If you haven’t already heard about the KRACK (Key Reinstallation Attack) vulnerability announced today, head over to the information page at https://www.krackattacks.com/ as quickly as your fingers will take you. Mathy Vanhoef of imec-DistriNet has found a vulnerability in the WPA2 protocol which has a very wide impact.
The challenge here is that this isn’t a bug in any particular implementation or commonly-used library; rather, it’s a vulnerability in the protocol itself, which means that any correct implementation of the protocol is vulnerable. This also does not just apply to wireless access points; remember that most cell phones can also act as wireless APs for purposes of wireless tethering, so they may be vulnerable too.
Impressively, a number of vendors have released code which has been patched for the vulnerability today, and a number of vendors included fixes before today’s public announcement. However, those are useless if people don’t install the upgrades. I strongly advise going now and finding what your wireless vendor has done, and installing any available patched code.
Since I know you’re all following my Ubiquiti experiences, I’ll note that UBNT released code this morning for my Unifi AC-AP-PRO access points, and I upgraded them before breakfast this morning. The only minor annoyance is that this code release has not been pushed to the current stable 5.5.24 controller yet, so until that happens it’s necessary to trigger a manual upgrade for each device. Also, if you have enabled automatic updates, turn them off before you upgrade or you may find the 3.8.x release undoing the manual upgrade to 3.9.3 (yes, the 5.5.24 controller believes that it should upgrade the APs from 3.9.3 to 3.8.x). The push will hopefully occur shortly, but Ubiquiti usually waits about a week while early adopters install the code so they can be confident that it did not introduce any other issues (i.e. regression testing).
My 2 Bits
It sucks when a vulnerability like this hits the wire, but I give respect to Mathy Vanhoef for following a responsible disclosure process and allowing vendors some time to prepare patches before the vulnerability was shared publicly.