The vulnerability named KRACK or WPA2 Key Reinstallation Attack was first discovered last year, and it came as a huge surprise to everyone. It was primarily a glitch that affected all WPA and WPA2 protocols that secure WiFi networks.
However, it came as a shock because, rather than being the work of bad actors, it was a flaw in how the protocol itself was engineered. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), if it had been left undiscovered, it could have led to a complete loss of control of sensitive enterprise data.
This means that KRACK could have allowed bad actors to engage in “man-in-the-middle” attacks whenever they were within radio range to replay, decrypt, or spoof frames.
Unfortunately, the problem isn’t limited to your WiFi router. It affects just about every piece of wireless hardware, including Internet of Things devices, sold over the last few years.
The news quickly sent alarm bells ringing across the healthcare industry as it impacted the medication and supply management systems of BD Pyxis. According to ICS-CERT, this included 12 versions of the system such as the following:
- BD Pyxis Anesthesia ES
- BD Pyxis SupplyStation
- BD Pyxis Parx handheld
So if healthcare providers choose not to act, there is a real possibility of sensitive patient data being easily intercepted over hospital WiFi networks. This is because, according to BD, KRACK can be exploited from an adjacent network without the need for any user interaction or privileges.
However, the good news is that initiating a KRACK attack would require significant technical know-how, the right set of tools, and proximity to a compromised WiFi access point. To date, there haven’t been any reported instances of KRACK attacks targeting BD devices.
Since the news first broke, several vendors have also come forward with patches. These include Apple, Google (for Android), Microsoft (Windows 7, Windows 8, Windows 8.1, and Windows 10), Cisco (for 69 wireless products), and Rockwell Automation (for Stratix wireless access points).
However, a year on, we still come across some businesses that have failed to get the memo on KRACK. In fact, they’re still quite vulnerable to a KRACK attack.
So if this sounds like you, here’s what you have to do (immediately!).
Update! Update! Update!
All the wireless router manufacturers have released patches, so make sure to download them and follow the instructions on their respective websites. You can also turn the default signal strength down to reduce the spillage beyond your property, which can significantly lower the chances of a successful KRACK attack.
Once you’ve done that, make sure that you also update all your computer WiFi cards. Further, make sure that all the drivers for your network cards (and all installed third-party cards) are up to date. While you’re at it, update all the drivers on your laptops as well.
If your enterprise network supports mobile devices and has a BYOD program, take steps to ensure that all devices, including smartphones, are running the most up-to-date operating system.
Hypertext Transfer Protocol Secure (HTTPS) Everywhere
Regardless of the browser preferred by your staff, install the HTTPS Everywhere browser extension on computers connected to the enterprise network. Once installed, it automatically ensures that the browser uses only the HTTPS version of a website (when both encrypted and unencrypted access are available).
This means that it will only choose encrypted versions of the site where all data going back and forth would be illegible to anyone who has managed to breach the system. This approach is common among online retailers and financial institutions and should be leveraged across all websites.
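As an added example (not part of the original article), the script below audits a web proxy log and lists, per client, the hosts still reached over plain HTTP. It separates hosts that were also reached over HTTPS, which is the case the extension covers, from hosts seen only over HTTP. The log format, hosts, and addresses are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log; assumed format: time client method url status
SAMPLE_LOG = """\
2018-10-01T09:00:01 10.0.0.21 GET https://intranet.example.com/login 200
2018-10-01T09:00:05 10.0.0.34 GET http://intranet.example.com/login 200
2018-10-01T09:00:09 10.0.0.34 POST http://intranet.example.com/session 302
2018-10-01T09:01:12 10.0.0.21 GET http://legacy.example.net/status 200
2018-10-01T09:02:40 10.0.0.55 GET https://shop.example.org/cart 200
malformed line
"""


def audit_cleartext(log_text):
    """Return {client: {"upgradeable": hosts, "http_only": hosts}}.

    "upgradeable" hosts were reached in cleartext by this client although the
    log shows the same host answering over HTTPS; "http_only" hosts were never
    seen over HTTPS, so a browser extension cannot upgrade them.
    """
    https_hosts = set()
    cleartext = []  # (client, host) pairs seen over plain HTTP
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated lines
        _, client, _, url, _ = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        if parsed.scheme == "https":
            https_hosts.add(host)
        elif parsed.scheme == "http":
            cleartext.append((client, host))

    report = defaultdict(lambda: {"upgradeable": set(), "http_only": set()})
    for client, host in cleartext:
        key = "upgradeable" if host in https_hosts else "http_only"
        report[client][key].add(host)
    return dict(report)


if __name__ == "__main__":
    for client, hosts in sorted(audit_cleartext(SAMPLE_LOG).items()):
        print(client, hosts)
```

Clients listed under "upgradeable" are the ones to check for a missing or disabled extension; "http_only" hosts need a fix on the server side or a VPN.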
Use a Virtual Private Network (VPN)
A VPN means much more than protecting your location or pretending to access Netflix from another country. VPNs go a long way to help protect businesses because they effectively create a tunnel between your devices and the data destination.
This means that the data will be heavily encrypted and would be useless to any bad actors who successfully compromise the system. However, it’s imperative that you only use an established, reputable service provider because you need to partner with a company that doesn’t actively maintain logs.