www.krackattacks.com KRACK

Oh boy. This one is bad. In a year full of security vulnerabilities and hacking news, KRACK, the latest to be announced, is really bad. Revealed to manufacturers and US-CERT back in July (so they could prepare fixes), news about KRACK finally went public this morning.

Unlike a lot of the other major security vulnerabilities in this and past years, keep in mind: KRACK AFFECTS YOU.

I mean, unless you live in the woods and don’t use WiFi for anything. If you use WiFi and have a device, it’s a problem that you need to fix.

What is KRACK?

Basically, it’s a vulnerability in WiFi security, but it doesn’t represent a failure in any specific phone or computer or WiFi router. It’s a flaw in the actual standard, so that means it affects EVERYTHING. The discovery is credited to security researcher Mathy Vanhoef of KU Leuven in Belgium and was revealed on Monday. So keep in mind that in addition to all the things you normally think of as using the internet, it’s also a lot of things you might not think of… like that cool new smart doorbell, smart camera, smart TV… basically all of the Internet of Things too.

If you want the nitty-gritty details, KRACK (short for Key Reinstallation Attack) takes advantage of a vulnerability in WPA2, the security protocol that most everyone uses for WiFi. There are some older protocols like WPA and WEP that are laughably insecure by today’s standards and are also subject to the vulnerability. Mathy Vanhoef, the researcher who discovered the flaw, has a very comprehensive and surprisingly easy-to-understand website, and you can get the details straight from him.

But basically, a KRACK attack (it’s a new class of attack, not a specific piece of malware like WannaCry, for example) takes advantage of a vulnerability in the moment when a device joins a WiFi network. Instead of using a brand new security key, the attack forces the device to re-use an old one, or in the case of Android and Linux devices, an all-zero encryption key. This last part is especially bad, as it makes it easy to insert malware (like ransomware) into web browsing traffic.
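Why re-using a key is so damaging, shown as an added illustration that is not from the original post or from Vanhoef's site: a toy client restarts its per-packet counter whenever a key is installed, so installing the same key twice repeats the keystream. The SHA-256 keystream, the `Client` class and the sample frames are simplified stand-ins constructed for this example, not the real WPA2 cipher or any vendor's patch.

```python
import hashlib

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy keystream from (key, packet number); a stand-in, not the real WiFi cipher."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy WiFi client: every frame is XORed with keystream(key, packet number)."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        if self.patched and key == self.key:
            return                    # fixed behaviour: key already in use, keep the counter
        self.key, self.pn = key, 0    # installing a key restarts the packet counter

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def leak_after_reinstall(patched: bool) -> bytes:
    """What an eavesdropper who can guess frame 1 learns about frame 2."""
    known, secret = b"GET /index.html HTTP/1.1", b"password=correct-horse!!"  # constructed
    client = Client(patched)
    client.install_key(bytes(range(16)))        # constructed session key
    _, c1 = client.send(known)
    client.install_key(bytes(range(16)))        # same key installed a second time
    _, c2 = client.send(secret)
    # Same key + same packet number => same keystream, so c1 ^ c2 == known ^ secret.
    return xor(xor(c1, c2), known)

def read_with_zero_key(ciphertext: bytes, pn: int) -> bytes:
    """With an all-zero key nothing is secret: anyone can rebuild the keystream."""
    return xor(ciphertext, keystream(bytes(16), pn, len(ciphertext)))
```

With `patched=False` the second frame comes back in the clear; with `patched=True` the repeat install is ignored, the counter keeps climbing and the same arithmetic yields only noise.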

“Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
-Mathy Vanhoef, www.krackattacks.com

Don’t Panic!

First of all, realistically, attackers would have to be in range of your WiFi access point. Also, keep in mind that this vulnerability has likely been around for as long as WPA2, so at least 13 years. So, in a way, don’t stress too much, because the barn door has been open for a REALLY long time. Also, manufacturers have been aware of this since July and in some cases have developed a patch or have already rolled it out unbeknownst to you (if you auto-update your devices).

What to do?

First of all, the obvious thing is to avoid using WiFi as much as possible. I know that sounds crazy today, but one of the highest value targets for an enterprising hacker would be businesses, medical offices and even your local coffee shop. However, there are some practical ways you can limit your risk:

  • If you’re not on a low-limit data plan for your mobile phone, just turn off WiFi on your phone wherever possible, at least until everything gets patched (hopefully in the next couple of weeks).
  • Along with that, if you have the option to tether to your mobile, you can use your phone’s internet connection when you’re working on your tablet or laptop.
  • Not very practical for most people, but using a wired connection is much more secure. Of course my new MacBook Pro doesn’t even have an ethernet port, and realistically this is only going to be an option in an office or next to your home router.
  • Use a VPN. This is a bit of a double-edged solution. While VPNs can be extremely secure, it all depends on which one you use and whether or not the company providing the service is reputable. Another option that isn’t for everyone is to roll your own VPN server like OpenVPN, which actually comes bundled with some routers. I haven’t tested any of these myself, but PC Mag has an up-to-date comparison of the best VPN services of 2017.

If you’re the lucky person in charge of the internet router at home or in the office, CNET has a fairly comprehensive article about which manufacturers have released fixes or have made official announcements. To point out the highlights: Apple has tested a patch in beta for both iOS and macOS (and their other OSes), and Microsoft has already pushed out a patch for Windows; everyone else either hasn’t made a comment or is working on a fix but doesn’t have a hard ETA.

The most critical thing for most people is to patch your WiFi access point as soon as one is available.

Manufacturers release firmware updates periodically, and unfortunately 90% of home users never perform this critical task. If you have a semi-managed device (Eero as an example), it gets updated automatically, so once a fix is published you’ll get it eventually. For everyone else, you’ll need to get into your router admin page and click on a couple of buttons to apply the update (that’s usually all you have to do).

Also, while it’s never a bad idea to change your WiFi network password, it has no real bearing on this vulnerability. KRACK attacks don’t reveal the WiFi password, so in that regard it doesn’t matter.

Other than that, check for security updates every so often for the next few weeks; the manufacturers can’t ignore this issue and will get patches out soon. The problem will be with manufacturers of IoT devices, who often ignore security best practices and, from my own communications on this issue, discount the danger. In particular, if you’re using Android or Linux, make sure you update your device when possible, as you are in particular danger from this new attack.

Again, keep in mind that a hacker would need to be in range of your WiFi network, so unless you see some stranger parked outside of your house or office for an extended period of time, you’re probably not in any imminent danger, at least not from a KRACK attack. Get your devices patched ASAP, but don’t panic.