On October 18, all of the top news broadcasters and tech bloggers were covering the breaking news that took the world by surprise. A flaw was found in the most-used protocol that password-protects a wireless network. It was now a race between developers and hackers. Aahhh!
Let’s start here: What broke?
As you know, wireless routers and access points allow you to password-protect your WiFi network. To do this, the device is most likely using the “WiFi Protected Access II” protocol (aka. WPA2). This protocol is an established set of rules and encryption that protects your network and the data transmitted over the air. The WiFi Alliance developed the first version of WPA in 2003 to temporarily replace the failing “Wired Equivalent Privacy” protocol (aka. WEP). In 2004, they released the more secure and complex WPA2.
Since its release over 13 years ago, WPA2 has remained the protocol of choice for one-password WiFi networks. One-password networks, as the name implies, are WiFi networks that allow you to join using one pre-configured password. There are security protocols that are more advanced than WPA2. These, however, require networking expertise and authentication servers, which is why they’re used in business and enterprise environments. Nonetheless, WPA2 has proven itself reliable and secure, time and time again.
When the story broke that WPA2 could be exploited, the news went instantly viral. Researcher Mathy Vanhoef discovered the vulnerability. He released a technical paper on how it could be exploited and named the process “Key Reinstallation Attack” (aka. KRACK). His complex description arrived at one conclusion: the 13-year-old protocol we had all grown to rely on was flawed. Most WiFi equipment and networks in the world were now virtually insecure.
What this meant (and what it didn’t)
The WPA2 vulnerability allowed an attacker to intercept the data that is traveling between devices (e.g. smartphone, laptop, tablet) and WiFi sources (e.g. ISP router, coffee shop AP, hotspot). The attacker could also act as a middle person, allowing them to inject malware into web pages or any file you downloaded. In the end, our WiFi connection could be manipulated and used against us.
Let’s get to the good news. Researchers quickly pointed out the attack was difficult to execute. First, the attacker had to physically be within range of your device and wireless network. Second, the attacker would need to have lots of experience with the process, as it was difficult to pull off. Lastly, a lot of our internet activity today is encrypted/protected through secondary security protocols. Any data that was intercepted while under any of the following scenarios would be unreadable by the attacker:
- Secured activity via a web browser (URLs that use https://, “Green padlock” icon next to the URL)
- Data transmitted while using an SSL VPN connection/app
- Email processed through a secure client, such as Outlook (Office 365, Exchange, Google Apps)
- Data transmitted via ethernet cable (physical connection/not WiFi)
- Data transmitted via LTE/4G/3G cellular data/device (this data is encrypted differently than WiFi)
What happens next?
The WiFi Alliance confirmed that the WPA2 vulnerability could be patched and secured through a software update. To top it off, this software patch/fix was backward-compatible, allowing all versions of WPA2 to be patched. The only issue now is the waiting game. Manufacturers and developers will have to assign resources to develop patches/updates that will plug your device’s WiFi vulnerability.
As of this article, Windows, macOS, Android, iOS, Linux, and ChromeOS all have available updates for their supported OS. Many major WiFi equipment companies have also released patches for their products. Please be sure to go through and regularly update all your devices. Have questions or concerns about your home devices? Reach out to your manufacturer’s support line and ask them what steps they recommend you take.
WiFi-capable devices to be aware of:
- ISP-Routers (Xfinity, CenturyLink, WaveG, etc)
- Third-party wireless routers (Netgear, Belkin, ASUS, Cisco, Linksys, etc)
- Smartphones (iPhone, Android, Blackberry, Windows)
- Workstations/Laptops (Any)
- Smart Televisions (LG, Samsung, Vizio, TCL, etc)
- Media Streaming Device (Apple TV, Roku, Amazon, Chromecast)
- Tablets (Android, iPad, Amazon, etc)
- Smart watches
- MP3 players/iPods
- Smart homes (connected appliances, light bulbs, thermostats, etc)
- Anything that accesses the internet