Wi-fi KRACKED, what now?

When I started thinking about this column last week, today’s topic wasn’t even on the radar. But by now you may have heard of a newly disclosed major security vulnerability called “KRACK,” for Key Reinstallation AttaCK. KRACK compromises WPA2, the current protocol of choice for the vast majority of Wi-Fi security. Bad guys exploiting the KRACK flaw can impersonate YOUR Wi-fi network and then intercept (i.e. steal) its data in what’s known as a “man in the middle” attack. As that man in the middle, they could also drop malware code into Website visits, since they can sit between you and the Internet. Nearly everything that uses WPA2 is potentially affected – and again, that’s MOST Wi-fi; so this is a BIG DEAL and a significant threat to network and data security.

The flaw is in the WPA2 standard, so it’s present across every device using Wi-Fi, regardless of vendor, platform, price, etc. Android and Linux devices may be more exposed because of the way they re-use WPA2 encryption keys. Macs, Windows PCs and iOS devices are affected, though to a lesser degree. Routers and firewalls with built-in wi-fi will require patching.

So, how to avoid getting whacked by KRACK?

First, understand that to exploit this, the bad guy has to be within wi-fi range (300 feet or so from their target), and even then, it takes some effort and some knowledge. So it’s not as though every vulnerable device can be hacked and compromised all at once. Yes, this is a BIG concern, but it’s not quite panic button time.

If you can hook up a device that usually connects over wi-fi (like a laptop) to a wired network connection, do it. No wi-fi in use, no problem. We’ve always said that when a wire is available, it’s better to use it for speed, reliability and security. This is one good reason why.

Don’t use public wi-fi. Ever. Even before KRACK, we advised against public wi-fi whenever and wherever there’s an alternative. It wasn’t ever safe; it’s less safe now.

For mobile devices like phones and tablets, turn off wi-fi and use your cellular data connection instead, if you have one.

If you must use wi-fi, use a VPN if available, and only visit Websites using https://, which will secure information from prying eyes.

Upgrade your wi-fi-using devices once patches are available and keep your devices updated regularly thereafter. Fortunately, KRACK was known to security researchers back in July and they shared their findings with many computer companies. Those firms had a lead in creating patches before KRACK was made known to the public. Microsoft’s monthly patching for October already included a security patch for this flaw.

Routers and firewalls with built-in WAPs (Wireless Access Points for wi-fi) are a significant potential target. Update your router or firewall’s firmware once it’s available. Know that patches are not yet available for every make and model in the computing universe. And older models, products from defunct companies, and products out of maintenance/support might not ever receive a patch. In that case, you may keep using the device and take your chances (NOT recommended, as though we even need to say that), or… turn it off and go without Wi-fi, or… get a different device to provide the Wi-fi service.

If you’re a CDS client, and we’re aware that you have wi-fi, we’re already at work on reviewing and remediating your potential issues. Our response priorities will be driven mostly by the availability of vendor-provided patches. If it looks as though you have devices that won’t have a corrective update issued, we’ll let you know and can discuss alternatives. Client or not, if you’re concerned about the potential exposure of your business’ Wi-fi to the KRACK exploit, please contact us; we’d be happy to talk.

