Monday is the least favorite day of the week for a number of people, but yesterday’s news that the heart of Wi-Fi security — Wireless Protected Access II (WPA2) — had been compromised through a vulnerability called KRACK really made October 16, 2017 a lousy day. In this article, we’ll tell you what KRACK is, how it works, and how you can stay safe on Wi-Fi networks.
What is KRACK?
KRACK is a nickname for Key Reinstallation Attack, a method that hackers can use to attack a Wi-Fi network to eavesdrop on any network traffic between an access point and a device.
Up to this point, most Wi-Fi users have assumed that using WPA2 as the encryption of choice on a network and sticking to websites using encryption (that is, using the https protocol) would keep their data secure and safe. KRACK is a somewhat brute force method of making a Wi-Fi network give up its encryption key, giving a hacker a method of then viewing all traffic from a device, including user names, passwords, credit card numbers, personal photos, etc…
Below is a short video from Mathy Vanhoef, who discovered the vulnerability. It shows just how easy it is to perform a Key Reinstallation Attack and then steal user names and passwords. Note that although the title is “Bypassing WPA2 against Android and Linux”, all operating systems are susceptible to the methodology:
How Are Companies Responding to KRACK?
Vanhoef made the vulnerability known to operating system developers prior to the public release of information so that they’d have time to begin preparing countermeasures.
Almost immediately, Microsoft released an update for Windows, and Google noted that it will have an update for its Pixel devices next month (there’s no word on whether or not they’re working on a patch for Android…). Apple announced yesterday afternoon that a patch for KRACK is already in developer beta versions of its operating systems that were made available today. Those OS updates should be rolled out to consumers soon, and this is one case where it is very important for Apple users to perform the updates as soon as they are available.
What About Wi-Fi Access Points?
Since the attack is made between Wi-Fi access points and devices, shouldn’t Wi-Fi access points be updated as well? At this point, most major router manufacturers are working on patches that should fix the problem. However, it’s rather rare for most computer users to update their access points on a regular basis, so unless manufacturers are able to get the word out to users on how to perform a patch, it’s unlikely that most users will actually do so.
Apple’s AirPort routers can notify users of incoming updates through the AirPort Utility, so if Apple decides to update the devices, users will get notification. The process of updating an AirPort is also quite simple and fast; once Apple sends out an update, the AirPort can literally be protected within a minute or two.
How Can We Stay Safe From KRACK While Waiting For Updates?
There’s one good thing about KRACK — it requires that the attacker have close physical proximity to the Wi-Fi network being compromised. That means that those who can only see their Wi-Fi access point in the list of available networks are pretty safe.
In many modern neighborhoods and especially in apartment complexes, it’s possible to see dozens of Wi-Fi access points in the available networks list. That means that any of those networks could potentially host an attacker who can see your network… but fortunately fixing the problem on the client side (your electronic devices) ensures that they can’t be attacked.
Until the updates to macOS, iOS, watchOS and tvOS arrive, there are some simple measures that can help. First, stay off of public networks as much as possible. Next, although it’s not a failsafe, make sure that you’re only visiting websites like the Rocket Yard that utilize https encryption to add another layer of protection.
Third, if there’s any way that you can use a wired Ethernet connection, that eliminates the attack altogether. Finally, consider using a Virtual Private Network (VPN) to further encrypt your online communications. VPNs create an encrypted “tunnel” between your devices and websites, making it more difficult for a hacker to try an attack.
The Rocket Yard will let you know when Apple releases the updates that fix the KRACK vulnerability. In the meantime, stay safe out there.