News and Views

October 17th 2017 - Widespread WiFi security vulnerability (KRACK)

What is it, why should I be concerned?

Since Monday morning of this week, 10/16/17, news outlets have been reporting on a newly discovered vulnerability in nearly all devices that use WiFi to communicate. The analysts who discovered it have named it 'KRACK'. This vulnerability affects many brands of laptops, tablets, phones, etc. This is likely the largest security vulnerability of this kind discovered to date, considering that it affects hundreds of brands of products and platform variations, which adds up to at least millions of devices.

This vulnerability can give hackers the ability to steal anything you may send over WiFi networks, including credit card numbers, passwords, IM messages, emails, etc. The vulnerability is really in the WiFi standard, not the devices we use; however, since the WiFi standard is used in our devices, the devices are affected! The good news is that (most of) our devices can be updated to fix this issue.

What is the University doing?

Many people are still unsure of what this means to them personally and what, if anything, they should or can do about it. Members of our Cal State East Bay community may also wonder what it means to them when connecting to our University WiFi network.

First, concerning the University WiFi network: as of Tuesday morning, 10/17/17, the campus WiFi network was patched to fix this vulnerability. As the wireless platform Cal State East Bay utilizes is common to most CSU campuses, it is likely that other campuses you visit in the system are also patched. This means that the University and most CSU WiFi networks are generally not susceptible to this vulnerability.

However, the issue does not stop there: the personal devices we all use still likely need to be updated. Note that University-owned devices are being updated by the University ITS department. However, if you have a concern about your University-owned device, please open a ticket with the Service Desk at either or 510-885-HELP(4357).

What can I do?

Concerning personally owned devices of students, faculty and staff: please refer to the URL in the References section below to find your device and see what the manufacturer has done or is planning to do regarding your device(s). In some cases, there are patches already available. Once you have patched your device(s), it has been said that they are no longer vulnerable, even if the WiFi network you connect to has not been patched.

Note that your home router also needs to be patched; you can find those manufacturers in the list within the References section below. There is also a link in the References section on securing your home router, describing some steps on how to keep it safe in general.

In the meantime between now and when you are able to patch your device(s), please observe the following guidance on how you should interact with WiFi hotspots:

1. Try to avoid public WiFi hotspots, such as those in coffee shops, airports, mass transit and/or city-wide style hotspots.

2. If you can, subscribe to a VPN service and use it when connecting to public WiFi hotspots.

3. Whether using a VPN or not, always utilize the secure version of a web site by typing 'https://' in front of it. For example ""

4. Until your devices are patched, avoid using public hotspots when accessing sensitive personal data such as bank accounts, credit cards, student record(s), etc.

If you have any questions about this vulnerability, or any other IT security related issue, please contact us at