KRACK – Securing Your Wifi Network

Given the release of the KRACK vulnerability, it is becoming very clear you need to take additional steps to make your Wifi network more secure. You should take this as a wake up call to understanding the risks inherent with a Wifi network and just how easily it can be used to gain access into your infrastructure.

Its important to consider, that unlike physical wire networks, wifi networks have an inherent security weaknesses, in that they broadcast in all directions, 24×7, the traffic; so with a suitably powerful aerial you can remotely eavesdrop on a Wifi network and take your time breaking into it. You can even just record the encrypted traffic so then when you have later cracked it, replay all the traffic… Plus, as KRACK has shown, weaknesses in the underlying protocols of Wifi do pop up from time to time and need to be immediately addressed. This is one of many reasons why in the PCI DSS security policies, Wifi comes in for ‘special’ treatment to avoid credit cards just being ‘sniffed’ out of the air…

We recommend you at least do the following:

  1. Update immediately all clients (laptops and servers) and WiFi Access Points, plus any Wifi providing Routers to the latest release. If you have devices which cannot be updated seriously consider taking them off the Wifi network until they can be updated.
  2. Change your Wifi Passwords to ensure no older or no longer used devices can be used to gain access to the network. Yes, this will be an inconvenience to all staff, but much better than suffering your network being hacked.

We would also recommend you looking at doing the following:

  1. Segment the wifi network such that it only has access to a minimal set of office services it needs to be useful.
  2. Do all your staff needs access to the corporate Wifi network or do they just need generic Internet access. If so set up another Wifi network with just access to the Internet and move them across.
  3. Strongly consider putting in active networking monitoring and intrusion detection – there are various ways to do this.
  4. Setting up per staff member wifi password login details and ‘bin’ the common Wifi password for good.

Note: From our perspective, if you have any sensitive data that is critical to your business operations, the last thing you should be doing is having it going over a wifi network ‘in the plain’; i.e. use an in house VPN (Virtual Private Network) that operates over the Wifi network, so even if the Wifi network is breached, the VPN will still be secure.

Note#2: Consumer grade Routers with Wifi will typically NOT auto update themselves, you need to log in as the admin and either kick start the upgrade process, or visit the manufacturers website and find the upgrade you need and apply it via the admin update screen (upload update) – refer to your device documentation for details on how to do this. Also take this as an opportunity, if you haven’t done already, to change the admin account password to something secure; rather than the default.

Also something else you need to take into account, is such network vulnerabilities can have an impact on your PII (Personally Identifiable Information – see here for more info) compliance – i.e. a wifi network could be used to get access to PII and therefore put you at an operational business risk plus a large fine. Also, as mentioned before, if you process credit cards through your network, the way you have your Wifi network set up could impact on your PCI compliance and therefore if you are in breach or not…

If you would like any help with securing your network, please do get in touch .

Resources