If you’re in IT, you woke up to a flurry of articles related to a WPA2 encryption vulnerability. If you’re not in IT, you’ll still probably hear about it; it’s that big of a story.
Essentially, the vulnerability lets an attacker position themselves as a man-in-the-middle: by impersonating the access point a device connects to, they could decrypt and replay (and potentially inject) traffic between the device and the access point.
That’s the bad news. The good news is that many wireless and device vendors have released patches to mitigate this. But that, again, is where the bad news may live. Every. Device. Needs. An. Update. Every device, including access points and IoT devices: everything that ever connects to or broadcasts Wi-Fi will need some sort of update.
We’re obviously monitoring the situation very closely, but reach out to your engineer or account manager if you have any questions.
Am I affected?
Yes. Every device that connects to or broadcasts wireless will need an update.
Should I change my wifi password?
No, changing the password does not mitigate any risk in this situation.
We authenticate with WPA2-Enterprise using 802.1x, are we affected?
Yes, as the vulnerability is prior to the authentication.
Is this a hard attack to accomplish?
Physical presence is required, as the attacker has to be positioned between the client device and the access point. Because it is early in the timeline, the attack will require a hacker with Wi-Fi and cryptography skills, plus custom tools and software. This threat is absolutely big; however, I would currently consider the risk medium. That being said, people being people, someone will write software to make this attack easy to execute at some point.
What’s the worst that could happen to me?
All the traffic from your device to the access point would be compromised. No credentials are at risk, unless typed on the device during the attack, but anything transmitted or received would be seen. Worst case (rare) is that an attacker could also inject something in the traffic.
So what are you doing?
Everything we can. For our managed service and retainer clients, we’ll be updating device software once we know it’s tested and mitigates the risk. This includes network updates, as well as device updates applied manually or through our service OttoBot for Mac.
I have more questions.
Ok, reach out to your engineer, account manager or simply email firstname.lastname@example.org and we can talk more.
See the Vulnerability Note