This story broke in the press on Monday and is a serious breach of the WPA-2 Wi-Fi protocol (named KRACK) that secures your connections to Wi-Fi networks. It affects the majority of vendor’s equipment and when you start to think about the number of devices that have Wi-Fi then you will start to appreciate the scale of the problem.
Are you at risk?
Just to avoid the usual scaremongering and apocalyptic predictions that surround these types of events, let’s be clear on what someone with malicious intent can and can’t do using the attack.
The attacker needs to be in range of your Wi-Fi and can intercept some of the traffic between your device and your router. If traffic is encrypted properly using HTTPS, an attacker can’t look at this traffic and attackers can’t obtain your Wi-Fi password using this vulnerability. They can only look at your unencrypted traffic if they know what they’re doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same Wi-Fi network in a coffee shop or airport – you are exposed to what others on this network are doing.
Vendors have been aware of this vulnerability for a few weeks and quietly working on patches before the news hit the mainstream press. Microsoft have already released a patch in their October 10th security update for Windows but you would have done well to spot the reference to it as it was kept pretty vague.
The security flaws affects the 802.11r standard which is more commonly known as fast roaming that allows wireless devices to perform fast authentication when your device roams from one access point to another to prevent any serious network drop outs which is important for certain types of network traffic. If you are not using this then your exposure is greatly reduced but your devices should still be patched.
Here are some simple steps that you can take to protect yourself.
Update all the wireless things you own
As vendors release patches then your devices can be updated to prevent the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same network as the fix is backward compatible. A useful site that contains a database of vulnerable vendors can be found here https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4 but our advice is don’t wait – start contacting the vendors now.
You should update all your routers and Wi-Fi devices (laptops, phones, tablets etc) with the latest security patches. You should also turn on auto-updates for future vulnerabilities as this won’t be the last one. Microsoft Windows operating systems have become quite good at auto-updates but some devices (Android for example) unfortunately don’t receive a lot of updates and could continue to pose risks.
The key point is that both clients and routers need to be fixed against KRACK so you have a bit of work to do.
Your Wi-Fi Router
You MUST update your wi-fi router firmware with a version that includes a fix. If the router has been supplied by your ISP, ask the company when their branded kit will be patched. If they don’t have an answer, keep asking. We are already seeing vendors such as Cisco releasing patches for their equipment (eg Meraki) which is great but also seeing quotes from well-known home broadband suppliers saying it will take them a couple of weeks to release a patch – not so good.
You can make sure your router is up-to-date by browsing the web based administration panel. Find the user guide (google if you are struggling) for your ISP-branded router and follow the instructions to connect to the admin pages.
If your ISP is not quickly putting out a firmware update to fix KRACK, it may be time to consider switching your ISP. A less drastic option would be to buy a WiFi access point from a responsible company that has already issued a patch. Plug this patched WiFi access point into your ISP router and disable WiFi on your ISP router.
What about Internet-of-Things devices?
If you own a lot of IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same WiFi network —that could allow attackers to snoop on raw video footage inside your home. Not a good idea.
You will be surprised at the number of devices that have Wi-Fi in them that you may not even be aware of – music streaming devices, digital radios, TV’s, Smart devices such as heating controls or lighting controls, Blu Ray players, Games Consoles – the list goes on and on.
Take action accordingly — e.g. by pull the most risky devices off your network until their vendors issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network – that opens up another can of worms for those of you who have some It smart kids!
That said, the Internet of Things does not have a particularly good reputation just now when it comes to security. This could be a good moment to audit your connected device collection and consider replacing any WiFi device whose vendors don’t quickly issue a patch — they could pose some form of long term risk to your network.
Install the HTTPS Everywhere extension
One method of mitigating risk is to force your web browser to encypt all traffic where it can. The Electronic Frontier Foundation (EFF) EFF has released a browser extension called HTTPS Everywhere ( https://www.eff.org/https-everywhere ). If you’re using Google Chrome, Firefox or Opera, you should consider installing the extension. There’s no need to configure it, so anybody can do it. Unfortunately there is not an extension for Microsoft Internet Explorer or Microsoft Edge so maybe you should think about what your default browser is?
If a website offers unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted. But HTTPS Everywhere is better than nothing.
If all else fails?
Well you could switch off every electronic device you own and revert to what we did a few thousand years ago and move into a cave and live a simple life. I can see the attraction of this for a short break but leave me without a PC for more than a couple of weeks and I’d be getting severe withdrawal symptoms I think!