- Posted October 17, 2017
- By Matthew F. Fox
Reports of a recently discovered WiFi vulnerability have been all over the Internet. It’s nearly impossible to log in to Facebook or watch the news without hearing about the problem, and for a very good reason – all WiFi-enabled devices are at risk. Yes, ALL.
When we say all, we mean ALL. Your phone. Your laptop. Your iPad. Your home wireless router. Your Alexa. Your Philips Hue light bulbs. Your home stereo and refrigerator with the fancy screen on the front. Your smart TV. Your Raspberry Pi Smart Mirror (what, you don’t have one of those? We do…and now we have to update it).
Give Credit Where Credit is Due
Mathy Vanhoef, of the imec-DistriNet Research Group, discovered and publicly disclosed the vulnerability in the WPA2 protocol, which is used by nearly all modern protected WiFi networks. Thank you to these crusaders for finding this critical bug.
Have You Been Affected?
Probably not, at least not by THIS particular exploit. First, it requires the bad guy to be physically near your network (in range of your WiFi), and the exploit hasn’t had enough time in the wild to be too widespread. Paranoid? First do the updates required (keep reading), then change passwords. Don’t change your passwords via a potentially exploited network, as that kind of defeats the purpose!
The Technical Stuff
The vulnerability, dubbed KRACK, allows an attacker within range of a wireless network to use key re-installation attacks to bypass WPA2 security and read information that was previously assumed to be encrypted, allowing them to steal sensitive data. From passwords and credit card numbers to personal information, it’s all at risk.
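An added illustration, not part of the original article: a simplified Python model of why re-installing a key that is already in use is dangerous, and what a patched device does differently. The `Client` class, the toy keystream (a stand-in for the real WPA2 cipher), the session key and the two sample messages are all constructed for this example.

```python
import hashlib

P1 = b"GET /login HTTP/1.1"   # constructed sample frames, equal length
P2 = b"password=hunter2!!!"

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the WPA2 cipher: a stream derived from (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical WiFi client; 'patched' models a device with the update."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_handshake_msg3(self, key: bytes) -> None:
        # A retransmitted handshake message carries the key already installed.
        if self.patched and key == self.key:
            return                      # patched: keep key and counter as-is
        self.key, self.nonce = key, 0   # (re)install resets the packet counter

    def send(self, plaintext: bytes):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)

def replay_outcome(patched: bool):
    """Return (nonce_reused, ciphertexts_leak_plaintext_xor)."""
    client = Client(patched)
    key = b"constructed-session-key"
    client.on_handshake_msg3(key)       # normal key installation
    n1, c1 = client.send(P1)
    client.on_handshake_msg3(key)       # the same message arrives again
    n2, c2 = client.send(P2)
    # With a reused keystream, c1 XOR c2 equals P1 XOR P2: encryption cancels.
    return n1 == n2, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", replay_outcome(False))
    print("patched:  ", replay_outcome(True))
```

On the unpatched model both frames are encrypted with the same counter value, so the encryption cancels out between them; the patched model ignores the repeated key and the counter keeps advancing.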
It’s the Protocol, Not Your Device
The weaknesses exploited by the vulnerability are a part of the WiFi standard, and not individual devices.
Many companies, including Microsoft, have already started to release software updates to fix the problem. Microsoft says that the Windows updates released on October 10th protect customers against the vulnerability, and “withheld disclosure until other vendors could develop and release updates.”
With the scope of the vulnerability understood, there are several ways to protect yourself online.
The good news is that all of your devices can be updated to protect you from the vulnerability. All devices – desktops, laptops, tablets, mobile phones, etc. – should be updated with the latest available security patches. For more information, visit the manufacturer websites of devices you own.
Ultimately, all wireless devices need to be patched against KRACK, and your computer and mobile devices aren’t the only ones to keep in mind.
If you have IoT devices, you’ll need to consider which pose a serious risk if their traffic is intercepted. Devices, particularly security-based ones like wireless cameras or doorbells, must be reviewed immediately – unless you don’t mind someone snooping on you while you make dinner.
Don’t Forget Your Router
Unlike your laptop and mobile phone, your router isn’t a device that you interact with directly on a daily basis. As with your other devices, visiting your router manufacturer’s website will provide you with information and software updates to protect you. If your router was supplied by your ISP, call their support desk for more information. If they don’t have an answer, keep asking questions – or consider using an ISP that makes your security a priority.
Use an Ethernet Cable Instead of WiFi
If you haven’t yet updated your wireless router, then we recommend using a network cable whenever possible. Disable WiFi on the router and your computer, and be confident that all traffic is flowing over that secure Ethernet cable. Sure, this may seem like an inconvenience, but it’s much less of a headache than having your personal information stolen, right?
Switch to Cellular Data on Your Mobile Phone
Since mobile phones and other, similar, devices do not have Ethernet ports, consider using cellular data on your phone until your devices have been patched. While this may not be an ideal solution, it will help prevent others from snooping in on your traffic.
HTTPS is Your Friend
This vulnerability removes the protection WPA2 provides, so an attacker can view any traffic that isn’t encrypted some other way. If a website offers encrypted access via HTTPS, use it. It can be a pain to remember to do this, so the folks over at the Electronic Frontier Foundation did the Internet a solid by releasing HTTPS Everywhere – a browser extension that automatically tells your browser to use HTTPS wherever possible. The extension is available for Google Chrome, Firefox and Opera. (Sorry IE/Edge/Safari folks).
Be Proactive, KRACK is Whack
You now have several ways to defend yourself, and your personal information, against this recently discovered vulnerability. Of course, this is only one vulnerability and there are plenty more to come. In order to remain protected, be proactive and be sure to keep all of your devices up-to-date with the latest security updates. Sure it may be a pain to do, but a small investment in time now to ensure that you are keeping yourself protected will save a lot of time, and anxiety, later.