Information Security

KRACK WiFi Vulnerability

What is KRACK?

On October 16, 2017, news outlets started reporting that WiFi security was broken. Researchers had found a flaw in the security of the WiFi protocol itself, and named the exploit "KRACK" - an acronym for Key Reinstallation AttaCK.

What makes this vulnerability a big deal is that almost every device that talks WiFi - your iPhone, laptop, home router, XBox, Echo Dot, SmartTV, Internet-connected talking teddy-bear - has a flaw that can let a nearby attacker take over or disrupt your WiFi network session.

This is not one issue or one vendor's problem. It is actually a set of nine different vulnerabilities that can be exploited, all based on the same flaw in the underlying WiFi protocol that almost every WiFi device uses. At the time of the bug's announcement, only three vendors (Arista, Mikrotik, and VMWare) were proven immune to all nine issues, out of the 147 major worldwide vendors with a WiFi product.

How Bad Is It Really?

There's good news and bad news. It is definitely not the "end of WiFi" as one normally sensible tech site stated.

The attack is quite hard to execute, and requires the attacker to be physically close to the target network. Any network traffic to secure sites like Gmail or your banking site is encrypted from the browser to the server (using HTTPS), so gaining access to the WiFi network stream will not reveal that information.

However, you cannot just ignore this. The number of vulnerable devices is huge, which means more sophisticated attempts to exploit this vulnerability will definitely appear in the near future. Even if you do not lose any data, you may have your network sessions disrupted, or your WiFi network hijacked for illegal purposes.

What do I do?

  • Don't panic
  • Avoid all public WiFi for the time being, until patches are more widely available
  • Ensure the websites you use are encrypted - shown by a padlock icon, or a website address starting with https://. You might find the HTTPS Everywhere extension for Chrome or Firefox useful to prioritize encrypted access if a site offers both.
  • Update your daily-use WiFi devices (laptop, phone, smartwatch, WiFi router, WiFi hotspot) as soon as patches become available
    • Android users may need to put pressure on their carrier to release the Google-supplied security patches in a timely manner
    • If your WiFi router is supplied by your ISP, you may need to call them and put pressure on them to release updated software.
  • Consider your Internet Of Things devices - can you get an update for your WiFi security camera? It may not be safe to leave on the network until it is patched.
  • If you need to process secure data, consider using a wired connection on a laptop, or cellular data on a phone.

Vendor Status and Patches

Vendor                        Status     Software Update
----------------------------  ---------  ------------------------------------------------------------------
Apple - iPhone, iPad, Watch   Affected   Will be fixed in next iOS/watchOS software update (no date supplied)
Apple - Mac                   Affected   Will be fixed in next macOS software update (no date supplied; not confirmed if fix will be available for Sierra)
Android                       Affected   Fix in Security Update release November 6 (for Android 6.0+)
Microsoft - Windows           Affected   Fix available now in security update bundle; will be pushed to SCU PCs on 10/26
Linux                         Affected   Fix available now for Debian, Ubuntu, RedHat, Generic
Amazon - Echo, Kindle         Affected   Under review; will issue patches when available
Netgear                       Affected   Fix available now for many products
Linksys/Belkin                Affected   Planning to publish product update details on their webpage

List last updated 16 October 2017