Security vulnerabilities: what you need to know

by Gavin Porter

Wi-Fi KRACK

Overnight, security weaknesses have been published in the WPA2 protocol used by most home and commercial Wi-Fi systems, including public Wi-Fi. The attack that exploits this weakness is called KRACK (Key Reinstallation AttaCK).

An attacker, within range of a victim, can use this technique to control the session key and read any information transmitted over the network that isn't protected by further encryption, such as HTTPS or a VPN.

Because the weaknesses are in the underlying protocol it works against all modern protected Wi-Fi networks and likely affects any device that can connect to Wi-Fi. It's a good idea to patch your devices immediately - install all available updates. Updates have been published for most operating systems and for some Wi-Fi hardware.

Android updates are expected to be published by Google in the November release. If you can't update your device, perhaps because you have an Android phone that is not actively supported by the manufacturer, you could use a VPN service to protect yourself.

Public/Private keys

A serious flaw has been identified in a code library used to generate public/private RSA key pairs. These are used in smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies. The flaw allows an attacker to determine the private key from the associated public key.

Such hardware typically uses proprietary software that is not easy to review or check. Catalyst's preference is to use open source software to generate cryptographic keys.

It's easy to test if a key is vulnerable to this type of attack - visit https://keychest.net/roca, or download the Python software for offline tests.

What to do next

We're already working to make sure all our clients are protected from these attacks.  If you're a Catalyst client and you have concerns, please contact your account manager.

For further information on KRACK, visit www.cert.govt.nz

For further information on the crypto key weakness, visit https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/