So, you’ve probably been reading about new vulnerabilities with wi-fi in the news this week. So have we, and a lot of this information is either a little vague or way too technical. Let’s walk through this recently discovered vulnerability, known in shorthand as KRACK, and find out what it means for you:
What is KRACK?
KRACK stands for key re-installation attacks, and it is a serious weakness in the WPA2 security protocol that protects almost all modern wi-fi networks. If you use a password to connect your computer, phone or other smart devices to the Internet, chances are the wireless connection is protected by WPA2. In short, attackers could exploit this bug to connect to, eavesdrop on and inject malware into a local wireless network. Think of it as a master key to access your home or business network without using a password, in order to spy on your traffic. Think about what information travels across your network each day – credit card numbers, e-mails, passwords, photos, business documents and more. This is not an insignificant risk.
Could I be affected?
If your device has wi-fi built in, it could be vulnerable. That’s billions and billions of products we use every day. But unlike other recent security bugs that can travel across the Internet, an attacker would have to be physically within range of your local wi-fi network to attempt a KRACK attack.
It does seem that some devices are more susceptible than others right now. One security architect points out in a blog that recent Windows (version 7 and newer) and Apple mobile devices (with iOS 10.3.1 or later) are mostly immune to KRACK. Unfortunately, devices running Android 6.0 (Marshmallow) and newer, as well as PCs and devices running the Linux operating system, are especially vulnerable to KRACK. This is according to the person who discovered the issue.
As of the writing of this blog, there have been no actual attacks based on the KRACK vulnerability in the wild, and carrying one out would be incredibly hard (but not 100% impossible). Still, it is important to pay attention to this flaw and take precautions against it.
What can I do to stay safe?
The most important thing you can do is watch for and install any new firmware or security updates that may come out for your Internet-connected devices, especially if they are fixes designed to stop KRACK. Technology manufacturers were notified of this bug back in July, well before it was made public, so many have already taken steps to guard against it. Google is expected to patch the issue in Android in the coming weeks. Apple has patched against KRACK in recent beta versions of all its operating systems, so those permanent fixes will filter down to everyone in the near future. Windows users should make sure Windows Update is enabled and up-to-date, as an October 10th update contained a KRACK patch. Amazon is also expected to patch its technology products soon.
There are a few other tips for staying safe from a KRACK attack. Most importantly, do not stop using WPA2. Older wi-fi security protocols like WEP were replaced for good reason, and going without password protection is even more dangerous. If possible, connect to the network with a wired (ethernet) connection instead of wi-fi. Stay off of public wi-fi hotspots or any wi-fi networks you don’t know – even if they require a password to access them. Users concerned about protecting sensitive data may also want to use a reputable VPN (virtual private network) service to shield their online traffic from eavesdroppers.
Some things to remember
Note that changing passwords won’t do anything to protect against KRACK. Since the vulnerability allows hackers to gain access to your network without a password, a password change won’t make a difference. Secondly, just going to sites that use the secure HTTPS protocol, like those that collect credit card information, doesn’t shield you from a KRACK attack, though in general it’s a good practice to watch for HTTPS on sites that collect sensitive data.
Also bear in mind that some devices, including older, obsolete electronics and so-called “Internet of things” devices with wi-fi (like baby monitors), may never get patched, according to security researchers. Luckily, patched devices can still communicate with unpatched ones. The most important takeaway is to make sure you stay on top of updates for all your wi-fi connected devices.
What do I do if I need help?
Technology is rapidly and constantly changing, and in tandem with the open Internet, there will always be bugs and bad actors intent on exploiting them. That’s why it’s more important than ever to have a technology expert you trust. If you have any questions about KRACK or need help improving and securing your network, give Suess Electronics a call at 920-733-6464. We sell and install industry-leading Pakedge network hardware for homes and businesses.