

About the Author

Graham Clarke

Graham Clarke has over 20 years’ experience working in IT security, covering a range of threat and data protection products. He ran the engineering team responsible for McAfee’s first email appliance and currently runs the team responsible for McAfee’s Data Protection products (DLP, encryption and Database Security).

Read more posts from Graham Clarke

Similar Blogs

Subscribe to McAfee Securing Tomorrow Blogs