When YOU SET up a new Wi-Fi network, you’re probably conditioned by now to check the “WPA2” box. You may not specifically know when or why someone advised you to do this, but it was solid advice. Wi-Fi Protected Access 2 is the current industry standard that encrypts traffic on Wi-Fi networks to thwart eavesdroppers. And since it’s been the secure option since 2004, WPA2 networks are absolutely everywhere. They’re also, it turns out, vulnerable to cryptographic attack.
A flaw in WPA2’s cryptographic protocols could be exploited to read and steal data that would otherwise be protected, according to new research from security researcher Mathy Vanhoef of KU Leuven in Belgium. In some situations, the vulnerability even leaves room for an attacker to manipulate data on a Wi-Fi network, or inject new data in. In practice, that means hackers could steal your passwords, intercept your financial data, or even manipulate commands to, say, send your money to themselves.
An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults, an important limitation. But given the ubiquitous use of WPA2 on tens of millions of Wi-Fi enabled devices around the world, the problem has enormous scope.
“Any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available,” Vanhoef urges. “If your device supports Wi-Fi, it is most likely affected.”
A devastating flaw in Wi-Fi’s WPA security protocol makes it possible for attackers to eavesdrop on your data when you connect to Wi-Fi. Dubbed KRACK, the issue affects the Wi-Fi protocol itself—not specific products or implementations—and “works against all modern protected Wi-Fi networks,” according to Mathy Vanhoef, the researcher that discovered it. That means that if your device uses Wi-Fi, KRACK likely impacts it. Fortunately, major tech companies are moving quickly to patch the issue.
How does KRACK break Wi-Fi security?
KRACK (short for, uh, Key Reinstallation AttaCK) targets the third step in a four-way authentication “handshake” performed when your Wi-Fi client device attempts to connect to a protected Wi-Fi network. The encryption key can be resent multiple times during step three, and if attackers collect and replay those retransmissions in particular ways, Wi-Fi security encryption can be broken.
What devices are affected by KRACK?
If your device uses Wi-Fi, it’s likely vulnerable to the KRACK Wi-Fi security flaw to some degree, though some get it worse than others.
What happens when Wi-Fi security is broken?
For starters, the attacker can eavesdrop on all traffic you send over the network. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” Vanhoef says. For a deeper look at the potential impact, check out PCWorld’s article on what an eavesdropper sees when you use an unsecured Wi-Fi hotspot. It’s a few years old, but still illuminating.
The United States Computer Emergency Readiness Team also issued this warning as part of its KRACK security advisory, per Ars Technica: “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.” HTTP content injection means the attacker could sneak code into the websites you’re looking at to infect your PC with ransomware or malware.
So yeah, it’s bad. Keep your security shields active, just in case. PCWorld’s guide to the best antivirus software can help you select a reliable solution if needed.
Is Wi-Fi security being broken in the wild?
“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” Vanhoef says. US-CERT’s advisory didn’t include any information about whether KRACK is being exploited in the wild, either.
Now for some somewhat settling news: Iron Group CTO Alex Hudson says an attacker needs to be in range of your Wi-Fi network to carry out any nefarious plans with KRACK. “You’re not suddenly vulnerable to everyone on the internet,” he says.
How to protect yourself from KRACK’s Wi-Fi flaw
Keep your devices up to date! Vanhoef says “implementations can be patched in a backwards-compatible manner.” That means that your device can download an update that protects against KRACK and still communicate with unpatched hardware while being protected from the security flaw. Given the potential reach of KRACK, patches are coming quickly from many major hardware and operating system vendors. Up-to-date Windows PCs, for example, are already protected.
Until those updates appear for other devices, consumers can still take steps to safeguard against KRACK. The easiest thing would be to simply use a wired ethernet connection, or stick to your cellular connection on a phone. That’s not always possible though.
If you need to use a public Wi-Fi hotspot—even one that’s password protected—stick to websites that use HTTPS encryption. Secure websites are still secure even with Wi-Fi security broken. The URLs of encrypted websites will start with “HTTPS,” while unsecured websites are prefaced by “HTTP.” The Electronic Frontier Foundation’s superb HTTPS Everywhere browser plug-in can force all sites that offer HTTPS encryption to use that protection.
