Krack Attacks: You use WPA2 to access the internet every day, and you could be vulnerable to a Krack Attack.
Virtually all modern WiFi networks employ WPA2 as a security protocol. A couple of months ago, a security researcher named Mathy Vanhoef discovered an existing vulnerability in all WPA2 WiFi network connections. He called this vulnerability a key reinstallation attack or KRACK. Hackers could possibly exploit this flaw to create a copy of data transmitted over the WiFi connection without having to know your device or WiFi password.
How Serious Are Krack Attacks?
As Larry David might say, this flaw could be pretty, pretty, pretty serious. Since almost all internet connections employ WPA2 as a security protocol, it really won’t matter if you get online with your laptop, Android or Apple phone, or any other device. Since the attacker doesn’t need a password, your secured device or router won’t help either.
If a hacker knew how to steal data with a Krack attack, his only limitation would be that he needs to physically be within the range of your online connection. If you’ve ever checked for internet connections on computer or phone, you already know that you are almost always within range of several secured or unsecured connections if you’re at home in your neighborhood or at work in your office.
The hackers steal data through your connection and not from your computer, tablet, or phone so all devices could be impacted. Dozens of name-brand router, computer, and device vendors have been impacted by and notified of the problem. The researcher said that Android and Linux were the most vulnerable. Still, the list of impacted vendors includes Apple, Microsoft, Cisco, and much more.
Are Vendors Fixing Their Systems Against Krack Attacks?
Vanhoef discovered the possibility of Krack attacks in July of 2017. He promptly contacted vendors but had originally planned to wait a month to publish his findings publicly. When Vanhoef started working with the vendors, the scale of the problem grew larger than was first expected, so he delayed his public announcement until October.
You might wonder why researchers don’t release this sort of security information to protect the public right away. Typically, when security researchers uncover vulnerabilities, they give vendors a chance to take action before they make the information public. Otherwise, hackers might get the information to make use of before the vendors can issue patches. There doesn’t seem to be a lot of information about any true attacks using this method, so in this case, the researcher may have stayed ahead of the criminals.
Status Updates for Krack Patches
At this time, Microsoft says they’ve already released a patch. Cisco has released patches for some devices but not all. Dozens of other vendors are working furiously on the problem. You can find a list of patches and status updates on ZDNet. The article said it would get updated with future announcements, but you might also check with your own product maker’s website.
As always, you would be prudent to apply any manufacturer’s updates as you get them. You can also set most devices to accept automatic updates.
How to Proceed Until Your Device Gets a Krack Attack Patch
These are some steps you can take to protect your own data:
- According to Vanhoef’s website, secure sites with a URL that starts with https: may offer some additional layers of protection; still, they managed to even bypass this security in certain situations. These situations included non-browser software, such as some Apple and Android apps.
- Hackers can use this method to steal data on secure or unsecured networks, but remember that they have to be within range. If your network doesn’t have other layers of protection, you may want to avoid public areas when accessing private data. Again, you can probably see a handful of other networks at home or in your office, so you know that this isn’t entirely foolproof either.
- Refer to your manufacturer’s websites for information on Krack attacks and instructions about how to proceed securely. If you can’t find the information online, and you need to use your device to access sensitive information, you may want to contact the manufacturer for instructions for your unique situation.
- Larger companies and other organizations might already protect themselves with multiple layers of protection, so a Krack attack can’t proceed. It’s likely that small businesses and personal users will be the most vulnerable.
The good news is that there isn’t much evidence that any hackers have actually exploited this flaw yet to steal data. It’s always a positive sign when security researchers discover security problems before criminals do. However, now that this information is publicly available, the situation could change. Vendors are under tremendous pressure to issue patches, but until you’re sure that you’ve received a patch, you should remain aware that your data may not be as secure as you thought it was.
Published on 20th October 2017 by Carl Fransen.