This topic is so serious, I feel obliged to tell as many people as possible. This affects everyone!
An extremely serious vulnerability has been exposed affecting everyone. We all use WiFi and we are all vulnerable to this latest attack.
Two Belgian researchers discovered a vulnerability in the WiFi protocol (last year! 2016). They put their research paper out for comments in May 2017 and have now released it to the public. Key Reinstallation Attack (KRACK) is a man-in-the-middle attack targeting the 4-way handshake that occurs in the WPA2 wireless protocol. Huh? Read on..
DOES THIS AFFECT ME?
Not too long ago, we all used WEP wireless encryption (even if you didn’t know). It was the standard and is now extremely unsecure and can be hacked real time. The industry settled on WPA2 wireless encryption protocol as the new standard. It is everywhere. We all use it. It’s the default.
ALL ARE AFFECTED
Androids, iOS, MacOS, Windows, OpenBSD, Linux, Embedded and IoT devices.
The most vulnerable devices are Android 6.0 for the simplest form of attack making it trivial to decrypt all network traffic yet even Windows and iOS are susceptible to other forms of attack. All major operating systems are vulnerable to at least one form of the attack.
BleepingComputer.com is maintaining a list of all vendors addressing the KRACK WiFi vulnerability.
Note this does not affect your cell phone 4G/LTE data connection but rather Wi-Fi.
WHAT DOES THIS MEAN?
Someone can be sitting in a vehicle or in your neighborhood, within range of your wireless network, and they can potentially see what devices you have on your network (webcams, security devices, printers, computers, files, private photos). They can see where you are going on the Internet, what websites you are browsing, and potentially see your account passwords. This is a real threat to everyone’s privacy. We all rely very heavily on wireless technologies.
WHAT CAN I DO?
- Once again, I emphasize how it is important to ensure websites you interact with have SSL encryption. This is another layer of protection that is separate from the WiFi protocol. You need to see that lock symbol in your web browser, it needs to say “https” (the “s” is important). Also ensure that it continues to stay secure as there are attacks that exploit webservers and disable the SSL encryption.
- Make use of virtual private networks (VPN) when connecting to home or office networks remotely. This is another encrypted layer which securely tunnels your traffic over the Internet to the destination.
- Ensure you apply firmware and software updates on a regular basis!! So many people do not apply updates. For this situation, this affects everything you have which communicates wirelessly. There will be updates coming soon for iOS and Android, make sure you apply them. I am concerned that many of you have never updated the Internet routers at your home and this opens up your entire home network and all devices to hackers. Learn how to update your routers (NetGear / DLink / Linksys / Asus / Ubiquiti / Cisco / etc).
I’M NOT TECHNICAL
You need to get some help, either someone your know or else pay someone to secure your devices. This is not a topic you can ignore and hope it goes away. Privacy and security is something very real that everyone needs to understand the risks and address.
I AM TECHNICAL
Want more information?