There's a lot of coverage of the recent KRACK vulnerability (CVE-2017-13080), and there are reasons to be worried. The biggest reason to utter "Seriously?" is that the WPA2 open standard for crypto is used on every wireless device on mother earth. The top three reasons to stay rational about this vulnerability and reassure your users are...
- The most important piece of this vulnerability is that, for this man-in-the-middle attack to succeed, both devices need to be vulnerable. Since the vast majority of computing portfolios are portable, the rational response is to patch the users' machines effectively. Many hardware vendors have not yet issued firmware patches for access points, and, obviously, any computers or mobile devices jumping on public Wi-Fi networks will be exposed.
- Microsoft already issued a patch silently on Oct 10th (KB4041676). Apple has provided a patch for beta versions of macOS, iOS, and tvOS, but has not yet issued a security patch in production. This blog will be updated below as soon as Apple officially releases the required patch, and we advise pushing updates seamlessly via Addigy.
- In the overall space of vulnerability attacks, the initial attack surface is minimal, and exploitation requires a pretty sophisticated process. Obviously, the attacker has to be in proximity to the user, and even if they are able to gain access to over-the-air data, any HTTPS (SSL) traffic is still encrypted end-to-end. Over time, the number of exposed HTTP (non-SSL) sites carrying confidential data will be quite low.
We will keep you updated below as soon as Apple releases a patch and urge you to patch your users as soon as it's released.
Keep I.T. Real,
The Addigy Team.