The Key Reinstallation Attack (KRACK) vulnerability, whose key exploit allows the decryption of WPA2 messages, was recently announced. This may open up additional vulnerabilities toward a wireless client and affect the security and integrity of its browsing traffic.

KRACK is an attack against Wi-Fi infrastructure and clients, rather than against a specific wireless network. This means that eduroam is no more or less affected than any other Wi-Fi network, and there is nothing you need to specifically do for eduroam that you wouldn’t already need to do for any other Wi-Fi network.

There are no reports of this being actively exploited, and because this is not a remote attack, it can only happen within proximity of vulnerable access points and clients. This is not a service-affecting issue: the eduroam authentication infrastructure will continue to function normally, and your login credentials (username/password or certificate) continue to be securely transmitted.

It is recommended that technicians responsible for wireless networks closely monitor the availability of software updates from their vendor and patch as soon as possible. An interim measure is to disable 802.11r (aka Fast Roaming) until an update is available.

Update your phone, tablet and laptop as soon as patches are made available by your manufacturer to protect yourself from this vulnerability, which can occur on all WPA2 networks (including your home, café, airport and other enterprise wireless networks).

Legacy WPA & TKIP networks continue to be deprecated for a multitude of reasons, and you shouldn’t re-enable them: doing so isn’t a solution to this problem and will cause issues. The best practice is currently (and remains) WPA2 + AES-CCMP.
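
One way to check an access point configuration against the recommendations above (802.11r off, no legacy WPA or TKIP, WPA2 + AES-CCMP). This is an added example, not part of the original advisory; it assumes a hostapd-style configuration file, since the advisory names no AP software, and the sample configs are constructed.

```python
# Added example: audit a hostapd-style config against this advisory's guidance.
# hostapd is an assumption; the advisory itself names no AP software.

def parse_conf(text):
    """Return key=value pairs, ignoring blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_conf(text)
    findings = []
    # 802.11r appears as FT-* suites in wpa_key_mgmt (e.g. FT-EAP, FT-PSK).
    ft = [s for s in conf.get("wpa_key_mgmt", "").split() if s.startswith("FT-")]
    if ft:
        findings.append("802.11r enabled via " + ",".join(ft))
    # wpa is a bitfield: bit 0 = legacy WPA, bit 1 = WPA2.
    wpa = int(conf.get("wpa", "0"))
    if wpa & 1:
        findings.append("legacy WPA enabled (wpa=%d)" % wpa)
    if not wpa & 2:
        findings.append("WPA2 not enabled (wpa=%d)" % wpa)
    # Flag TKIP wherever it is offered as a pairwise cipher.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append("TKIP offered in " + key)
    # Checker policy (an assumption of this example): CCMP must be set explicitly.
    if "CCMP" not in conf.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise does not list CCMP")
    return findings

# Constructed sample configs (not from any real deployment).
WEAK = "wpa=3\nwpa_key_mgmt=WPA-EAP FT-EAP\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP TKIP\n"
GOOD = "wpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(sample) or "OK")
```
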

Additional information on this vulnerability can be found at SANS and Mojo Networks. Thanks to SURFnet, AARNet and TENET for information used in creating this advisory.