Earlier this week, a researcher from the University of Leuven discovered a critical flaw in the WPA2 wireless communication standard that leaves all Wi-Fi-connected devices vulnerable to attacks. Now, we will lay out simple steps users can take to mitigate risk until the Wi-Fi Alliance comes up with a fix.
As we wrote yesterday, researcher Mathy Vanhoef confirmed that “an attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs).”
Attacks would be platform-agnostic – meaning no operating system is immune – and would theoretically work against all modern protected Wi-Fi networks. It is worth noting that no attacks exploiting this flaw have been recorded yet, but it’s better to be safe than sorry.
The Wi-Fi Alliance has drawn up a plan to remedy the situation, but it’s going to be a while before WPA2 is fully patched.
For its part, the United States Computer Emergency Readiness Team (CERT) has published an advisory in response to the news and even lists all known affected hardware and software. As the Wi-Fi alliance and product vendors scramble to come up with patches, here’s what you can do:
Install whatever update / patch is already available
If your vendor already has a patch available, grab it. It might not be easy to obtain and install, but if you care about your data and privacy, you should make the effort to patch. Typically, routers need to be patched manually by visiting the vendor’s website, downloading the patch and feeding it to the router through a web tool.
Use AES encryption
Both AES and TKIP are vulnerable to KRACK. However, AES is not vulnerable to packet injection, so you can continue using WPA2 with some peace of mind as long as it’s encrypted with AES (not TKIP).
Visit only HTTPS-secured websites and/or use VPN
HTTPS negotiates its own security layer, so every website secured with HTTPS (TLS) is theoretically safe to visit. For greater peace of mind, use a trusted VPN service to encrypt inbound and outbound transmissions. HTTP sites are not safe – not just because of KRACK, but in general.
Use lower-risk devices if you can
Soon after KRACK came to light, it was confirmed that virtually any device that sends and receives data over Wi-Fi is vulnerable. However, Vanhoef said Android devices running OS version 6.0 or newer are the most vulnerable because of a flawed implementation of WPA2. So maybe use a non-Android device until things get cleared up. This is not a remedy, of course, but merely a “safer” option for the types who dual-wield phones and tablets with different OSes anyway.
Desktop-wise, researchers discovered Linux is the most vulnerable operating system, so consider using a Windows PC or a Mac in the meantime – again, if you can.
Avoid public Wi-Fi, use Ethernet at home and at work
Public Wi-Fi hotspots are the most vulnerable at this point, so avoid them as much as you can. At home or at work, use a wired network if your computer allows it. This means connecting an Ethernet cable to your computer, instead of connecting to the web through Wi-Fi.
If you’re a Windows PC user (and chances are most of our reader base is), Microsoft’s October 10 update protects Windows 10 PCs against KRACK. The Redmond-based software maker confirmed it in a statement to Windows Central:
“Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release update,” Microsoft said.
If your PC has automatic updates enabled, you’re good. If not, you have to manually fetch it via Windows Update. We suggest you do it now.
(Remeber that updating Windows protects only your Windows device from a potential attack. Your other devices will still have to be secured either with a patch or via the steps enumerated above)
For Apple users and others
Apple has confirmed to the press that it is beta testing new versions of iOS, macOS, watchOS and tvOS containing a patch for KRACK. No word on when the final/public versions will be released, though. Typically, Apple spends at least two months testing beta OSes for its platforms.
Google, for its part, has also confirmed it is aware of the issue and will be rolling out patches soon. Linux suppliers are also on the case (word has it that patches are already being deployed).
So pretty much everyone is left with the general tips above until their vendors deploy the updates.
As always, running a trusted AV solution further enhances your protection. Even if a hacker successfully deploys a KRACK attack, you still have your anti-malware solution by your side in case the attacker wants to redirect you to malicious or fraudulent websites, or tries to drop a malicious file on your system.
That’s it. Stay safe everyone!