• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Keeping data safe
    • Email & phishing scams
    • Secure data removal
    • IU passphrases
    • Using social media
    • Web privacy
    • Account privileges
    • Remote Desktop
    • Cybersecurity while traveling
    • Identity verification
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Storage drives
      • Wearable technologies
      • Protecting data in copiers and multifunction devices
      • Use of survey software
      • Solid State Drives
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
  • Information & IT Policies
    • The Policy Hierarchy explained
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Mitigation Responsibilities (IT-28) Review
    • Federal & international regulations
    • Indiana Data Protection laws FAQ
    • IT-12.1 Mobile Device Security Standard
  • Information Security & Privacy Program
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Governance
    • Principles
  • Protecting Data & Privacy
    • Privacy matters
      • Privacy harms
      • Privacy principles
      • Understanding and protecting privacy
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Professionals
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Benchmarks
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Training & awareness
      • Incident Response Webservice
      • Penetration test
      • SSL/TLS certificates
      • Vulnerability scanners
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Keeping data safe
    • Email & phishing scams
    • Secure data removal
    • IU passphrases
    • Using social media
    • Web privacy
    • Account privileges
    • Remote Desktop
    • Cybersecurity while traveling
    • Identity verification
    • Hardware & software security
    • File sharing & copyright
  • Information & IT Policies
    • The Policy Hierarchy explained
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Mitigation Responsibilities (IT-28) Review
    • Federal & international regulations
    • Indiana Data Protection laws FAQ
    • IT-12.1 Mobile Device Security Standard
  • Information Security & Privacy Program
    • Safeguards
    • Governance
    • Principles
  • Protecting Data & Privacy
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Professionals
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Benchmarks
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • WPA2 Vulnerabilities

Vulnerability in WiFi security (WPA2)

Monday, October 16, 2017

Background

On Oct. 16, 2017, security researchers disclosed a flaw in the WPA2 protocol used to secure wireless communications.

Impact

Communications between vulnerable devices could be decrypted and hijacked. This includes mobile devices, computers, connected home devices, and wireless access points and routers. Any product which communicates over WiFi and uses WPA2 to encrypt that traffic is vulnerable.

Platforms affected

All Operating systems for clients and access points are affected. If you have a device which uses WiFi, it likely needs to be patched.

Local observations

IU Wireless access points have already been patched. You will still need to patch your own devices.

UISO recommendations

Install operating system patches and firmware updates as soon as they're available to any wireless device.
Firmware updates are usually manual and may not be provided for all devices.

Because so many devices are impacted, it is not possible to keep an exhaustive list of patches available. A link is provided below.

Workarounds

Use IU's VPN when communicating with a vulnerable or untrusted wireless device. This is good practice for any public, unsecured WiFi.

Further reading

  • Key Reinstallation Attacks
  • Current Status of KRACK firmware patching
  • CERT Vulnerability Notes
  • Connecting to IU's SSL VPN

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | Privacy Notice | Copyright © 2020 The Trustees of Indiana University