If there’s good news regarding the recently revealed KRACK and ROCA encryption holes, it’s that many systems have already been patched to fix the problems. The better news is that there’s no evidence that either have been exploited by hackers. But don’t breathe out that sigh of relief just yet, because these are potentially very serious.
The KRACK vulnerability affects anyone or any system using WPA2 encryption on their WiFi networks. Since WPA2 is the only WiFi encryption method that’s considered reasonably secure, this is a big deal. It’s even a bigger deal because it potentially affects nearly everyone.
The ROCA vulnerability attacks versions of RSA encryption using key lengths of 2048-bits and shorter. It can be used to produce fake signed certificates for things like software updates and can even be used to bypass the security of the TPM (trusted platform module) where encryption keys are stored.
Both vulnerabilities affect a wide range of platforms including Windows-based computers. However, the ROCA vulnerability only affects those devices with Infineon chips, which includes computers made by HP and Lenovo. Some Chromebooks are also affected.
Microsoft has already released updates to fix both of these vulnerabilities as has Lenovo for computers it makes that use those chips. The KRACK vulnerability requires patches from hardware and software makers that depend on WiFi. At this point, it’s not clear if Apple has included a fix in its most recent update to iOS. Google has not yet provided patches for Android.
However, there’s more to WiFi than your computers and endpoints. WiFi devices including routers and access points are also vulnerable and they also need to be updated. The infrastructure patching can be daunting, if only because you have to start by tracking down every point on your company network where WPA2 encryption or decryption takes place, then either patch it or replace it.
While an attacker must be within WiFi range to exploit the KRACK vulnerability, that should not be much comfort for your organization. For one thing, you only need a single unpatched AP for hackers to exploit an encryption hole. For another, WiFi can cover a much larger area than you probably realize—in some cases reaching out for miles—so distance can’t be relied on for protection.
The problem with patching every available access point is that some may be hard to find, especially in a company where employees sometimes set up their own APs or routers. To be really safe, you’ll need to track all of those down and either eliminate them or at least make sure that they’re updated.