[KRACK] Your Encrypted WiFi Just Got Decrypted
The encryption protocol used by virtually every WiFi-enabled device on Earth has been cracked by a Belgian security researcher. It’s a huge problem for every maker of routers, PCs, smartphones, IoT devices, and more. But should you panic? Read on for the scoop... |
WPA2 Cracked - What it Means For You
Mathy Vanhoef, a security expert at KU Leuven university, discovered the vulnerability in August and published it on October 16, 2017. He fittingly calls this vulnerability KRACK - Key Reinstallation AttaCK. In his report, Vanhoef says,
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
Well, yes, it could - if WPA2 is the only form of encryption you’re using. But if your bank or e-commerce site uses HTTPS encryption, or if you use a VPN (Virtual Private Network), then eavesdroppers would still be stymied. Most financial and shopping sites use HTTPS today. For that matter, a majority of popular sites use HTTPS now.
Always check for the padlock icon and/or the presence of "https" in your browser’s address bar. Remote access software such as LogMeIn uses the SSH (Secure Shell) encryption protocol, so that avenue of attack is also shut off even if a network is compromised by KRACK.
A WiFi network whose WPA2 encryption is compromised by KRACK is vulnerable to invasion. That means a hacker could conceivably infiltrate every PC, phone, smart TV, media server, etc., on your home network. But that’s a relatively small risk, too, because a) the attacker must be within “close proximity” to your router, and b) your home WiFI network is probably not considered to be a valuable target.
Who Is Vulnerable to KRACK?
Keep in mind the KRACK vulnerability is only an issue for WiFi connections. If you have a high-speed Internet connection at home, and your computer is connected to the router with a wire, you're not affected. Even if you're using WiFi to connect at home, and there's nobody within a couple hundred feet of your router, you're safe.
“Small businesses and people at home should be concerned, but not too worried,” says Candid Wuest, a security researcher at Symantec. Just keep all of your devices’ firmware updated as much as you can, avoid sites that don’t use HTTPS, and it’s unlikely you’ll be affected via the KRACK vulnerability.
But the makers of devices and operating systems that employ WPA2 have a headache that won’t go away until KRACK is patched. The exploit is complicated so it will take some time to come up with a patch. Then it must be distributed to billions of devices that are not updated very often.
Patching the KRACK -- Microsoft released patches on October 16th for Windows 7, 8 and 10 users. Unless you've turned off automatic Windows Update processing, you'll be safe on those platforms (but not if you're still using Windows XP or Vista). Apple is releasing a patch for Mac OS X and iOS (iPhone and iPad) devices "in a few weeks." Google will be pushing out a fix for Pixel smartphones that run Android.
But most other Android devices are updated at the whims of device manufacturers who are generally lackadaisical about it. It takes an average of 18 months for a new release of Android to reach most smartphones, for example. That timeframe is partly due to device makers’ need to customize Android to their liking, but it’s also due to general indifference. There’s no telling when or if existing devices will see a KRACK patch. One can only hope that phone makers and mobile service providers will treat this as a priority.
My advice for now is to “keep calm and carry on.” Install all security updates as they become available, or better yet, enable automatic updates wherever possible. Pay attention to the address bar of your browser. Whenever possible, use websites that offer SSL encryption (the web address will start with HTTPS, or you'll see a padlock icon in the address bar.)
The HTTPS prefix on web page addresses isn't a deal-breaker if you're just reading the news, playing a game, or grabbing an apple pie recipe. But it's essential when using websites that require or display any personal information, such as your email, password, phone, address, credit card, social security number, banking information, etc.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Oct 2017
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Time to Switch From Yahoo to Gmail? |
The Top Twenty |
Next Article: Security (and other) Improvements in Google Chrome |
 |
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- [KRACK] Your Encrypted WiFi Just Got Decrypted (Posted: 17 Oct 2017)
Source: https://askbobrankin.com/krack_your_encrypted_wifi_just_got_decrypted.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "[KRACK] Your Encrypted WiFi Just Got Decrypted"
Posted by:
Sarah L
17 Oct 2017
Okay, keep calm about home router. What about the network at my public library? Safe as long as no one who knows how to work the KRACK vulnerability is at the library? Thanks for an article in a calm tone.
