It seems Wi-Fi is everywhere these days, except when you MUST view the new Star Wars trailer for the 30th time in order to unleash its hidden mysteries while waiting to board a flight from Cleveland and standing on the airline gangway.
Users of seemingly everywhere Wi-Fi, free or otherwise, take note: a new flaw unearthed last week has the potential to open you and, more significantly, large business enterprise networks to data hacking on a massive scale.
According to yesterday’s Wall Street Journal:
A bug in the software used to connect the world’s wireless devices could give hackers a new way to snoop on Wi-Fi traffic, sending device manufacturers scrambling to release patches.
Cryptographers said the Wi-Fi flaw, reported Monday by a security researcher, is the most significant to have been discovered in years. It is likely, though, to have a larger effect on big corporations than consumers.
Apparently, this new nefarious weapon can clone a wireless network that resets encryption keys insecurely, opening up data previously encrypted via Wi-Fi Protected Access II (WPA2), the latest Wi-Fi security protocol, which superseded the legacy Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). Once it’s opened up, “hackers could view passwords or other sensitive information sent over the network,” said Mathy Vanhoef, the researcher at the University of Leuven in Leuven, Belgium, who discovered the flaw. “Depending on the network configuration, it is also possible to inject and manipulate data.” He presented the technique, which he calls a Key Reinstallation Attack, or KRACK, on a website he set up to explain the issue.
A related WSJ report the same day noted further details. The research was expected to be disclosed 8am Monday, EST. US CERT, the Department of Homeland Security’s United States Computer Emergency Readiness Team, has sent an advisory on the research to about 100 organizations, according to Ars:
It works by exploiting a four-way handshake that’s used to establish a key for encrypting traffic
Who Is Affected?
As noted by Vanhoef:
- “The attack works against all modern protected Wi-Fi networks.”
- “The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.” (emphasis ours)
How to Protect Yourself
We spoke to our Information Security Manager, Jeremy Swee, who said the best ways to protect yourself involve doing the following:
- The age-old adage still holds true for KRACK: keep your software and devices updated!
- Lower the opportunities for a successful Wi-Fi-based attack by adjusting your default Wi-Fi signal strength down. This will avoid spillage into public areas.
- We have been saying this for years: don’t use public Wi-Fi access points. It mitigates against much more than KRACK!
- Use an always-on VPN from a trusted provider.
- Use HTTPS whenever possible to prevent snooping.
Vanhoef’s website has a pretty great FAQ section, if you want more details, but to summarize you should:
- Update all of your Wi-Fi-enabled devices.
- Update the firmware on your router.
- It’s also suggested that after you do both of the above, you update your Wi-Fi password, but you should know that changing that password alone doesn’t prevent the attack or protect you from the vulnerability.
- Microsoft’s October 10th update included a fix for the issue.
- As of this writing, Google is still working on the issue, saying in a statement to BleepingComputer, "We're aware of the issue, and we will be patching any affected devices in the coming weeks."
- Apple has rolled out patches to iOS, tvOS, watchOS and macOS betas, with intentions to roll out to consumers soon.
As patches continue to be rolled out and everyone works on updating their devices, we suggest following the WSJ’s advice, which is the same advice that applies to any Wi-Fi connection you join. “The safest policy, until there is a fix, is that you should treat all Wi-Fi connections the same way you would a public Wi-Fi network at a coffee shop: that is, only access sites and use applications that use secure connections (e.g. HTTPS), especially when viewing or entering sensitive information,” said Shuman Ghosemajumder, CTO of Shape Security, as relayed to CIO Journal in an email. “Any unsecured resources available to all users of the network should also be immediately secured.”