Manfra, assistant secretary for cybersecurity and communications at DHS, said that the Software Engineering Institute’s CERT Division alerted DHS on the WPA2 exploit technique dubbed Key Reinstallation Attack, or KRACK.
She added that KRACK could likely affect any standards-compliant implementation of WPA2 since the vulnerabilities are in the 802.11i protocol.
Threat actors can use KRACK to exploit Wi-Fi networks within range and view network traffic that WPA2 encryption is expected to protect, according to Manfra.
She noted that attackers could also access user information such as emails, chat messages, pictures, credit card numbers and passwords if additional security measures like HTTPS are not implemented.
Following the publication of the CERT report, DHS' United States Computer Emergency Readiness Team (US-CERT) released a public alert in an effort to provide information on KRACK to a wide audience.
DHS also sent a directive to all federal departments and agencies that requires the use of cybersecurity best practices to secure websites and email messages.
The department worked with the FBI to issue a joint technical alert on advanced persistent threats against critical infrastructure, especially the energy sector.