/ Published in Woo on Tech

Special Bulletin: Critical Vulnerability Found in Core Wi-Fi Protocol

Researchers released findings today on a critical vulnerability in the way devices using WiFi authenticate themselves with WiFi access points and routers. The exploit that takes advantage of this vulnerability is known as a Key Reinstallation AttaCK, or “KRACK” for short. Unfortunately for all of us, this vulnerability is actually found in a core protocol that is used just about everywhere, especially public WiFi hotspots.

DO NOT USE PUBLIC WIFI WHEN WORKING WITH SENSITIVE DATA

This has always been our advice to everyone – public WiFi networks are inherently insecure because it is impossible to control who is using the network, but this vulnerability adds to the growing pile of reasons to avoid using public WiFi unless you have no other alternative. Your office and home networks are only slightly more secure in that you have a marginal amount of control over who has physical access to the network, just by virtue of signal strength versus controlled space, but WiFi does travel through walls and over fence lines, so it’s still possible someone could be physically close enough to exploit this flaw without you ever seeing them.

Websites and applications that communicate via HTTPS and the use of a VPN will protect you from snooping, but won’t prevent someone from actually piggy-backing onto your data connection and sniffing all the unencrypted traffic, which can include many mobile apps and regular websites that don’t use HTTPS. For much better security, wired networks are still superior and are completely unaffected by this particular flaw.

The (somewhat) Good News:
  • This exploit has not yet been seen in the wild, and it does rely on someone being physically close enough to you to start the attack.
  • In any instance when either the provider or receiver are patched to fix this loophole, this exploit will not work.
The devices that are vulnerable to this flaw:
  • Android 6.0 devices and newer, which are just about all current and previous generation phones and tablets.
  • Any routers or firewalls with built-in WiFi
  • Just about all consumer-grade WiFi access points
  • Unpatched computers with WiFi capabilities
  • Home automation devices that rely on WiFi for control (Nest thermostats, Ring doorbells, etc.)
  • WiFi connected cameras

It may be days or even weeks before this vulnerability is patched on mobile devices, and in the case of some older phones and tablets, this vulnerability may never be patched if the manufacturer has abandoned support for that particular model. Windows 10, 8 and 7 have already been patched. Apple has a patch in beta right now for most of its late model devices and OS X, and most variants of Linux are already distributing patches for this hole. Firmware updates for higher-end, late-model routers and access points are likely to happen, but it will vary greatly by manufacturer and age of device, and it’s still too soon to tell when or if automation and security devices will be patched.

Image Courtesy of Stuart Miles at FreeDigitalPhotos.net

What you can read next

2-Factor Security
Apple adds 2-factor Authentication to AppleID
Driverless Pizza Delivery? Yes, please!
Google changing mobile search
Mobilegeddon could impact your website traffic

Leave a Reply

Your email address will not be published.