Key Reinstallation Attacks (KRACK)

Information and Security Recommendations

What You Need to Know:

This morning (October 16, 2017) several news agencies are covering a recently disclosed Wi-Fi vulnerability that affects anyone using wireless computer networks. The threat is called “Key Reinstallation Attacks,” or KRACK for short. The vulnerability is a weakness in the process all wireless devices use to secure information being sent. It can be exploited to gain access to all data being sent between a client (laptop, mobile device, tablet) and an access point (AP) or wireless router. This flaw affects both Albright-issued equipment and your personal devices.

What We Are Doing:

Albright IT Services has created a response team to work through inventorying our affected assets, checking on vendor responses, applying patches, and communicating with our community. We have reached out to our security partner GreyCastle Security and will be drawing on their experience and expertise. Wi-Fi is pervasive across our campus and in our lives outside Albright. We realize that this issue will require a multi-pronged approach that can take weeks/months to resolve and we are planning for it.

What You Should Do:

Please be mindful of communications from IT Services about KRACK. To protect college and personal data, we will need your engagement and assistance. Our communications will also include information that will be helpful to you in protecting your personal devices. When IT Services becomes aware of patches from vendors like Apple, Google, Linksys, Microsoft, or Netgear, we will pass along guidance on actions you should take to protect your information as well as campus data.

  • Update all wireless devices to address the vulnerability. This will depend on vendors creating and releasing the updates for various devices including routers and access points as well as phones, tablets and laptops. As we identify solutions, we will add them to this page.
  • Limit any potentially sensitive activities performed on wireless networks.
  • Ensure any activities that must be performed on wireless networks are done via secure channels (HTTPS websites, SSH, SFTP). Avoid unencrypted channels such as HTTP websites, Telnet, FTP.
  • Watch for suspicious individuals in close proximity to your wireless network.
    • Update Microsoft Windows
      • Microsoft has reported that this vulnerability is addressed in their October 2017 Windows Updates. We will be pushing this update out to Albright computers by the end of October 16, 2017. Please be sure to run Windows Updates on your computer to get these updates.
    • Updating Your iMac or MacBook
      • If your MacBook or iMac is running macOS Sierra 10.12 or macOS High Sierra 10.13, then you do not need to take any action. Apple has already addressed this vulnerability in the macOS Sierra 10.12 beta.
      • If your MacBook or iMac is running an earlier version of OS X (10.7.5 through 10.11), then please follow these directions:
        1. Back up your files or run Time Machine on your Mac
        2. Open the Applications folder in the Go menu and choose the App Store
        3. On the main page of the App Store you will find an image for macOS High Sierra. Click on that image.
        4. When you’re ready, click the Download button at the upper left. The download will take a few minutes. The installer software is over 5GB.
        5. When the download finishes, the installer will automatically launch. You can quit (Command-Q) if you want to run the installer later. It will be saved to your Applications folder. Click Continue if you want to proceed.
        6. Read the software license agreement and click Agree.
        7. Select your Mac’s startup drive and click Install.
        8. You must enter the username and password for the new “helper tool” that the installer wants to install. Enter this information and click Add Helper.
        9. The installer will tell you it needs to restart the Mac to proceed. Click Restart.
        10. If you have other applications open, the installer will ask to close those apps. Click Close Applications.
        11. Your Mac will restart and proceed with the installation. When it’s done, you’ll have High Sierra on your Mac.
        12. If you have an older OS version and have not upgraded to Office 2016 for Mac, you may find that you will need to contact Client Services to upgrade to Office 2016.
    • Updating Your iPhone/iPad/iPod
      • If your iPhone/iPad/iPod is already running iOS 11, then you do not need to take any action. Apple has already addressed this vulnerability in iOS 11.
        • The following iPhone, iPad, and iPod touch devices are supported by iOS 11:
          • iPhone 5s, iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus, iPhone SE, iPhone 7, iPhone 7 Plus
          • iPad Air, iPad Air 2, iPad 9.7-inch, iPad Pro 9.7-inch, iPad Pro 12.9-inch, iPad Pro 10.5-inch
          • iPod touch (sixth generation)
      • If your iPhone/iPad/iPod is running a version of iOS earlier than iOS 11, then please follow these directions:
        1. Before you update to iOS 11, it’s a good idea to back up your device’s data through iTunes on your computer or iCloud.
        2. Connect your device to a Wi-Fi network.
        3. Open the Settings app on your device and tap on General.
        4. Tap Software Update, and wait for a notification about iOS 11 to appear. Then tap Download and Install.
        5. Alternatively, tap Install Tonight or Remind Me Later to schedule the installation for a more convenient time.
    • Android 
      • At this time there has not been a patch made available for Android. Google has announced that there will be a patch released on November 6, 2017, although depending on your cell phone provider it may not be released until a later date. There are also several Amazon products that run Android-based operating systems (Fire Stick, Fire TV, etc.). We suggest that, at this time, you refrain from using your device to transmit and access sensitive data until the patch has been released.

Vendor responses to this security vulnerability:

For additional information:

We, the staff of Albright College Information Technology Services, strive to provide timely, seamless information services and technology support to our campus community. We would love to hear from you if you have comments or suggestions.