Breaches are becoming increasingly common as hackers gain more access to personal information such as social security numbers, credit cards, etc. Now another attack could be under way as researchers have discovered a key flaw in the WPA2 Wi-Fi encryption protocol. This flaw could allow hackers to intercept credit card numbers, passwords, photos, and other sensitive information.
The new exploit is called KRACK, short for Key Reinstallation Attacks. The vulnerability affects the core WPA2 protocol itself, and it is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek and Linksys devices.
Timothy Crosby, Senior Security Consultant for Spohn Security Solutions, says that because the flaw is in the Wi-Fi standard and not specific to any particular product, nearly every router, smartphone, and PC out there is impacted; attacks are especially effective against Linux and Android 6.0 or later devices.
“The biggest thing is making sure everyone goes back to their manufacturers and gets their systems patched as quickly as possible,” Crosby said.
If a company suffers a breach, large amounts of data could be compromised, depending on what is on the network.
According to Crosby, many Point of Sale (POS) systems use Wi-Fi to process credit cards, so using debit or credit cards at restaurants, clothing stores, and similar businesses is risky until the flaw is fixed.
“I will be careful where I use my debit/credit cards for a while,” Crosby said.
Because there isn’t a “return on investment” on security products, Crosby explained, every security countermeasure a company implements can make operations less efficient; as a result, businesses leave themselves vulnerable and end up spending more money when they eventually get hacked.
“It’s a carminative effect all the way down and a lot of organizations choose not to be security aware because it’ll cost them more money than just keeping their head in the sand,” Crosby said.
He recommends that companies run vulnerability scans on systems required to push secure data over Wi-Fi, put in a VPN layer to provide end-to-end encryption, and, on systems with Pre-Shared Keys (PSK), make sure the PSK/password is changed after patches are applied.
“They don’t realize it doesn’t take someone with a degree in programming to exploit some of these things,” Crosby said. “If companies are not taking the time to patch systems and validate that the system has been patched, they may be vulnerable without even realizing it.”
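As an added illustration, not code from the article or from Spohn Security Solutions, the following Python check applies Crosby's recommendations to a device inventory: every Wi-Fi device must have the vendor patch applied and validated, and any device that uses a pre-shared key must have had that key rotated after the patch went on. The device records and timestamps are constructed for the example; the field names and the `WifiDevice` class are assumptions, not the format of any real inventory tool.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class WifiDevice:
    """One entry in a hypothetical Wi-Fi asset inventory (constructed for this example)."""
    name: str
    role: str                                  # e.g. "pos", "ap", "client"
    firmware_patched_at: Optional[datetime]    # when the vendor's KRACK fix was applied; None if never
    patch_validated: bool                      # True once a scan or version check confirmed the patch took
    uses_psk: bool                             # WPA2-Personal (pre-shared key) rather than enterprise auth
    psk_rotated_at: Optional[datetime]         # last time the WPA2 passphrase was changed; None if never


def check_device(dev: WifiDevice) -> List[str]:
    """Return findings for one device; an empty list means it meets the recommended baseline."""
    findings: List[str] = []

    # Recommendation 1: patch, then validate that the patch actually took.
    if dev.firmware_patched_at is None:
        findings.append("unpatched: vendor KRACK fix not applied")
    elif not dev.patch_validated:
        findings.append("unvalidated: patch recorded but never verified on the device")

    # Recommendation 2: on PSK networks, rotate the passphrase after patching.
    # A rotation done before the patch does not count, since the key was in use
    # while the device was still exposed.
    if dev.uses_psk:
        if dev.psk_rotated_at is None:
            findings.append("psk-never-rotated: change the WPA2 passphrase after patching")
        elif dev.firmware_patched_at is not None and dev.psk_rotated_at < dev.firmware_patched_at:
            findings.append("psk-stale: passphrase predates the patch, rotate it again")

    return findings


def audit(devices: List[WifiDevice]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {d.name: check_device(d) for d in devices}


def noncompliant(devices: List[WifiDevice]) -> List[str]:
    """Names of devices with at least one finding, in inventory order."""
    return [name for name, f in audit(devices).items() if f]


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 date as a UTC timestamp (helper for the constructed sample data)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample inventory; the dates are illustrative only.
SAMPLE_INVENTORY = [
    WifiDevice("pos-terminal-1", "pos", ts("2017-10-20"), True, True, ts("2017-10-21")),
    WifiDevice("guest-ap", "ap", None, False, True, ts("2017-01-05")),
    WifiDevice("android-handset", "client", ts("2017-11-06"), False, True, ts("2017-09-01")),
    WifiDevice("ops-laptop", "client", ts("2017-10-18"), True, False, None),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:18} {status}")
```

Running the script prints one line per device; the guest access point is flagged as unpatched, and the handset is flagged both because nobody confirmed its patch and because its passphrase was last changed before the patch date. Feeding it a real inventory export is left to the reader, since the record format here is invented.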