The KRACK attack: Is all Wi-Fi unsafe now? No, not really. But you’d better patch

Click to watch a video demonstration of the attack.

Belgian researcher Mathy Vanhoef announced some rather brilliant research on Monday which demonstrates that nearly all Wi-Fi in use today can be hacked. The tool for scrambling data as it’s transmitted wirelessly between your gadgets and routers, called WPA2, can be tricked into coughing up the secrets needed to unscramble it, he found.  Because the flaw is fundamental to the protocol, just about everyone and everything around the planet is exposed to the attack.

The Department of Homeland Security issued a warning about this so-caled KRACK attack on Monday. So this is serious. If your device uses Wi-Fi, it’s vulnerable.

But don’t panic.

First, a criminal who wanted to exploit this flaw would have to be in physical range of the wireless network, so that limits its practical use. Second, according to the Wi-Fi Alliance, there is no evidence the vulnerability is being used maliciously. But most important, for most consumers, security can be restored through a software update to their computers and phones.  It’s worth checking to see if your Wi-Fi router has a security update, but it’s not necessary.  According to Vanhoef, it’s not even necessary to change your router password (though, after you install any patch, that’s not a bad idea).

Critically, that also means you don’t have to avoid all public Wi-Fi, as some have suggested — though it wouldn’t hurt to stick with your mobile network and skip Wi-Fi if  you are an Android phone user, for now.  One flavor of the attack is substantially easier to exploit on Android and Linux devices, the researchers say.

The flaw comes from the way the routers and the gadgets talk, so you can protect yourself by updating your gadget. Of course, it’s always a good idea to be judicious when using public Wi-Fi — to avoid security-sensitive tasks like online banking, to use secure sites (signaled by https in the web address) or use a VPN for extra security.  It’s also worth looking around your coffee shop to see if anyone seems to be doing anything suspicious. But, at the moment, the skills needed to pull off such an attack are elite, so the risks posed are still low.

“For ordinary home users, your priority should be updating clients such as laptops and smartphones,” the researches say.

Bottom line for you: If you’ve been postponing software updates, stop what you are doing and restart your gadget to install any new security patches. Microsoft told The Verge that it has already patched against KRACK, so Windows users who install the latest update are safe. Google is still working on a patch for Android devices, The Verge said.   The status of any patch from Apple for iOS laptops and phones was not immediately available.

Enterprises might have a bit more to fear, as they have much more to lose. A criminal using KRACK could theoretically sit in a parking lot outside a retailer and hop on a Wi-Fi network to download a stream of credit card numbers. Doing so would be worth the investment of time.  And while even the researchers concede in their paper that some attack scenarios seem “impractical,” tools to weaponize the attack are certain to follow.  So IT workers should actively seek out router patches.  Recall the recent Equifax incident: CEO Richard Smith would still have his job today if his firm hadn’t waited month to install a critical security update.

The Department of Homeland Security’s Computer Emergency Response Team has a comprehensive list of impacted vendors here. 

AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.


About Bob Sullivan 1327 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

2 Comments

  1. ” CEO Richard Smith would still have his job today if his firm hadn’t waited month ” [a month, months] Proofing your own work is hard and I’ve yet to see a ‘smart’ word processor that actually is. You’re doing excellent work. As far as even approaching the quagmire that is power politics you’ve earned my admiration for…not doing so, despite what is probably a nearly-overwhelming temptation.

1 Trackback / Pingback

  1. Security newsround: November 2017 - BH Consulting

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.