[KRACK] Your Encrypted WiFi Just Got Decrypted
The encryption protocol used by virtually every WiFi-enabled device on Earth has been cracked by a Belgian security researcher. It’s a huge problem for every maker of routers, PCs, smartphones, IoT devices, and more. But should you panic? Read on for the scoop...
WPA2 Cracked - What it Means For You
Mathy Vanhoef, a security expert at KU Leuven university, discovered the vulnerability in August and published it on October 16, 2017. He fittingly calls this vulnerability KRACK - Key Reinstallation AttaCK. In his report, Vanhoef says,
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
Well, yes, it could - if WPA2 is the only form of encryption you’re using. But if your bank or e-commerce site uses HTTPS encryption, or if you use a VPN (Virtual Private Network), then eavesdroppers would still be stymied. Most financial and shopping sites use HTTPS today. For that matter, a majority of popular sites use HTTPS now.
Always check for the padlock icon and/or the presence of "https" in your browser’s address bar. Remote access software such as LogMeIn uses the SSH (Secure Shell) encryption protocol, so that avenue of attack is also shut off even if a network is compromised by KRACK.
A WiFi network whose WPA2 encryption is compromised by KRACK is vulnerable to invasion. That means a hacker could conceivably infiltrate every PC, phone, smart TV, media server, etc., on your home network. But that’s a relatively small risk, too, because a) the attacker must be within “close proximity” to your router, and b) your home WiFI network is probably not considered to be a valuable target.
Who Is Vulnerable to KRACK?
Keep in mind the KRACK vulnerability is only an issue for WiFi connections. If you have a high-speed Internet connection at home, and your computer is connected to the router with a wire, you're not affected. Even if you're using WiFi to connect at home, and there's nobody within a couple hundred feet of your router, you're safe.
“Small businesses and people at home should be concerned, but not too worried,” says Candid Wuest, a security researcher at Symantec. Just keep all of your devices’ firmware updated as much as you can, avoid sites that don’t use HTTPS, and it’s unlikely you’ll be affected via the KRACK vulnerability.
But the makers of devices and operating systems that employ WPA2 have a headache that won’t go away until KRACK is patched. The exploit is complicated so it will take some time to come up with a patch. Then it must be distributed to billions of devices that are not updated very often.
Patching the KRACK -- Microsoft released patches on October 16th for Windows 7, 8 and 10 users. Unless you've turned off automatic Windows Update processing, you'll be safe on those platforms (but not if you're still using Windows XP or Vista). Apple is releasing a patch for Mac OS X and iOS (iPhone and iPad) devices "in a few weeks." Google will be pushing out a fix for Pixel smartphones that run Android.
But most other Android devices are updated at the whims of device manufacturers who are generally lackadaisical about it. It takes an average of 18 months for a new release of Android to reach most smartphones, for example. That timeframe is partly due to device makers’ need to customize Android to their liking, but it’s also due to general indifference. There’s no telling when or if existing devices will see a KRACK patch. One can only hope that phone makers and mobile service providers will treat this as a priority.
My advice for now is to “keep calm and carry on.” Install all security updates as they become available, or better yet, enable automatic updates wherever possible. Pay attention to the address bar of your browser. Whenever possible, use websites that offer SSL encryption (the web address will start with HTTPS, or you'll see a padlock icon in the address bar.)
The HTTPS prefix on web page addresses isn't a deal-breaker if you're just reading the news, playing a game, or grabbing an apple pie recipe. But it's essential when using websites that require or display any personal information, such as your email, password, phone, address, credit card, social security number, banking information, etc.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Oct 2017
|For Fun: Buy Bob a Snickers.|
Time to Switch From Yahoo to Gmail?
The Top Twenty
Security (and other) Improvements in Google Chrome
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [KRACK] Your Encrypted WiFi Just Got Decrypted (Posted: 17 Oct 2017)
Copyright © 2005 - Bob Rankin - All Rights Reserved