No need to panic about the KRACK Wi-Fi vulnerability, unless your home is IOT3 min read . Updated: 17 Oct 2017, 05:06 PM IST
Most companies are actively rolling out security updates to block attacks arising due to KRACK, Key Reinstallation Attack, vulnerability
New Delhi: We all love to be connected on Wi-Fi, but the very same Wi-Fi that we are using has a serious vulnerability. It is called KRACK, which is short for “Key Reinstallation Attack". The United States Computer Emergency Readiness Team, a part of the Department of Homeland Security, confirmed the WPA2 vulnerability for Wi-Fi networks, after Mathy Vanhoef, security expert at Belgian university KU Leuven, discovered the flaw in wireless security.
This is specifically linked with the WPA2 security protocol, an exploit for which allows attackers within the physical proximity of a vulnerable device or wireless access point to intercept passwords, read e-mails, and other traffic that is currently running on that network. This exploit will also allow hackers to potentially inject ransomware or other malicious content on web pages. Worse still, sensitive information such as your banking passwords, credit card details as well as photos, chat messages and documents can be intercepted and stolen.
This newly discovered weakness in the Wi-Fi security protocol puts nearly every connected device at risk. The threat starts from the Wi-Fi router that you own, and can easily spread to phones, tablets and other computing devices that you may use. Researchers have noted that Android- and Linux-based devices are particularly vulnerable, and as many as 50% of Android devices are particularly susceptible.
However, it is not all bad news. For this sort of an attack to be mounted on your Wi-Fi network, a hacker has to be within the range of the network—this cannot be remotely. This also means that any attack being mounted is limited to that particular Wi-Fi network. However, considering the fact that any and all connecting devices must be considered vulnerable, the potential of hackers getting their hands on sensitive data from devices is very true, particularly on public Wi-Fi networks. Also, many websites add an extra layer of HTTPS (Hyper Text Transfer Protocol Secure) encryption to ensure that the data is scrambled as it travels on the network, and KRACK is believed to not break that encryption.
The best way to protect yourself at the moment is to ensure that all computing devices and mobile devices that connect with Wi-Fi are properly updated with the latest software and security patches. Microsoft already released the patches for Windows PCs in the updates rolled out last Tuesday. Apple is finalizing patches for all its operating systems, including iOS, macOS, watchOS and tvOS. There is still no specific information on Android phones, considering the fragmentation in that space and a lot will depend on how quickly phone makers want to roll out the updates.
In the meantime, avoid connecting to public Wi-Fi networks.
There is still a question mark on Wi-Fi routers however. It is expected that almost all manufacturers will roll out updates for routers that are currently in use with consumers—you will just need to keep an eye out for those on the website of your router’s manufacturer—there are different installation and update processes for different router types. At present, not much will be achieved by changing the Wi-Fi password. The Wi-Fi Alliance has confirmed that manufacturers will need to verify that any new routers that they sell must not be vulnerable to KRACK exploits.
Internet of Things devices are at serious risk too. Connected devices such as security cameras, lighting and other electronic devices are at risk too. For instance, if your home security camera is sending unencrypted data on the Wi-Fi network to your phone or tablet, hackers too can get access to that unedited footage. The ideal solution right now would be to unhook these devices from the Wi-Fi network, and check with the manufacturer for KRACK patches.
Mobile data networks from your cellular service provider are not vulnerable to KRACK.