On Monday, it was announced publicly that Wi-Fi security, specifically the WPA2 standard, was essentially broken. The culprit is a bug named KRACK (Key Reinstallation Attack) which takes advantage of fundamental flaws in how WPA2 operates, and has exposed many shortcomings in how the industry responds to such attacks as well. WPA2 (Wi-Fi Protected Access II) is hugely prevalent, as it is the current generation of authentication used on wireless networks. That means that almost every wireless device could be affected by KRACK, as most devices use WPA2. This includes everything from laptops and phones to routers and IoT (Internet of Things)/Smart devices.
KRACK is a Wi-Fi vulnerability with a scope almost impossible to measure, and no easy resolutions. We can only learn from it going forward.
First of all, it’s important to explain how it’s technically possible to take advantage of this vulnerability. Simply put, when a device is connecting to a Wi-Fi point, they have to authenticate. This is accomplished using something called a four-way handshake, where the password that the user provided is checked and the encrypted connection between device and network is established. This verification process uses (you guessed it) WPA2, and this is the bit where a hacker or person with malicious intent can inject themselves into the proceedings. Hackers can interfere with the initial handshake in a way that allows them to decrypt the traffic you exchange over Wi-Fi. The hacker doesn’t even have to be on the network themselves to take advantage of this, just be in physical proximity to the wireless signal.
So once the hacker has decrypted your traffic, what could they actually do? Well, they would be able to see any data being transmitted, and even modify or forge it. Hackers could, for example, use this to inject ransomware into seemingly harmless websites as you browse them. This could lead to severe malware infections, even for the most careful of clickers. They could also use this to access any shared storage on the network if they are not password-protected. One positive point here is that even if a hacker does use KRACK to decrypt your traffic, they still wouldn’t be able to see traffic between your device and a website using SSL/HTTPS, or over a VPN. They can still listen to the conversation, so to speak, but won’t be able to understand it.
KRACK was actually discovered months ago, by security researcher Mathy Vanhoef, who disclosed the issue to relevant software companies and vendors, to give them time to come up with a fix before the issue went public. The fix for this issue is pretty simple, manufacturers need to create a security patch to close off the vulnerability, and then the user needs to apply the patch (or have it automatically applied, if their device supports it). Unfortunately, this is also where the scope of the problem is revealed to us.
Many devices use Wi-Fi, and each of them will need a patch in order to secure them. Industry giants like Microsoft and Apple have already created patches for their operating systems and devices, which will be available for download shortly. However, for most devices, the fix for this issue won’t come with the next update. Take, for example, the Android platform. Google develops Android, on which other phone manufacturers such as Samsung or HTC build. Google is already working on a security patch for Android, but only their own line of devices (Nexus and Pixel) actually run “stock” Android. All other Android devices will have to wait for their respective manufacturers to push out their own patches, which can typically take months after an official Google update.
If you then consider the Internet of Things and just how many different types of IoT devices exist out there, you start to see how long we could be vulnerable to KRACK. People are buying all kinds of “smart” items now, from smart fridges, TVs and thermostats to smart garage doors and lightbulbs. Each one of these would need its own separate patch applied. Does the average user know how the apply a security patch to their fridge? Probably not. And what happens when you own a smart device that is no longer supported, or that was made by a manufacturer that no longer exists? The likelihood of those devices ever receiving a security patch is next to zero, meaning that the impact of KRACK could last for decades. The best advice going for these devices is to simply purchase new devices that include protection against KRACK from day one. Expensive, but unfortunately the only way to be sure you’re protected.
So What Can I Do to Prevent KRACK From Affecting My Devices?
Patch them. Manufacturers will be scrambling to develop fixes for this issue, but that doesn’t mean anything if you don’t apply them to your device. Patching has proven time and time again to be one of the single most effective means to protect against all manner of malicious attempts, yet home and business users alike often neglect to patch their devices because it is inconvenient. ISPs will need to develop fixes for routers, but primarily KRACK is used to target client-side devices (i.e. your laptop, your phone, etc). You can check here to find out if your device manufacturer currently has a fix, or when they’re likely to have one ready. And if you own a smart device that isn’t going to get a patch, you may need to look at replacing it.