For routers, printers and other “Internet of things” devices, you may have to sign into the device to manually update its “firmware.” For routers, you can contact your Internet service provider for help if you are unsure how to update. You may need to consult the manual of other devices or ask for external help by contacting a local professional IT service like Brainbox IT (for Sydneysiders only).
A few days ago Mathy Vanhoef and Frank Piessens from the department of computer science of KU LEUVEN, a Belgium University, found a major security flaw in the protocol used by most modern devices to connect to the Wi-Fi, the WPA2 protocol. According to statistics by Wigle.net, it secures 60% of the world’s Wi-Fi networks.
The vulnerability called KRACKs (Key Reinstallation AttaCKs) affects every device using WPA2 encryption and could allow nearby attackers to intercept and steal data transmitted across a Wi-Fi network. This weakness can be exploited by attackers to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and more.
By performing a novel type of attack against the 4-way handshake of the WPA2 protocol, Mathy found a way to get around the security offered by the WPA2 protocol. Whenever someone joins a Wi-Fi network, a 4-way handshake is executed to produce a fresh encryption key for all subsequent traffic. To guarantee security, a key should be installed and used only once. But by using the key reinstallation attack (KRACK), an attacker can trick a victim into reinstalling an already-in-use key allowing them to gain access to the local area network (LAN) side of your network and from there, being able to use all sort of tricks to steal data, spy on communications or even inject ransomeware and malware onto devices. Once inside the LAN, the options to do bad things are overwhelmingly large.
While all devices using WPA2 are affected, some devices were described as being “trivial” to exploit with the attack being “especially catastrophic” against wpa_supplicant version 2.4 and above, a Wi-Fi client commonly used on Linux and Android 6.0 and above. As it affects the Wi-Fi standard itself not individual products or implementations, any correct implementation of WPA2 is likely affected.
Products that are known to be affected by this at this time include Android, Linux, Apple, Microsoft Windows, Linksys and more. The list of affected vendors is enormous, and vendors including Amazon, Cisco and Netgear are currently working hard to release patches to fix this issue. BleepingComputer has compiled a running list of vendors that will be growing over time as more information about patches becomes available.
What to Do About the WPA2 Vulnerability
If your device uses public Wi-Fi, you are at higher risk. The vendors that make your products are working on patches which they will release in the coming days. As they release the patches, you will need to update your devices. The good news is that this vulnerability does not require you to replace any hardware. It is fixable through a software update.
The devices and hardware you will need to update, once patches are released, include the following:
- Desktop workstations
- Laptops/notebooks
- Mobile phones
- Tablets and e-readers that use Wi-Fi
- Home and office routers
- Home devices like NEST, Amazon Echo and Google Home
- Printers, both home and office, that use Wi-Fi
- Any other device that uses Wi-Fi
You should prioritize devices that use public Wi-Fi higher than your other devices. This puts mobile phones and tablets at the top of the list.
How to Stay on Top of Updates
Your desktop computer, mobile and tablet devices will prompt you when an important security update is available. Many might be applying the updates automatically. Most devices also provide an option to manually check for updates. We recommend you do that periodically this week so that you catch any updates as soon as they are released.
For routers, printers and other “Internet of things” devices, you may have to sign into the device to manually update its “firmware.” For routers, you can contact your Internet service provider for help if you are unsure how to update. You may need to consult the manual of other devices or ask for external help by contacting a local professional IT service like Brainbox IT (for Sydneysiders only).
Other alternatives are:
- Use mobile data: When possible, use the mobile data of your phone or tablet instead of Wi-Fi in order to make sure you are safe. This is only during the next few weeks while the necessary updates are released and implemented.
- Use Ethernet: When possible, is a good a idea to connect your computer to your network via Ethernet cable (CAT5 or CAT6). This is not only for protection but also for performance, as wired communications are much faster than the wireless ones.
- Install the HTPPS Everywhere extension: Although we normally do not recommend installing extensions onto the web browser, this one seems to be particularly convenient in this case. If you use Chrome, Firefox or Opera, you could install this neat extension by EFF. It does not require configuration so anyone could do it. This extension would force web traffic through the https protocol (encrypted) in cases where the two options are available (http and https).
- Isolate your Wi-Fi Signal: Anyone who want to attack a Wi-Fi network has to be necessarily within its range. Therefore, a good way to protect yourself is isolating your Wi-Fi signal so no one outside your premises can reach it. This sound like a convenient way to avoid this attack but because of its nature, it might result quite expensive as you would need to either move to a high floor level building or hire an electrician and a constructor to strategically position the router and provide isolation to the walls. Probably not a smart idea as this risk will eventually fade off.