News of a new vulnerability surfaced this week in an issue that will affect ALL users that access the internet using WiFi, whether on your laptop, desktop, tablet, phone, etc. The vulnerability, named KRACK, is a weakness identified in the WPA2 protocol which, until now, has been deemed virtually bulletproof. The WPA2 wireless protocol is configured on nearly every single home wireless device and a vast majority of small and medium business wireless devices.
The vulnerability allows hackers unauthorized access to your network without the WiFi password and can allow strangers to eavesdrop on your wireless connection, obtain passwords, credit card info, etc. Now, with that said, as long as you’re accessing secure websites (i.e. those that show https:// in the URL) your information should be safe.
The good news is that the hacker needs to be physically close to the wireless network that you’re using to exploit the vulnerability. Thus, public WiFi is inherently more dangerous than your home’s wireless. The bad news is that virtually every single WiFi device that you have is using WPA2 to secure your connection. Thus, everyone needs to pay attention to this problem.
This is mostly a client-side attack, meaning that it’s most important to update your wireless endpoints than your wireless router. Thus, keep Windows and Mac OS X updated on your laptop/desktop; download/apply updates on Android phones and iPhones, iPads and other tablets as well as readers such as Kindles. While all of these endpoint makers are scurrying to update their software, manufacturers of wireless routers and access points are in the process of pushing out updates, many of which must be manually applied. Check the BleepingComputer link for updates on your equipment.
How to Protect Yourself:
The best way to protect yourself is not breaking news, as we’ve heard this for years: make sure that you install all updates and security patches on all of your devices. Many manufacturers have already pushed out patches. In fact, Windows was patched in Microsoft’s October 10th Patch Tuesday release. Other devices are reliant on their manufacturer’s software release schedules. For a list of updates by major manufacturers, take a look at BleepingComputer’s list.
Other steps you can take:
- Avoid public WiFi at all costs: this is nothing new, but it is even more imperative with the KRACK vulnerability. I have not used public WiFi for years, opting instead to use my Verizon hotspot. Public WiFi includes coffee shops, hotels, free municipal WiFi, etc.
- Only connect to secure sites: as discussed above, avoid sites that begin with http:// and NEVER EVER enter your credit card info, social security numbers, passwords or any other sensitive information on websites that are not secure. And if you encounter a website that shows a red slash through
https://, close the page and check back later.
- Continue using the WPA2 wireless security protocol: despite the vulnerability, it’s still the safest security profile for home and small business users and should be patched very quickly.
- Use a wired connection if you can: if your wireless router or switch is accessible and you can connect you laptop via ethernet cable, do this until the WPA2 protocol is fixed. Devices that are connected via ethernet are not susceptible to this problem. This is not always convenient, but it’s better to be safe than sorry.
- Use a VPN if possible: if you absolutely must use public WiFi, connect to your workplace using a VPN and send all of your internet traffic through the secure tunnel.
- Changing your WiFi password will not help, unless your password is weak to begin with. In the case of a weak password, strengthening that is never a bad idea.
Updating your wireless router’s firmware is not a simple task, so contact me or your network administrator for assistance in installing these updates.
In summary, there’s really nothing new here needed to protect yourself as long as you’re keeping your systems/devices updated, avoiding public WiFi, only accessing sensitive information on secure (https://) sites, etc. As long as you remain vigilant and get to know your technology a little better, you should be able to safely navigate the world wide jungle.
Stay safe out there!
Please feel free to pass this along to friends and co-workers.
For more information, please link to my sources for this article:
CNET Article: Steps to Take:
Hardware Vendor Updates: