Here’s what you can do to protect yourself from the KRACK WiFi vulnerability

Security News ThreatsCybercrime Uncategorized

Security researcher Mathy Vanhoef shared a serious vulnerability in the WPA2 encryption protocol. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected.

But first, let’s clarify what an attacker can and cannot do using the KRACK vulnerability. The attacker can intercept some of the traffic between your device and your router. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can just look at your traffic. It’s like sharing the same WiFi network in a coffee shop or airport.

The attacker needs to be in range of your WiFi network. They can’t attack you from miles and miles away. The attacker could also take control of a zombie computer near you, but this is already a much more sophisticated attack. That’s why companies should release patches as soon as possible because chances are most attackers just learned about this vulnerability today.

There’s at least a theoretical possibility that this vulnerability could be exploited by hackers to make it more scalable as an attack vector in future — thinking of, for example, how worms have been developed and released that spread from one insecure IoT device to another to build a zombie botnet. But currently this is not the case.

So here’s what to do now that the WPA2 protocol is vulnerable…

Update all the wireless things you own

Good news! Your devices can be updated to prevent the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same network as the fix is backward compatible.

So you should update all your routers and Wi-Fi devices (laptops, phones, tablets…) with the latest security patches. You can also consider turning on auto-updates for future vulnerabilities as this won’t be the last one. Modern operating systems have become quite good at auto-updates. Some devices (ahem Android) don’t receive a lot of updates and could continue to pose risks.

The key point is that both clients and routers need to be fixed against KRACK so there are lots of potential attack vectors to consider.

Look to your router

Your router’s firmware absolutely needs updating. If the router has been supplied by your ISP, ask the company when their branded kit will be patched. If they don’t have an answer, keep asking. You can make sure your router is up-to-date by browsing the administration panel. Find the user guide for your ISP-branded router and follow the instructions to connect to the admin pages.

If your ISP is not quickly putting out a firmware update to fix KRACK, it may be time to consider switching your ISP. A less drastic option would be to buy a WiFi access point from a responsible company that has already issued a patch. Plugging a WiFi access point into your ISP router and disabling WiFi on your ISP junk is a good alternative.

Here’s a list of some of the router makers that have already put out fixes (Ubiquiti, Microtik, Meraki, Aruba, FortiNet…).

Use Ethernet

If your router doesn’t yet have a fix, and you don’t have a patched WiFi access point that could be used for wireless instead, you could Ethernet into your router and turn off its wireless function until it’s patched (assuming WiFi can be disabled on your router). Turn off WiFi on your device as well so that you’re sure all traffic goes through that sweet Ethernet cable.

If you still want to keep WiFi for some devices, consider switching to Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use a ton of internet traffic from this computer, buy an Ethernet cable.

Consider using cellular data on your phone

Your phones and tablets don’t have an Ethernet port. If you want to make sure nobody is watching your traffic, disable WiFi on your device and use cellular data instead. This isn’t ideal if you live somewhere with a spotty network, pay extra for mobile data, or if you don’t trust your telecom provider.

Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack because of a bad implementation of the handshake mechanism in the WiFi stack. So Android users do need to be more careful.

What about Internet-of-Things devices?

If you own a lot of IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same WiFi network — well, that could allow attackers to snoop on raw video footage inside your home. Erk!

Take action accordingly — e.g. by pulling the most risky devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.

At the same time, if an attacker can intercept traffic between your smart lightbulbs and your router, it’s probably fine. What are they going to do with this information anyway? It’s fair to say that Edward Snowden wouldn’t want even info about how his lightbulbs are being turned on and off getting into the hands of a hacker, and with good reason. But most people aren’t at risk of such an extreme level of state-sponsored surveillance. So you should determine your own level of risk and act accordingly.

Tagged