What Is KRACK?
A new Wi-Fi vulnerability has been dubbed “KRACK”, which is a shortened mashup of Key Reinstallation Attacks.
If you use Wi-Fi then you are at risk. But don’t worry too much, as this issue can be resolved through a straightforward software update or a firmware patch.
The WPA encryption algorithm itself has not been compromised, but the key exchange part has.
Using this flaw, attackers can perform a man-in-the-middle attack and insert themselves between the wireless access point and the wireless client—whether that is a laptop, smartphone, tablet, gaming console, or IoT device.
This is a client-side vulnerability, so there is nothing to fix on the wireless router or access point. There are some wireless equipment makers issuing updates, though, so check with your vendor to see if there is a patch available.
Attackers cannot obtain your actual WPA2 password using KRACK—or even view encrypted traffic in many cases. The flaw simply allows a successful attacker to view unencrypted traffic traversing your wireless network on Windows, macOS, and iOS devices.
For Android (version 6 and up) and Linux, on the other hand, KRACK is a much bigger threat. Because of the way these platforms handle encryption keys for WPA2, the system defaults to an all-zero encryption key, which enables the attacker to decrypt encrypted traffic as well, and that’s a huge bummer. See the video below for a real live demonstration of this attack.
What about Windows PCs?
They’re safe if you stayed updated. Microsoft released a Windows patch to protect against KRACK on October 10, before the vulnerability was made public.
What about Android?
Fixed at patch level “November 6, 2017.” Rolls out soon to Pixel + Nexus. Other models may take a bit longer to receive the patch.
How about iPhone and Mac?
Safer than Android, but still not entirely safe. Apple said in a statement that all current iOS, macOS, watchOS, and tvOS betas include a fix for KRACK. It will be rolling out to all devices within a few weeks, by November 6, 2017.
The Rest?
Check this list for more products. If you have Kickstarter products, check with those vendors, but more than likely you will have to buy new ones.
Protecting Yourself Against KRACK
- Simply plug in a wired Ethernet cable connection, or stick to your cellular connection on a phone. Stay off Wi-Fi until you patch your router and your devices. Monitor vendor sites for patch availability and patch immediately once an update is available.
- Only use websites that use HTTPS encryption. Secure websites are still secure even with Wi-Fi security broken.
- Use a virtual private network (VPN) to hide all of your network traffic. Example: VyprVPN, or if you're inclined to set up your own, try this LifeHacker link.