By now you may have seen online or on other media that security researchers announced on Monday that a serious vulnerability has been found in the WPA2 encryption protocol that secures the vast majority of modern wifi communications.
While this is a critical flaw, it is important to note that it needs to be actively exploited, that exploits by and large need to be done locally (i.e. by someone on the same local wifi network), and that there do not yet exist any simple to use exploit tools. So while this is important, there is no reason to panic.
In addition, what is vulnerable is plain text communications – any web or other traffic that is already encrypted (e.g. web traffic to HTTPS sites) remains safe. In terms of services provided directly by the Co-op, in 2016 we took the step to ensure every service used HTTPS to ensure that the web traffic itself was encrypted. So while unpatched devices may still be vulnerable to snooping on other sites, we can assure members that their data and communications between patrons, staff, and these services remains encrypted and secure.
For libraries, both wireless access points and end-user devices need to be patched with new security updates that address this flaw. Most device manufacturers will be working to release this soon if they have not already done so. If your device is not set to receive security updates automatically you may need to manually download or invoke them. A list of companies who have patched their devices is being maintained at https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it, though it is neither exhaustive nor authoritative. It is advised that you seek out confirmation of your devices’ security updates via the manufacturers directly.
Please do not hesitate to contact the Co-op’s Privacy and Security Officer, Scott Leslie, at firstname.lastname@example.org if you have further questions or concerns.
- KRACK Attacks and Libraries – https://chooseprivacyweek.org/the-krack-attacks-and-libraries/
- useful FAQ from Aruba Networks – http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf