Widespread security threat affects all WiFi-enabled devices

People using cellphones

The multitude of devices that connect to wireless networks are vulnerable to a new kind of attack, information security researchers announced Oct. 16.

The newly discovered "KRACK" vulnerability opens the possibility for cybercriminals to steal a wide array of data from laptops, tablets, phones and any other device that connects to WiFi — even on networks that seem secure.

"If you have a computer or other device that uses WiFi, it is almost certainly affected," said Jon Miyake of UO's Information Security Office, a unit within Information Services, the central information technology department.

An attacker can use WiFi to steal sensitive information, such as passwords, credit card numbers and emails, exploiting a vulnerability in the way wireless networks are secured.

UO Information Services is evaluating the university's network infrastructure and taking steps to ensure its security. However, individuals still must take action to prevent attacks on their personal devices or on any university devices they manage.

The most important way for members of the campus community to protect themselves, according to Miyake, is to install updates to operating systems on all of their wireless devices. That includes devices running Windows, macOS, Android and iOS, as well as other computers, smartphones, connected home devices, and anything else that supports WiFi.

Some companies, such as Microsoft, have already released updates to address this vulnerability. However, many others have yet to do so. Miyake encourages members of the campus community to stay alert to updates that may be released in the coming days and weeks for all of their devices, and to install those updates as soon as they become available.

One tool that can provide some measure of protection is the browser plugin HTTPS Everywhere from the Electronic Frontier Foundation. Available for certain common browsers, this plugin makes the user's web browsing more secure by encrypting communications with many websites. However, it is by no means a comprehensive shield against KRACK attacks.

Anyone who has questions, would like assistance updating their devices, or would like to learn more about security technologies such as VPN, virtual private networking, should contact IT staff in their department or the Technology Service Desk at 541-346-4357 or through the new UO Service Portal.

—By Nancy Novitski, University Communications