NOTICE: WiFi vulnerability requires updates and caution

Tuesday, October 17, 2017

10/17/17 update: ITS has received confirmation from the vendor of the university's wireless infrastructure that our wireless infrastructure devices are not vulnerable to the KRACK vulnerability. Please note that WiFi clients (computers, smartphones, and so on), as well as non-university WiFi routers, will still need to be updated as vendors release updates/patches.


10/16/17: The information below was sent via email to the IT Security Community and Frontline Notify groups on October 16, 2017.

Summary

A vulnerability in a WiFi core encryption protocol puts the majority of WiFi connections at risk. Vendors are working to release updates and patches to address the vulnerability, and these should be applied, after appropriate testing, when they are available.

ITS is working with the vendors of its network technology to determine impact and, as necessary, obtain and apply appropriate updates to the university's wireless networks. In the meantime, be cautious in your use of WiFi and instead use a wired connection or your smartphone's cellular connection whenever possible.

Problem

The vulnerability affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2). Security researchers have announced a proof-of-concept exploit called KRACK, which is short for Key Reinstallation Attacks. Attackers could exploit the vulnerability to decrypt sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol and eavesdrop on Wi-Fi traffic passing between computers and access points. An attacker must be physically in range of a particular WiFi network to exploit the vulnerability.

Threats

The vulnerability could be exploited to read and steal data that would otherwise be protected. However, an attacker must be physically in range of a particular WiFi network to exploit the vulnerability.

Affected Systems

WiFi routers as well as any device that uses WiFi, including laptops, smartphones, smart watches, TVs, wireless point-of-sale systems, and more. Researchers are saying the potential attack could be most severe on Android and Linux devices.

Action Items

  • When vendors release updates and patches, update devices (WiFi routers, laptops, smartphones, and so on), after appropriate testing.
  • Use a Secure Internet Connection:
    • Use wired or cellular networks when possible as your first network choice.
    • Use secure wireless networks, such as MWireless.
    • Try to avoid public WiFi networks, such as those in hotels and coffee shops. If you must use a public network, do not access or transmit sensitive information, and use a Virtual Private Network (VPN).

Technical Details

The vulnerability works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's re-sent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.