Update: Both Apple and Microsoft have released patches for this Wi-Fi security vulnerability. If your wireless devices are not set to download updates automatically, we suggest you update them immediately. The university’s Office of Information Security strongly suggests that all users enable automatic updates for all applications that offer it. Learn more about the status of vendor patching for this vulnerability.
A vulnerability has been identified that affects almost anyone using Wi-Fi. This attack impacts all modern implementations of current wireless encryption standards (including WPA-1 and WPA-2). The attacks have been dubbed KRACKs, which stands for key re-installation attacks. Attackers can use this new vulnerability to read information relayed over wireless networks that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.
The Office of Information Technology (OIT) is monitoring the situation and working with its vendors. It is expected that all devices (e.g., desktops, laptops, and smartphones) will require a security patch to protect against this vulnerability. It is likely that a patch will be required for home wireless devices as well. OIT will send out a notice to the campus when patches are available.
In the meantime, OIT recommends that you use the campus VPN when connecting to wireless hotspots from off-campus. Individuals who handle highly confidential data (e.g., SSNs, credit card numbers; loan and bank account numbers; protected health information; and student information about disability, race, ethnicity, citizenship, legal presence, visas, or religion) should only do so on trusted wired networks on campus or while using the VPN from off-campus.
If you have questions about this vulnerability or need assistance installing the campus VPN, please contact the IT Service Center at help@colorado.edu or call 303-735-4357 (5-HELP from a campus phone).
References:
- https://www.krackattacks.com/
- https://papers.mathyvanhoef.com/ccs2017.pdf
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.