Posted by:
Dr. Sheldon Cooper
17 Oct 2017
Just in case your are wondering if both WPA2 Personal and Enterprise are affected, this is from the link Bob provided: "...the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES."
Posted by:
Sam
17 Oct 2017
Thanks Bob for informing us.
Does Krack also allow an attacker to find out my wifi password or otherwise let him use my internet connection without my knowledge?
If so that'd be another headache to deal with...
Posted by:
Jonathan
17 Oct 2017
Thanks Bob for calmly explaining ... I must say the title got me over to the site to read this article immediately!
As to Sarah's comment, if I have read this article correctly you'd be OK at the library (et al) as long as you use sites with a padlock and/or https: for anything you wouldn't want "out there".
Or as OK as you've ever been, because using any public system has it's own "risks". Which of course Bob has explained in other articles.
Posted by:
Aki
17 Oct 2017
Another reason to use VPN whenever possible.
Posted by:
Brian L
17 Oct 2017
I always use a free VPN called Jailbreak VPN on my laptop on home wifi and on my cellphone at home on wifi or on any public wifi. I have used Jailbreak VPN for close to a year now at home and away with no issues whatsoever. Check it out. Free piece of mind! www.jailbreakVPN.com
Posted by:
David
17 Oct 2017
There are several browser add-ons that force HTTPS.
Posted by:
SharonH
17 Oct 2017
I remember when the Internet used to be fun. Now almost every month there are more warnings about hackers (some who have done HUGE damage), spammers, phishers etc. Really says something about human nature.
Posted by:
Mat
17 Oct 2017
Thanks Bob...this is the FIRST article that I read about KRACK (and I have read a bunch of them) that explains the part about being safe if your router is connected by a wire.
I have updated it anyways, but now I know I'm a lot safer.
Posted by:
Bobby
17 Oct 2017
Hi Bob,
The Voting machines in America!
Could they have been hacked in every State, by people in the State?
Is this what all the "Russian" thing is about!
Posted by:
Paul S
17 Oct 2017
For those readers with a sustained interest in security issues consider a RSS feed from krebsonsecurity.com. Brian Krebs explains issues quite well (former journalist) and keeps on top of matters of importance. I suspect Bob Rankin is a regular reader.
Posted by:
Kenneth Heikkila
17 Oct 2017
One reason I don't mind paying a bit extra for an iPhone, though I won't pay more for a MAC for the same reason- MS seems to be the first to patch most exploits:
"But most other Android devices are updated at the whims of device manufacturers who are generally lackadaisical about it. It takes an average of 18 months for a new release of Android to reach most smartphones, for example. That timeframe is partly due to device makers’ need to customize Android to their liking, but it’s also due to general indifference. There’s no telling when or if existing devices will see a KRACK patch. One can only hope that phone makers and mobile service providers will treat this as a priority."
Posted by:
Lady Fitzgerald
17 Oct 2017
The article stated that the Windows patches were released on the 16th. Actually, they were released on the 10th.
Posted by:
MikieB
17 Oct 2017
Lots of people are within 90 to 100 feet from my router, but they are going past at 55 mph or more. Do you think that I'm in danger? Yes, living in the country does have some benefits.
Posted by:
Gina
17 Oct 2017
WPA2 and VPN here. If anyone is using the Opera browser (lite version of Chrome), it has a built in VPN but you must actively activate it.
Posted by:
Donna
18 Oct 2017
Thank you SO very much Bob for keeping us up to date and keeping us readers safe when using our technical devices on the internet!
Posted by:
PeteFior
18 Oct 2017
The excellent Opera browser provides a free optional VPN service that I highly recommend. Download the latest version of Opera and enable VPN in the Privacy and security section of the Settings menu. I have been using this feature for a few months now with no issues - essential for all banking and financial transactions!