Monday is the least favorite day of the week for a number of people, but yesterday’s news that the heart of Wi-Fi security — Wireless Protected Access II (WPA2) — had been compromised through a vulnerability called KRACK really made October 16, 2017 a lousy day. In this article, we’ll tell you what KRACK is, how it works, and how you can stay safe on Wi-Fi networks.
What is KRACK?
KRACK is a nickname for Key Reinstallation Attack, a method that hackers can use to attack a Wi-Fi network to eavesdrop on any network traffic between an access point and a device.
Up to this point, most Wi-Fi users have assumed that using WPA2 as the encryption of choice on a network and sticking to websites using encryption (that is, using the https protocol) would keep their data secure and safe. KRACK is a somewhat brute force method of making a Wi-Fi network give up its encryption key, giving a hacker a method of then viewing all traffic from a device, including user names, passwords, credit card numbers, personal photos and more.
Below is a short video from Mathy Vanhoef, who discovered the vulnerability. It shows just how easy it is to perform a Key Reinstallation Attack and then steal user names and passwords. Note that although the title is “Bypassing WPA2 against Android and Linux”, all operating systems are susceptible to the methodology:
How Are Companies Responding to KRACK?
Vanhoef made the vulnerability known to operating system developers prior to the public release of information so that they’d have time to begin preparing countermeasures.
Almost immediately, Microsoft released an update for Windows, and Google noted that it will have an update for its Pixel devices next month (there’s no word on whether they’re working on a patch for Android). Apple announced yesterday afternoon that a patch for KRACK is already in developer beta versions of its operating systems that were made available today. Those OS updates should be rolled out to consumers soon, and this is one case where it is very important for Apple users to perform the updates as soon as they are available.
What About Wi-Fi Access Points?
Since the attack is made between Wi-Fi access points and devices, shouldn’t Wi-Fi access points be updated as well? At this point, most major router manufacturers are working on patches that should fix the problem. However, it’s rather rare for most computer users to update their access points on a regular basis, so unless manufacturers are able to get the word out to users on how to perform a patch, it’s unlikely that most users will actually do so.
Apple’s AirPort routers can notify users of incoming updates through the AirPort Utility, so if Apple decides to update the devices, users will get notification. The process of updating an AirPort is also quite simple and fast; once Apple sends out an update, the AirPort can literally be protected within a minute or two.
How Can We Stay Safe From KRACK While Waiting For Updates?
There’s one good thing about KRACK — it requires that the attacker have close physical proximity to the Wi-Fi network being compromised. That means that those who can see only their own Wi-Fi access point in the list of available networks are pretty safe.
In many modern neighborhoods, and especially in apartment complexes, it’s possible to see dozens of Wi-Fi access points in the available networks list. That means that any of those networks could potentially host an attacker who can see your network. Fortunately, fixing the problem on the client side (your electronic devices) ensures that they can’t be attacked.
Until the updates to macOS, iOS, watchOS and tvOS arrive, there are some simple measures that can help. First, stay off of public networks as much as possible. Next, although it’s not a failsafe, make sure that you’re only visiting websites like the Rocket Yard that utilize https encryption to add another layer of protection.
Third, if there’s any way that you can use a wired Ethernet connection, that eliminates the attack altogether. Finally, consider using a Virtual Private Network (VPN) to further encrypt your online communications. VPNs create an encrypted “tunnel” between your devices and websites, making it more difficult for a hacker to try an attack.
The Rocket Yard will let you know when Apple releases the updates that fix the KRACK vulnerability. In the meantime, stay safe out there.
My Airport Extreme (just out of warranty) stopped working during Hurricane Irma, so I have been using an old Linksys with a current update dated 2008, so I doubt Linksys will patch it.
I am not too concerned about it for the moment, because, given the range of the signal, you would have to be inside a fence on my property or parked in front of my mailbox to execute this attack. So, the likelihood of getting attacked at home is slim. Outside of home, I don’t really trust “free WiFi” for anything but reading news sites.
Can anyone answer these questions?
1) The video says that all Wi-Fi devices must be updated. Does that include the modem/Wi-Fi unit provided by my ISP?
2) For what versions of iOS & macOS will the patch be available? I have 2 devices on which Apple no longer supports OS upgrade:
2a) iPad Gen 4 + iOS 10.3.3
2b) MacBook Pro 2009 + OSX 10.11.6
3) Have an iMac running 10.12.6 (Sierra), do I have to upgrade to High Sierra to get patch?
Why have they not replied to you? This was four days ago.
The attack is against the supplicant, e.g. PC, phone or tablet. If an access point is used as a client then it needs an upgrade. My understanding is that Apple mobile devices are not at risk due to an incomplete implementation of the standard. I would be very surprised to learn that your ISP’s AP was being used as a client.
“Security Update 2017-003 10.11.6” just appeared for my old Macbook that can’t be upgraded past 10.11. So I am assuming updates for 10.12 and 10.13 will be forthcoming shortly.
I sure hope Apple is planning a firmware update for AirPort devices, because I have several IoT devices that are not easily updated.
A beautifully succinct and comprehensive of this newly published issue.
The only thing I didn’t see was that users with application-specific encryption (e.g. https or TLS) are protected by that encryption.