If you have to enter a key code to connect to your Wi-Fi, there’s a good chance that your connection is protected using Wi-Fi Protected Access II, or WPA2. It followed the previous WEP and WPA methods of securing wireless connections and has been a mandatory component of all new Wi-Fi devices since March 2006.
There are WPA-Personal and WPA-Enterprise modes, depending on the level of security needed, but in early October 2017 researchers in Belgium published details of a vulnerability that is believed to affect all pre-existing WPA2 devices.
By using a Krack (Key Reinstallation AttaCK), hackers can force the wireless signal to reveal raw data that should only be transmitted in encrypted form, and may even be able to inject malware and other false data into the signal received by other devices on the network.
ALL existing WPA2 connections are vulnerable, including desktop and laptop computers running Windows, Linux or iOS, as well as smartphones – iOS, Android and other mobile operating systems – as the flaw is in the Wi-Fi standard and not in any specific hardware or software configuration.
The researchers also pointed out several ways in which unencrypted data can be accessed using a Krack Attack, even if it is transmitted via an HTTPS ‘secure’ connection to a website.
Am I at risk?
The short answer is yes, most probably. If you have a Wi-Fi network protected by WPA2, and if you have not yet installed any security updates or patches in response to the Krack Attack news, then you are still at risk.
Particularly high risk applies to Linux and Android systems, which use an especially vulnerable Wi-Fi client called wpa_supplicant. About half of all Android devices are open to attack because of this, and it is unusually easy for hackers to access unencrypted data on those devices and on the Linux operating system.
The research paper itself was written in May but is only officially being presented on November 1st (although it has been made public online already) and the researchers say that in the months since May, they have also found even easier ways to hack both OpenBSD and macOS using Krack Attacks.
What happens next?
On November 1st the researchers will present their paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, at the Computer and Communications Security conference.
Before then it is essential that you identify any of your wireless networks that are using WPA2 (which is likely to be most, if not all standard configurations) and apply any appropriate security updates to close this vulnerability.
Router firmware should be updated once a patched version is available, but crucially all wireless devices – from computers to smartphones and other networked equipment – should also be patched as and when updates become available.
Patched devices will still be able to communicate with unpatched devices, so nothing should be ‘cut off’ from the network following an update, but those devices that are updated will no longer be vulnerable to this specific attack.
Unusually, because the vulnerability is in the signal itself, there should be no need to change your Wi-Fi password, but you may also wish to do this as a general security measure.
The major hardware and software developers are working fast to provide security updates and patches that close this loophole, and Microsoft had theirs available as soon as the news broke.
If you have automatic updates enabled, this means those devices should be secured, but if you use manual updates, you’re not certain, or especially if you run old versions of Windows that are no longer subject to ongoing updates and security support, you could be at risk.
If you need a second opinion on your computer systems, or you need help protecting mobile devices and other network equipment, call Comcare to find out how we can make sure all of your network routers and connected devices are protected against the risk of Krack Attacks.