US-CERT is poised to announce the discovery of a new way hackers can bypass basic security measures in Wi-Fi (a.k.a. wireless) access points. This will allow them to listen in to all your traffic, which means snooping on email, messaging, posts to websites, files transferring across your networks, and any other data that is not encrypted by some other means. It also gives hackers an essential toe-hold into your network to perform more sophisticated attacks that allow them to setup deep, clandestine shop on your systems.

Who is at risk?

If you or your employees access your company systems over WiFi networks that use the WPA2 authentication protocol (the default), then you are at risk. If you use WiFi at home or at another location, you are at risk.

How can you protect yourself?

In the short run, make sure every website or web-based system is accessed using HTTPS://. The “S” on the end engages another layer of website encryption. Email programs should also be configured to send and receive email over secure channels. For sensitive information that cannot be accessed using alternate encrypted channels like these, consider not using WiFi at all. A virtual private network (VPN) is another alternative that can provide broad encryption to otherwise insecure systems, but locating the endpoints in the right places takes some level of expertise.

Patch your WiFi access point or router. The manufacturers will be releasing updates soon (days? week?) and you will need to update the firmware (a special type of software) with this new version. Locate the model number of your access point or router, go to the manufacturer’s website and find the support page for your model number. Check this page daily for updates. You will want to apply the update as soon as it is available, so start planning for some emergency WiFi down-time when you apply the update.

When using WiFi at a coffee shop, friends house, or any other location you should assume it has been hacked and that someone is listening to everything you do. The above tips apply and the VPN option, in this case, is likely the best solution to provide broad coverage. Make sure you involve a professional to help with the VPN setup. VPN’s are easy to install, but they are hard to configure correctly if you do not understand the finer points of network topology.

What The Future Holds

Once announced, KRACK will touch off an arms race between you and the hackers. The bad guys will be figuring out how to build tools that allow them to automate attacks. You will be racing to patch your systems, configuring secure channels, and exploring VPN’s. Miniature arms races like this are typical of the Wild West phase of cybersecurity in which we currently live. It also illustrates how the cybersecurity landscape can change almost overnight. The solution is to manage the big-picture of risk which is what we, at Threat Sketch, help small businesses do. We offer a high level, strategic cyber risk assessment that helps manage the problem and a book that explains what you, as a business owner, should do to manage your company’s cyber risk.

If you want to learn more about the details of KRACK, there is a good news article and US-CERT will be releasing details at 8am on Monday October 16, 2017.

UPDATE: 8:38am – The WiFi Alliance has posted a statement.

UPDATE: 8:42am – The researchers have setup a website to discuss the technical details.