New KRACK Vulnerability Affects Encrypted Wireless Connections on All Devices | Information Technology | University of Pittsburgh

Monday, October 16, 2017 - 16:58

Computing Services and Systems Development (CSSD) is aware of a new vulnerability in current wireless encryption standards, which is making news today. The Key Reinstallation Attack, dubbed KRACK, allows an attacker within range of a wireless device to read information that was previously assumed to be safely encrypted.

An attacker who successfully exploits this vulnerability could intercept sensitive information that a device is transmitting over the wireless network, including credit card numbers, passwords, chat messages, emails, and photos.

The vulnerability that makes this attack possible exists in the wireless standard itself, not on specific devices. While CSSD is working to protect our network and devices against this vulnerability, you should take the steps below to help protect yourself:

  1. Understand that the https protocol used by many online banking and commerce sites prevents an attacker from viewing your Internet activity. Sites that use https usually display a padlock in the address bar of your web browser.
  2. If possible, use a cellular connection to connect your device to the Internet rather than a wireless connection.
  3. If you have your own wireless network:
    1. Ensure you have set a password for it.
    2. Check for updates to your router, as patches may be available to mitigate this vulnerability. If an update is not currently available, continue checking periodically until an update does become available.
  4. Install any available security patches for your specific device as soon as they become available.
    1. If a patch is not yet available for your device, consider using a "virtual private network" (VPN), which will protect all communications transmitted by your device.
  5. When available, always choose the WPA2 protocol for your wireless network. It remains the most secure protocol for wireless.

Please contact the Technology Help Desk at 412-624-HELP [4357] if you have any questions regarding this announcement.