Alternatively, you can hop on a virtual private network (VPN) to hide all of your network traffic. Don’t trust random free VPNs, though—they could be after your data as well. PCWorld’s guide to the best VPN services can help you pick out a trustworthy provider. And again, keep your antivirus softwareup to date to protect against potential code injected malware.
Going forward, the Wi-Fi Alliance will require testing for the KRACK WPA2 vulnerability in its global certification lab network, so new devices will be protected out of the box.
Device and router Wi-Fi security FAQ
Is my phone at risk?
KRACK is a different sort of attack than previous exploits, in that it doesn’t go after devices, it goes after the information you use them to send. So while the data stored on your phone is safe from hacking, whenever you use it to send a credit card number, password, email, or message over Wi-Fi, that data could be stolen.
So my router is vulnerable?
That’s closer, but still not totally accurate. It’s not the device that’s at risk, it’s the information, so the sites you visit that aren’t HTTPS are most vulnerable.
Oh, so I should change my Wi-Fi password then?
Well, you can, but it’s not going to stop the likelihood of attack. The exploit targets information that should have been encrypted by your router, so the attacker doesn’t need to crack your password to implement it. In fact, it has no bearing on the attack whatsoever.
So all devices are at risk?
Now you’re getting it. However, while any device that sends and receives data over Wi-Fi is at risk, the researchers who uncovered the attack said Android devices were more at risk than other mobile phones.
Great, I have an Android phone. But I’m running Nougat so I’m safe, right?
Unfortunately, no. Newer phones running Android 6.0 or later are actually more at risk since there is an existing vulnerability in the code that compounds the issue and makes it easier to “intercept and manipulate traffic.”
However, a fix is available for some devices. Google has fixed the KRACK vulnerability in its November security patch ready for November 6, which is rolling out to Pixel and Nexus devices. But it could take weeks or even months for Android hardware makers and cellular providers to validate and deploy the patch to other phones and tablets. Many devices, especially older ones, may never receive the update.
So are my iPhone and Mac safe?
Safer than Android, but still not entirely safe. However, all current iOS, macOS, watchOS, and tvOS versions include a fix for KRACK, so go and update if you haven’t already.
What about Windows PCs?
They’re safe if you stayed updated. Microsoft released a Windows patch to protect against KRACK on October 10, before the vulnerability was made public.
I run Linux. I’m impenetrable to attack, right?
Not quite. Researchers actually found that Linux machines were the most vulnerable desktop devices, with a similar bug to the one found in the Android code. Now for the good news: An upstream Linux patch is already available, as are KRACK-blocking updates for Ubuntu, Gentoo, Arch, and Debiandistributions. A patch is also available for OpenBSD.
I have automatic updates turned on. How do I know if my mobile device has been updated?
The quickest way is to check the system’s software updates tab in your Settings app to see when the most recent version has been updated. More helpfully, Owen Williams is keeping a running list of companies that have distributed patches on his Recharged blog. It’s a stellar resource.
What about my router?
First, you should check to see if your router has any pending firmware updates. Most people aren’t as vigilant in updating their routers as they are with their phones or PCs, so log into your admin page and install any waiting updates. If there aren’t any, it’s a good habit to check back every day, since companies will be rolling out patches over the coming weeks, with some already being implemented.
Netgear, Intel, Eero, and business-focused networking providers already have KRACK router patches available. Eero’s is rolling out automatically as an over-the-air update. The popular DD-WRT open router firmware has designed a patch, but it isn’t available to download yet. Expect it soon.
So should I turn off Wi-Fi?
That’s probably not a viable option for most people, but if you’re completely panic-stricken, then the only way to be completely safe is to avoid using Wi-Fi until you know your router has been patched.
Ref
https://www.pcworld.com/
https://www.wired.com/
The above information is only for educational purpose. See Terms and Conditions
