Security researcher Mathy Vanhoef has disclosed a serious vulnerability in the WPA2 encryption protocol. Most devices and routers currently rely on WPA2 to encrypt your Wi-Fi traffic, so chances are high you’re affected.
But before any discussion, let’s clarify what an attacker can and cannot do using the KRACK Wi-Fi vulnerability. The attacker can intercept some of the traffic between your device and your router. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can only monitor your traffic. It’s like sharing the same Wi-Fi network in a coffee shop or airport.
The attacker needs to be in range of your Wi-Fi network to monitor it. They can’t attack you from miles and miles away. The attacker could also take control of a zombie computer near you, but this is already a much more sophisticated attack. That’s why companies should release patches as soon as possible, because chances are most attackers just learned about this vulnerability today.
There is at least an academic possibility that hackers could make this vulnerability more scalable as an attack vector in the future. Think, for example, of how worms have been designed, developed, and released that spread from one insecure IoT device to another to build a zombie botnet. But currently this is not the case.
So here’s what to do now that the WPA2 protocol is vulnerable.
Update the Wireless Devices You Own
Good news! Your devices can be updated to thwart the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same wireless network as the fix is backward compatible.
So you should always keep all your routers and Wi-Fi devices (laptops, phones, tablets, etc.) updated with the latest wireless security patches. You can also consider turning on auto-updates for future vulnerabilities, as this won’t be the last one to be exploited. Modern operating systems have become quite good at auto-updates. Some smart devices (ahem, Android) don’t receive a lot of updates and could continue to pose risks.
The key point is that both clients and routers need to be patched against KRACK, so there are lots of potential attack vectors to consider.
Check Your Router
Your router’s firmware absolutely needs updating. If the router was supplied by your ISP, ask the company when their branded kit will be patched. If they don’t have an answer, keep asking. You can check that your router is up to date by browsing the administration panel. Find the user guide for your ISP-branded router and follow the instructions to connect to the admin pages.
If your ISP is not swiftly putting out a firmware update to fix KRACK, it may be time to consider switching your ISP. A radical option would be to buy a Wi-Fi access point from a responsible company that has already issued a patch. Plugging a Wi-Fi access point into your ISP router and disabling Wi-Fi on your ISP trash is a superior option.
Here’s a list of some of the router makers that have already put out fixes (MikroTik, Meraki, Aruba, Fortinet, etc.).
Use Ethernet
If your router doesn’t yet have a patch, and you don’t have a patched Wi-Fi access point that could be used for wireless as a substitute, you could connect to your router over Ethernet and turn off its wireless function until it’s patched (assuming Wi-Fi can be disabled on your router). Turn off Wi-Fi on your device as well, so that you can be sure all traffic passes through that sweet Ethernet cable.
If you still want to keep Wi-Fi for some devices, consider switching to Ethernet for essential devices. For instance, if you spend hours every day on a computer and generate a ton of internet traffic from it, buy an Ethernet cable to connect it.
Consider Using Cellular Data on Your Phone
Your phones and tablets don’t have an Ethernet port. If you want to be sure nobody is watching your traffic, disable Wi-Fi on your device and use cellular data instead. This isn’t ideal if you live somewhere with a spotty network, pay extra for mobile data, or don’t trust your telecom provider.
Devices running Android 6.0 Marshmallow or later are more vulnerable than other devices. It is easier to perform a key reinstallation attack against them because of a bad implementation of the handshake method in the Wi-Fi stack. So Android users need to be more careful about this vulnerability.
What about Internet-of-Things Devices?
If you own a lot of IoT devices, think about which of those devices pose the most serious risk if unencrypted traffic is intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same Wi-Fi network. Well, that could allow hackers to spy on raw video footage inside your home. Erk!
Take action accordingly, e.g. by pulling the riskiest devices off your network until their makers issue patches. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.
At the same time, if an attacker can intercept traffic between your smart light bulbs and your router, it’s probably fine. What are they going to do with this information anyhow? It’s fair to say that Edward Snowden wouldn’t want even info about how his light bulbs are being turned on and off getting into the hands of an attacker, and with good reason. But most people aren’t at risk of such an extreme level of state-sponsored surveillance. So you should decide your own level of risk and act accordingly.
That said, the Internet of Things does have a horrific reputation when it comes to security. So this could be a great moment to audit your connected device collection and consider junking any Wi-Fi device whose makers can’t quickly issue a patch, as they could pose some sort of long-term risk to your network.
Install the HTTPS Everywhere Extension
The EFF has released a neat browser extension called HTTPS Everywhere. If you’re using Google Chrome, Firefox or Opera, you should consider installing the extension. There’s no need to configure it, so anybody can do it.
If a website offers both non-encrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your web browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is also of no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted. But HTTPS Everywhere is better than nothing.
Don’t Rely on a VPN as a Solution
On paper, using a VPN server sounds neat. But we’ve been there already: be careful with the VPN services out there. You can’t trust any of them.
When you use a VPN service, you redirect all your internet traffic to a VPN server in a data center somewhere. An attacker can’t see what you’re doing on your Wi-Fi network, but a VPN company can log all your internet traffic and use it against you.
For instance, The Register revealed last week, citing a legal document, that PureVPN shared key information with authorities to track and arrest a man. And yet, the company’s website claims that PureVPN doesn’t keep any log information on its users. Again, don’t trust any VPN service provider. Unless you’re willing to build your own VPN server, a VPN service is not a reliable solution.
Especially Paranoid? Move to the Woods…
For the most paranoid out there who don’t want to, or can’t, stop using Wi-Fi completely, it may be time to relocate to a remote cabin in the woods far from any neighbours.
Tech CEOs’ version of this privacy-preserving strategy is to buy up neighbouring properties and knock them down to minimize the risk of any of their personal data being snooped on. Obviously, this strategy is very expensive.