Since its news release a few days ago, the tech media has made considerable hay of the threat and implications of the Wi-Fi Protected Access II (WPA2) protocol flaw / attack known as KRACK — Key Reinstallation AttaCK. And while the vulnerability does reveal legitimate security concerns, the real-world implications arent as panic-inducing as its been made out to be.
For the purposes of this blog, a deep dive into the technical details of this exploit isnt necessary, but suffice it to say that KRACK potentially allows bad actors to interfere with the security handshake between wireless devices. This could allow for observation and extraction of sensitive personal information (passwords, account data, social security #s, credit cards, emails) being transmitted between your wireless devices and Wi-Fi router / access point. In theory, it may also be possible for hackers to maliciously modify your network traffic and inject ransomware into websites.
This breach is only possible if the hacker is within close enough physical proximity to your wireless client or access points to inject himself into your network traffic and execute a Man-in-the-Middle attack.
Beyond your PCs, think about how many other wireless devices now occupy our home and office. This list includes, but is not limited to: smartphones, printers, TVs, washing machines, refrigerators, light bulbs, door locks, alarms, security cameras, and the list goes on and on.
KRACK represents an endemic weakness of the WPA2 protocol itself and is not a result of faulty implementation. Given how widely WPA2 is used, it is likely every wireless product you own is impacted by KRACK, and the only fix are security patches that each product vendor needs to generate & deploy to their devices.
While it sounds extremely concerning that hackers could potentially defeat WPA2, decrypt & intercept your wireless / internet traffic, reveal sensitive information, and even leverage your IoT devices to build a botnet as vectors to attack other networks, the real-world impact of KRACK is considerably more subdued.
First off, as of this writing, Microsoft and Apple have already issued security patches for their respective mobile and desktop operating systems. Google stated that a patch to its Android mobile OS is forthcoming in early November. Other Linux based OSs and devices are more at risk, to be explained a bit later. Firewall and Access Point manufacturer Sonicwall already disclosed that its products are not vulnerable to KRACK attacks. Cisco rapidly released security patches for its firewalls, which are available now via cloud updates / downloads.
Regardless of this new KRACK vulnerability, as weve stated repeatedly in the past, RSI strongly recommends staying on top of released security patches. Remember that the recent Wanna Cry ransomware attack exploited holes in Windows PCs that didnt implement Microsofts security patches. And of course, hackers were able to access Equifax data due to the company not patching security gaps in Apache software that the vendor itself resolved 2 months prior to the breach.
Being aware of released patches and immediate implementation is an absolutely mandatory security practice, but in KRACKs case, its still not enough.
The ability to patch our devices is obviously predicated on the availability of said patches, and many vendors unfortunately fall down on this. Keep hounding all your wireless product vendors for their WPA2 patch — refer for instance, to this list issued by US-CERT (United States Computer Emergency Readiness Team) is comprehensive, but not complete.
While WPA2 patches have been / will likely be patched by major computer and electronic vendors, it is uncertain if the litany of Internet of Things (IoT) product vendors will ever release security updates for their products. Granted, not all wireless IoT devices require encryption for local traffic in the first place. You dont necessarily need a password to control your smart light bulb so Plaintext communication between your wifi access point and bulb is fine. Even if someone took the inordinate effort to hack into that system, and manipulate its functions to turn on / off outside of your control, its not a life or death situation (vs. an internet accessible pacemaker.)
What about a hack to your smart TV? Bad actors potentially controlling the device and changing channels is one thing. What if theyre able to intercept your passwords for the Netflix app? What about your Amazon shopping password? The key is being fully aware of whats happening on all wireless devices that you might transmit sensitive information on. You cant assume security measures are automatically built-in or currently functioning as designed.
Also again, remember that the hacker has to be within close proximity to your network to first access your wireless signal, prior to his attempts at decryption, interception, malware insertion, etc if the KRACK exploit has not yet been patched by the device vendor or your router / access point vendor.
But what if you deliberately place yourself / your devices in a position to have your wireless traffic be exposed on an open network? Were talking of course about public Wi-Fi hotspots – every Starbucks, hotel, library, and mall has them, and your computer web browsing activity (if its not encrypted) is potentially an open book to other users / hackers sitting on the network.
If you use public WiFi, our security recommendations apply regardless of KRACK attack potential:
- Use a VPN on your laptop / smartphone / tablet to create a secure tunnel back to a firewall in your home or office, or a VPN service such as Private Internet Access
- Ensure the websites you access are secure via HTTPS notation before the web address.
That said, those security measure are still not a perfect remedy against KRACK, given other technical caveats / possibilities such as forced downgrading to plain HTTP. But again, those and other much more technical details are topics for another day.
Key Takeaways – Both general & directly in response to KRACK
- Dont panic, major vendor security patches have already or will soon be deployed
- Be vigilant on applying those patches, act immediately and dont wait days / weeks
- Hound your device vendors to generate and deploy patches. If they dont, or if the vendor has terminated business, consider moving to another name brand vendor.
- Use VPN when possible to securely mask your internet traffic
- Use a dedicated hardware firewall to prevent external intrusions into your network. Firewall settings on your router are insufficient.
- Use / surf on websites that state HTTPS, denoting encryption of web traffic
- Exclusively use wired ethernet connections, thereby eliminating possible wifi threats, but at the expense of features and convenience
- Analyze device features and understand costs and trade-offs. Does your internal wireless home security camera use encryption? If not, or if that encryption is broken, attackers could snoop on your home video feed. Is the convenience and feature set of these inexpensive IoT devices worth the possible security & privacy risks? Conversely, is there such a thing as too much security (only using wired connections) thus sacrificing todays ubiquitous wireless benefits?
And lastly, recognize that no solution or combination of solutions are 100% perfect. Cybersecurity will be a lifelong, persistent effort representing defensive layers that bolster your security posture, making you less of a target vs. other entities lacking corresponding defensive layers.
About the Author
Eric Haruki is a technology analyst with over 15 years of experience advising global category leaderssuch as Samsung, Panasonic, HP, & Ciscoonproduct and brand strategy, market competitiveness, and in areas of untapped product and distribution opportunity. He has produced both syndicated and project work, delivering forecasts, SWOT analyses, road maps, and panel survey insights to research customers around the globe. Eric has contributed to major print and television press outlets and has been a featured presenter at industry conferences. He isdriven to find insights through extensive market research and deliver concise and actionable solutions to vendors, leading ultimately to the development of valued downstream goods and services to end users.