You may have heard about it in the news: earlier
this year, two researchers from the University of Leuven, Belgium, submitted their
research for review, exposing
a flaw in our WiFi security. They discovered a critical vulnerability, which they
dubbed KRACK, that affects the WPA2 security of ALL client WiFi devices. For
clarity, examples of client devices are your laptop, phone, tablet, e-reader,
etc.
Is this something you need to be concerned about?
The short answer is YES!
If you’re using any Android device, it is of particular
concern, because this attack executed on an Android-based client can result in a
complete breakdown of the device’s wireless security until this is patched. Fortunately,
the security patch is relatively simple, but you can expect manufacturers will
want to test it to make sure it doesn’t cause issues before releasing. Expect
to see big companies like Apple publishing it as beta (aka, not ready for
primetime) at first.
Devices such as WiFi access
points are at lower risk unless they also act as client devices themselves to
connect to other access points. Examples are wireless extenders and the new
“Mesh Network” devices such as Eero, Google WiFi, and Linksys Velop that connect
together to extend wireless access throughout your home. However, unless you’re
very tech-savvy, you may not be aware of a client capability your wireless
router has, and there is a long history of exploits against wireless routers.
Although less likely, it’s not impossible that a router could be attacked, have
its client capabilities enabled, and then be compromised. Therefore, please do
update if possible, or check that your ISP has done this for you if you are
one of the millions who rent a wireless router as part of your Internet
service.
Although sites such as banks and Google are
already HTTPS encrypted, the researchers warn that this was easily bypassed in
a “worrying number of situations”. The good news is, if you’re using a VPN such
as StrongVPN to encrypt all your Internet traffic, you’re safe from attack, because
all of your data is rendered unintelligible to prying eyes the entire time you
are connected to the VPN service.
Additionally, Mac and PC users do not need to be
concerned, because the WPA2 protocol was never properly implemented by either
Microsoft or Apple, which consequently made them immune to the attack, and
official patches are already available.
Should you update everything you own that connects
by Wi-Fi? In a word, yes. But since it may be very difficult to know
whether the manufacturer has updated your device automatically or whether it
must be done manually, we recommend connecting securely via a VPN
whenever you have the opportunity. This will make your life easier and take a
lot of worry off your mind.
It’s also important to know that this attack is
very sophisticated at the moment, and requires an attacker to be within radio
proximity, such as on free Wi-Fi in a coffee shop. But black hat hackers do not wait
to take advantage of vulnerabilities like this, and you can be sure a method
of simplifying this attack is in the works, aimed at those who are unknowingly
still vulnerable.
To find detailed information about the KRACK
vulnerability, be sure to visit the EFF post about it. For a list of updated
devices and those not yet updated, BLEEPINGCOMPUTER
is one site taking the lead on tracking this complicated issue.
Have a comment or question? Please give us your feedback in the comments section and do join in the discussion on Twitter @dougkrug, where you'll find us posting about the latest news in tech, IoT and smart home innovations.