This morning security researchers publicly announced a vulnerability in current wireless encryption standards (WPA2). The weaknesses are in the Wi-Fi standard itself, so any device supporting Wi-Fi is most likely affected.
The vulnerability is exploited through key re-installation attacks (KRACKs). To exploit it, an attacker must be within range of the target in order to manipulate the WPA2 key exchange (a 4-way handshake). It is unknown whether this vulnerability is currently being exploited in the wild.
According to Cisco, 5GHz connections to the wireless access points on campus are not affected, while 2.4GHz connections are still vulnerable. All access points will be patched within the next few days.
At MIT, only about 30% of wireless devices are using the encrypted MIT SECURE network, which Information Systems & Technology (IS&T) recommends. The MIT and MIT GUEST networks are unencrypted.
The situation is evolving; many vendors have not announced whether their products are vulnerable or provided a timeline for patches. It’s important that you update your devices as soon as patches become available, including for Windows, macOS, iOS, and Android. Please keep your home networks in mind as well, and update any Wi-Fi-enabled devices you use off campus.
If you have any questions, contact firstname.lastname@example.org.