Wi-Fi is everywhere—we can barely function at work, home or on the go without it. We live in a connected world and we ♥ wireless. It’s built into our phones, laptops, thermostats, cameras, locks, refrigerators, and more. The list goes on and on, welcome to the Internet of Things (IoT)!
Devices often connect wirelessly through WPA2—a security protocol most have heard of and many have even deployed (remember setting up that home router or wireless printer?). It’s just about everywhere.
Bad news: WPA2 has a great big hole in it.
Things changed this week with the discovery of a major vulnerability at the heart of WPA2. Experts say “if your device supports Wi-Fi, it is most likely affected.” In other words, the majority of Wi-Fi devices we’re using today are now open to attack. We’re not just talking wireless routers, we’re talking anything that communicates over Wi-Fi: Phones, laptops, TV’s...you name it.
Using what is now known as a KRACK attack—KRACK is short for short for “Key Reinstallation Attack”—an attacker can intercept and manipulate traffic between devices and routers. The bad guy can see and steal things they’re not supposed to (e.g. passwords, confidential emails, financial information) and potentially run malicious commands (e.g. transfer money, install malware) on our devices.
Good news: We have a fighting chance.
Unlike many of the recent attacks in the news, what we know right now is that an attacker needs to be in range of the network to perform a KRACK attack. Physically in proximity and armed with the right set of skills. Additionally, when traffic travels over HTTPS—as it does on many websites—an attacker can’t look at it.
Manufacturers are scrambling to develop and release patches to fix the security vulnerability in their devices. According to TechCrunch on 10/17/17, “Microsoft already published a KRACK fix, Apple and Google are working on it” and the community is moving fast to spread the word. For example, check out Here's every patch for KRACK Wi-Fi vulnerability available right now from ZDNet. But keep in mind, while some have made strides, there is a lot of work to be done given the sheer number of manufacturers, many of which need time to develop and test patches prior to release.
Don’t let this one slip through the KRACKs
- Be vigilant and get your devices updated ASAP. For example, Microsoft released a patch last week. If you’re running a Windows device, put those updates through now.
- Be aware and know that many devices don’t automatically update like some computers do. You may need to contact manufacturers and vendors to learn how to run an update manually.
- Get started with your wireless router and then move to every Wi-Fi enabled device (check out Bleeping Computer’s List of Firmware & Driver Updates and CERT’s Vulnerability Notes Database to see where device manufacturers stand).
- Consider using an extension like HTTPS Everywhere to improve safety when browsing the web.
While it’s rare something like this happens on such a large scale, the discovery of security “holes” in products happens every day. As you continue to install and use more wireless devices, remember to put updates through early and often and take quick action when weaknesses and risks are discovered.
Your Friends @ Launch Security