You may already have heard the buzz about KRACK. Last week, the United States Computer Emergency Readiness Team (US-CERT) disclosed that Wi-Fi users are at risk of sharing unencrypted traffic with potential hackers due to a vulnerability of Wi-Fi protocols to KRACK — aka Key Reinstallation Attacks.
So what does KRACK mean for event planners?
“Imagine you have an event with 20,000 attendees and one advanced hacker in Wi-Fi range,” wrote Silke Fleischer, co-founder of ATIV Software, the developer of EventPilot conference apps. “When an attendee logs into your Wi-Fi, this attacker could intercept the traffic between the attendee’s devices and your Wi-Fi routers and inject code that modifies the web content presented to your attendee. For example, your attendees could be clicking on a changed link on your website that now directs to a malicious site that collects passwords and credit card details.
“While this is a pretty scary scenario,” Fleischer continued, “it’s not that new, as your Wi-Fi passwords are probably publicly available anyway — an injection like this was possible in the past. But KRACK is a good reminder of the risk that unsecured traffic can pose to you and your attendees.”
Fleischer recommended the following to reduce risk:
1. Don’t blindly trust your event venue. Consider hiring a technical consultant.
Your venue’s Wi-Fi may be running on outdated equipment with outdated firmware, but many meeting planners aren’t equipped with the technical knowledge to determine whether the Wi-Fi setup at a venue is secure. “In my experience, most venues do not firewall or even manage network connections outside of using basic bandwidth caps,” said Matt Thayer, director at Presentation Management Systems. “Event planners seem to trust their venues — often unquestioningly — to deliver secure technology solutions, but it is actually pretty rare to see a venue with a qualified network engineer on staff.” A technical consultant knows to ask about AES vs. TKIP protocols and may also help you negotiate the fastest speed for the best price.
2. Contact your event’s Wi-Fi provider and ask about KRACK.
Affected router vendors received information about the vulnerability months before the public announcement, so firmware updates and patches are either already available or will soon be made available. Ask whether your venue Wi-Fi provider has fully updated the firmware — or let your technical consultant ask.
3. Install software updates.
Check your devices’ operating systems (including your own mobile devices and your computers) to ensure they are fully updated, including any patches or updated drivers that are available. (Microsoft has already released a patch, the KRACK patch for Android is supposed to become available Nov. 6, and an Apple fix is in beta.)
4. Use secure [HTTPS] website links only.
While your organization may be able to control your own server security, your online meeting program is a repository of outbound links — many of which are not secure. While it does not offer 100 percent protection from KRACK, using HTTPS (Hypertext Transfer Protocol Secure) adds a layer of protection. In a recent project, ATIV saw 95 percent of the exhibitor links pointing to a URL using HTTP (Hypertext Transfer Protocol) instead of the secure HTTPS. Ask your vendors to accept only URLs starting with https when exhibitors or speakers enter them into form fields.
To make your own browsing more secure, install the “HTTPS Everywhere” browser extension. The Chrome browser also shows you whether a site is secure.
5. Require suppliers to use URLs that begin with HTTPS.
While your event suppliers likely have a secure server set up, they may inadvertently be distributing URLs that begin with the non-secure HTTP, via APIs or data exports to integration partners. EventPilot, for example, works with large medical meetings and scientific conferences, some of which have as many as 20,000 sessions and abstracts, along with hundreds of exhibitors, and ATIV imports data sets from multiple abstract management systems, registration providers, exhibit management companies, and others. Ask your vendors to review any outgoing data to ensure that it only contains secure URLs beginning with HTTPS.
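One way to carry out the review asked for in tips 4 and 5, as an added example (not ATIV's or any vendor's code): a Python audit of a data export that flags every link that is not an absolute https:// URL. The CSV layout, column names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export; column names and rows are assumptions, not real data.
SAMPLE_EXPORT = """exhibitor,website,brochure_url
Acme Devices,https://acme.example/booth,http://acme.example/brochure.pdf
Borealis Labs,HTTP://borealis.example,
Cobalt Pharma,www.cobalt.example,https://cobalt.example/info
Delta Imaging,https://delta.example,//cdn.delta.example/flyer.pdf
Echo Bio,ftp://echo.example/files,https://echo.example
"""

def classify_url(value):
    """Return 'ok' only for an absolute https:// URL with a host."""
    value = (value or "").strip()
    if not value:
        return "empty"
    parts = urlsplit(value)  # urlsplit lowercases the scheme
    if parts.scheme == "https" and parts.netloc:
        return "ok"
    if parts.scheme == "http":
        return "insecure-http"
    if not parts.scheme:
        # 'www.site' or '//host/path': whoever renders the link picks the scheme
        return "missing-scheme"
    return "other-scheme"

def audit_export(text, url_columns):
    """Scan a CSV export; return (findings, counts) for the given URL columns."""
    findings, counts = [], Counter()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for col in url_columns:
            verdict = classify_url(row.get(col))
            counts[verdict] += 1
            if verdict not in ("ok", "empty"):
                findings.append((line_no, row["exhibitor"], col, verdict))
    return findings, counts

def percent_not_https(counts):  # share of non-empty links that are not https
    total = sum(n for verdict, n in counts.items() if verdict != "empty")
    return round(100 * (total - counts["ok"]) / total) if total else 0

if __name__ == "__main__":
    findings, counts = audit_export(SAMPLE_EXPORT, ["website", "brochure_url"])
    for line_no, exhibitor, col, verdict in findings:
        print(f"line {line_no}: {exhibitor} [{col}] -> {verdict}")
    print(f"{percent_not_https(counts)}% of links are not HTTPS")
```

The same `classify_url` check can sit behind a submission form so that only `ok` values are accepted at entry time.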
6. Confirm that your event app vendor uses SSL (Secure Sockets Layer).
At large meetings, apps are likely to be the main access point to your conference program. EventPilot apps are generally used 60 to 100 times during the event by more than 80 percent of attendees — and most likely while attendees are using the venue’s Wi-Fi. Data is transmitted between the EventPilot conference app and EventPilot servers over SSL to keep user data secure. Ask your own app vendor to confirm that your app is communicating securely with the app provider’s server.
7. Use a VPN — virtual private network.
A VPN (virtual private network) adds a layer of security to all information transmitted over Wi-Fi. When using public Wi-Fi in your hotel or at your conference, always turn the VPN on. If your organization doesn’t provide a VPN, choose a VPN provider carefully — review their websites first to see if their software is up to date with regard to KRACK.
8. Connect to the internet using alternatives to Wi-Fi.
If you have a cellular data plan, you can share your internet connection with other devices and set up a hotspot. But hotspots are typically used over Wi-Fi, which is now vulnerable to this attack. To add security, share internet via Bluetooth or USB and turn Wi-Fi off completely, using your device’s “Settings” menu. If your speakers present sensitive information, provide Ethernet cables for their presentation computers, so they can connect directly to a router.
9. Don’t forget the Internet of Things.
If you use Wi-Fi enabled gadgets like cameras to monitor attendee traffic at events, ensure that those devices are secure. Don’t forget to check for firmware updates for all your home devices.
10. Educate your attendees and regularly remind them about security.
Use your event app’s notification feature to provide tips for more secure browsing. Include reminders to install security patches and firmware and system updates on all devices; to connect to hotspots using Bluetooth; to use a trusted VPN provider; and to install HTTPS Everywhere.
While there’s no need to panic over KRACK, Fleischer advises, “meeting planners and event professionals must be fully aware of security risks that their attendees are exposed to. You can mitigate some of the risks with the tips above and help your peers implement them by sharing this article.”
A version of this article appeared on LinkedIn.