What's the KRACK with Reported Wi-Fi Vulnerability?
The tech world is, once more, buzzing about a vulnerability in a technology we all take for granted. So, what is the KRACK vulnerability and what can businesses and users do about it?
What do we know so far?
The largest tech firms in the world are currently racing to patch a vulnerability in the most commonly used form of Wi-Fi security. The vulnerability sets the stage for a new attack method called a Key Reinstallation Attack, or KRACK, and it could potentially affect all Wi-Fi Protected Access II (WPA2) protocol implementations.
The good news is that an attacker would need to be in range of the Wi-Fi network itself before they could potentially help themselves to data such as credit card numbers, passwords, chat messages, emails and photos by exploiting the vulnerability. It is also possible that the vulnerability could open devices and networks up to inserted cyber attacks.
The other positive news is that data passed to websites and services over secure connections (those that use encryption such as HTTPS and TLS) should be safe from this kind of attack.
What about patching?
At the time of writing, Microsoft has already addressed the issue in its round of October 2017 patches and published an advisory on its security guidance website. Apple is also working to close the vulnerability by including patches in the latest beta releases of macOS, iOS, tvOS, and watchOS.
It seems, however, that Google is a little behind the curve, with patches for devices running the Android operating system planned for its November updates. Android 6.0 and above is said to be the operating system most affected by the WPA2 vulnerability, and an attack against devices running it could be "exceptionally devastating".
As with most security vulnerabilities, users can hold the key to staying safe. We would advise that the following is communicated to staff within any organisation whilst the Wi-Fi loophole is patched and closed by vendors:
- Make sure that whenever you access a Wi-Fi connection, you are asked to provide a password. You can pick out secured Wi-Fi connections by looking for the padlock symbol next to the network name (SSID). If you don't see the padlock then do not connect. Connections that do not ask for a password are open to attack anyway and should be avoided at all costs.
- Avoid connecting devices to free Wi-Fi hotspots in communal places (coffee shops, libraries, shops etc.). If you need to go online whilst out and about then use the data service from your mobile carrier rather than free Wi-Fi.
- Check that any websites you access whilst connected to a Wi-Fi network use an encrypted connection. Always look for the green padlock symbol in your web browser address bar (like you can see on this website) to make sure that data passed between a device and a website is encrypted.
- Install the latest patches for all of your devices as soon as they are available. This includes internet routers.
- If you can, use a Virtual Private Network (VPN) whilst connecting to the internet and company networks.
We will continue to monitor this situation as it unfolds and will advise our clients as necessary.