Do you have a wireless network (Wi-Fi) at home? Who doesn’t these days? There is a 99% chance that you are vulnerable to the KRACK attack. No, you did not do anything wrong. Even if your phone, tablet, PC or router was updated as recently as a week ago, you are still vulnerable. As you know, Wi-Fi sends data over the air. Anything transmitted over the air can more easily be intercepted than when it is sent via a network cable.
First some background information on Wi-Fi and how vendors have tried to make it as secure as wired network connections.
Protocol = An established orderly way technology devices have agreed upon to talk to each other.
Encryption = Instead of sending information (especially sensitive personally identifiable information) in clear text over a network, vendors use a special key\algorithms to encrypt (scramble) the information so it cannot be read. Once the information reaches its destination, the receiving device has the same or matching key and will then decrypt the information so it can be read.
Clear Text Example = My Social Security number is 234-09-1234
Encryption Example = Ym73766234%-(09-R##@12$3^
Wi-Fi vendors created WEP, WPA and WPA2 to make wireless communications more secure.
WEP stands for Wired Equivalent Privacy. It was designed to encrypt information sent between two wireless devices and make it as secure as sending it over a network cable. WEP was created in 1997 and it was cracked in 2003. Using only WEP to protect your Wi-Fi network is like using only a screen door to protect your house.
WPA stands for Wi-Fi Protected Access. It was released in 2004. It was the wireless encryption standard that was designed to take the place of the weak\cracked WEP. WPA was never meant to be the final answer to protecting wireless communication. The Wi-Fi Alliance had to come up with something quick to replace WEP.
WPA2 stands for Wi-Fi Protected Access version 2. WPA2 was created to be the long term solution to make Wi-Fi communications more secure…unbreakable encryption. Well that was the case until October 2017.
Client = The device (phone, tablet, or laptop) you are using.
Access Point (AP) The usually white square box with antennas sticking out of it that connects the wireless client to your router and subsequently connects you to the Internet.
Mathy Vanhoef, a security researcher at KU Leuven University in Belgium discovered a flaw in the WPA2 protocol. He called the flaw KRACK, Key Reinstallation AttaCK. In order for the name to make sense, you have to know a little bit about how the WPA2 protocol works, particularly the four-way handshake. Here are the steps.
Step 1 of 4 = The AP (Access Point) sends a number used only once to the client.
Step 2 of 4 = The client checks and recognizes the number and sends back its own used ONCE number to the AP.
Now the client and the AP know and trust each other.
Step 3 of 4 = The AP sends the secret key to the client. This secret key will be used to encrypt (scramble) any information sent back and forth between the client and the AP.
Step 4 of 4 = The client (being courteous) responds to the AP letting it know that it received the secret key.
The researcher has figured out how to capture and resend the secret key multiple times. If the attackers send it in a certain way, they can crack the key and gain access to the information inside that was previously safe and encrypted…the KRACK attack.
WHAT DEVICES ARE POSSIBLY AFFECTED?
Any device that connects to a wireless network.
IS MY WINDOWS COMPUTER AT RISK?
You SHOULD be okay, but ONLY if you downloaded and installed the update Microsoft released on October 10th.
IS MY LINUX COMPUTER AT RISK?
IS MY ROUTER VULNERABLE?
Yes. Check to see if the company that made your router will be coming out with a firmware update soon.
IS MY ANDROID OR IPHONE AT RISK?
Yes. iPhones are safer than Android when it comes to KRACK, but are still vulnerable.
HOW TO PROTECT YOURSELF?
Don’t use Wi-Fi until there is an update for your devices and you have applied the updates. I know, not likely.
Update all of your devices and keep them updated.
Use a wired instead of a wireless connection when possible.
Use secure sites. When you see HTTPS those sites are using encryption. Do not use sites when you only see HTTP in the website address.
Use a VPN. DO NOT USE A FREE VPN. Too many free VPN companies may be after your data. They have to make money somehow.
The good news is the attacker has to be in range of your network in order for this attack to be successful.