Another day, another scary-sounding widespread cybersecurity vulnerability in the news. This time it’s about WiFi, specifically the WPA2 encryption protocol that practically everyone uses. As Ars Technica reported, Key Reinstallation Attacks (KRACK) let attackers intercept data between your device and a WiFi router, including emails, passwords, personal information and anything else you’d transmit over the supposedly secure WPA2 connection.
How to Secure Your Devices
KRACK is only a proof-of-concept attack. There haven’t been any reported cases of this vulnerability being exploited on a widespread basis. That being said, the vulnerability does exist. Here are some highlights.
- KRACK vulnerabilities affect all devices that use WPA2, regardless of the platform. This includes Windows, macOS, tvOS, Android, iOS, and Linux devices: your computers, tablets, laptops, smartphones, internet-of-things devices, streaming set-top boxes, etc. The vulnerability is focused on the clients and not the routers.
- Attackers must be within WiFi range. This is the next best news. This isn’t something that’s going to infect you over the internet or from a shady email link. An attacker has to be within physical WiFi range to exploit the vulnerability. This means parked outside your house, camped out in your company’s server room, or sitting next to you in a coffee shop.
- Microsoft has already patched Windows 10. Apple’s release is coming very soon. Microsoft’s October 10 Windows 10 cumulative update included a fix for the KRACK vulnerability, but they didn’t disclose it at the time. If you stay up to date with your Windows patches, then you’re good on that device. Apple has a fix in its beta release of iOS, tvOS, watchOS and macOS. It’ll be rolling out soon, giving us yet another .0.x update since the September release of iOS 11.
- Linux and Android devices remain vulnerable. Be on the lookout for software updates for your Android and Linux devices and install them as soon as they are available.
- What about wireless routers? WPA2 is a protocol between your device and your wireless router. So, the obvious question should be: when are wireless routers going to be fixed? WiFi routers—be it a Netgear, Linksys, Cisco, ASUS, TP-Link, etc.—will need firmware updates to fix this issue. Developers are working on these fixes, but few, if any, are available right now. You can check for firmware updates on your router’s setup page.
- Changing your WiFi password won’t help. Although you may want to change your password once your devices are all patched, doing so now won’t protect you. The WPA2 vulnerability that KRACK exploits makes your password irrelevant.
- WEP is still worse than WPA2. The vulnerabilities of WEP are widely known and the researchers who found the KRACK vulnerability say you should not use WEP instead of WPA2, even in light of KRACK.
That’s about all the information there is now. For the latest and best information, check out krackattacks.com, which is the official site of the researchers who found KRACK.