Security Update October 2017

Wi-Fi Alliance® provides trusted security to billions of Wi-Fi® devices and continues to support Wi-Fi users

As with any technology, the robust security research necessary to remain ahead of emerging threats will occasionally uncover new vulnerabilities. Security researchers identified vulnerabilities in some Wi-Fi devices and immediately brought their discovery to the Wi-Fi industry. There is no evidence of the vulnerability being used against Wi-Fi users maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.

  • Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network
  • Wi-Fi Alliance has provided a vulnerability detection tool for use by any Wi-Fi Alliance member
  • Wi-Fi Alliance is broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches

This issue can be resolved through a straightforward software update – a process much like the software updates Wi-Fi users regularly perform on their mobile devices – and major platform providers have already started deploying these patches. The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information.

As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers. Security is a dynamic endeavor, and Wi-Fi Alliance will continue to maintain strong security protections for Wi-Fi users.

Relevant Identifiers:

  • CERT case ID: VU#228519
  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13084
  • CVE-2017-13086
  • CVE-2017-13087
  • CVE-2017-13088

Relevant research:

Wi-Fi Alliance members may download the vulnerability detection tool here.

krack

Frequently Asked Questions

What is the potential impact of this vulnerability on consumers?

There is no evidence that the vulnerability has been exploited maliciously, and consumers should expect an orderly update cycle for affected devices. We recommend all users install the latest recommended updates from end-device and network equipment manufacturers. It is important to note, that many consumer routers are not affected by this vulnerability, so consumers may not see an update available for their particular router. For those devices that have been affected, many vendors have already issued patches or will issue them shortly. Wi-Fi Alliance recommends checking the vendor’s website for information on specific vendor updates. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

Is the identified vulnerability a WPA2™ protocol issue or on issue related to specific device implementations?

When considering the question of whether a vulnerability is a protocol or implementation issue, the purpose is often to determine the vulnerability’s broader implications, such as the pervasiveness of the vulnerability, the ease of addressing the vulnerability, and the ability to maintain interoperability between patched and unpatched devices. In this instance, the issue can be resolved through straightforward software updates that retain interoperability across Wi-Fi devices. Major device and platform providers, including major operating systems, have already started deploying updates, protecting a substantial number of affected devices. The Wi-Fi industry is evaluating whether additional clarity or guidance on implementing the protocol is necessary in the standard.

How will vulnerabilities in existing devices be fixed?

The issue can be resolved with a straightforward software update – much like users regularly perform on their Wi-Fi devices already. Major platform vendors have already started distributing updates to their users, and updates will continue in the coming weeks. Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.

Will the fixes to address this vulnerability create interoperability issues between Wi-Fi devices?

The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

Will the vulnerability detection tool be made available for non-Wi-Fi Alliance member companies?

Wi-Fi Alliance is making its vulnerability detection tool available exclusively to Wi-Fi Alliance members in the interest of protecting Wi-Fi users. Similar to the concept of responsible disclosure, it is important to give vendors an opportunity to distribute patches before tools for detecting the vulnerability become readily available. Wi-Fi Alliance may consider making the tool available to non-members after a reasonable period of time.

How will I know if my device is affected?

Users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.

What will Wi-Fi Alliance do to prevent these types of issues moving forward?

Events like this are rare, but security is never static. Maintaining strong security protections will always be an ongoing effort. Wi-Fi Alliance encourages responsible disclosure of any discovered security vulnerabilities, as was the case with this particular scenario, to ensure the best possible outcome.