By Michael Savich
On October 16th, security researchers published a paper detailing a set of vulnerabilities they have dubbed KRACK, short for key reinstallation attack. KRACK exploits WPA2, which is the security protocol used on nearly all wireless networks.
Although this is a major vulnerability, it can only be carried out if the attacker is on the same WiFi network as the victim. This means there is no risk of hackers siphoning your data from a remote location. On top of that, there are other layers of security protecting your data, such as HTTPS, often indicated by a green lock icon in a web browser’s address bar. However, as the researchers behind KRACK were quick to point out, many HTTPS sites are poorly configured and thus vulnerable.
In a recent email, Goucher IT claimed that “We do not use WPA2 at Goucher and therefore your connection is safe while on campus…” The meaning behind this statement is ambiguous. The claim that Goucher does not use WPA2 was probably a reference to the fact Goucher uses an enterprise- friendly derivative of the protocol, but that version is vulnerable to KRACK in the exact same way. Not only that, but even if the network is patched, an unpatched device isn’t entirely safe from KRACK exploits.
When asked for comment, Goucher IT staff member Bill Leimbach noted that Goucher’s WiFi “[Goucher IT] pushed out a [Cisco] firmware release at 4:30am on Tuesday morning to all of the campus access points. We will continue monitoring firmware releases from Cisco.”
(Cisco is the name of the company that sells the products that compose Goucher’s Wi-Fi infrastructure.)
To fully fix KRACK, client devices, such as phones and laptops, must also be patched. KRACK is a group of several vulnerabilities, and patching only the network or only the client would only resolve some of these problems.
Currently, only Microsoft has a patch available for KRACK. It was quietly pushed out on October 10th, so that by the time the vulnerability was disclosed many Windows machines had already been patched.
Apple has stated to the press that the KRACK vulnerability is fixed in the current betas of macOS 10.13.1 and iOS 11.1, which will be made available in the coming weeks.
There is no patch for Android available yet. Though technically owned by Google, Android is typically customized by manufacturers, which means that even once a patch is made available it may take some time for your Android device’s manufacturer, e.g. Samsung, makes the update directly available.
Patches are already available for Linux-based clients as well.
While KRACK is not the end of the world for WiFi security, it does represent a serious and long term threat. In particular, while most computers used by individuals will be patched, WiFi connected devices, aka the “Internet of Things” are less likely to be patched. If you own WiFi security cameras or WiFi smart locks, ensure that they are patched or, if no patch is made available, consider replacing them.
And finally, remember that as a rule of thumb, the best way to protect yourself against KRACK as well and any other future vulnerabilities is to install software updates as soon as they become available.
Photograph of KRACK’s Logo