KRACK: WPA2 Broken

Today's announcement ( of the KRACK attacks against WPA2 represents a serious security concern for all wireless networks. The de facto wireless encryption standard, which has resisted hacking attempts for 14 years, has finally fallen. Both personal and enterprise versions of the protocol are vulnerable.

The KRACK attack exploits a weakness in the way the protocol reissues packets as part of the '4-way handshake', used to negotiate and set up the encryption. Interception (eavesdropping) and potentially injection/modification of traffic sent from vulnerable client devices is reportedly possible. 

There is very little that can be done at present to protect against these attacks, which require vendor patching of client devices, for example mobile phones and laptops. This is a huge issue; many corporate networks have many hundreds of devices. It is unlikely that vendors will release patches for all devices; it is even more unlikely that all users will seek to update their devices. 

If you allow users to bring their own devices, this problem is not going away for many years. There is no way to verify whether or not a connecting client has been patched. Our only practical advice, in the short term at least, is to treat all wireless networks as an untrusted. All services directly accessible from wireless networks need to be adequately secured with transport layer security (TLS), or ideally, require use of a VPN connection to access.