This is an emergency post: normal* service will resume next week**.
So, over the past 48 hours or so, news of the KRACK vulnerability for Wifi has started spreading. This vulnerability makes is pretty trivially easy to snoop on information sent between a device (mobile phone, laptop, etc.) and a wifi router, in some cases allowing changes to that information. This is not a bug in code, but a mis-design in the crypto algorithm that’s used by the vast majority of Wifi connections: WPA2.
Some key facts:
- WPA2 personal and WPA2 enterprise are vulnerable
- the vulnerability is in the design of the code, not the implementation
- however, Linux and Android 6.0+ implementations (which use wpa_supplicant 2.4 or higher, are even more easily attacked)
- in order to correct this problem, BOTH the client AND the router must be patched.
- this means that it’s not good enough just to update your laptop, but also the router in your house, business, etc.
- Android phones typically take a long time to get patches (if at all)
- unless you have evidence to the contrary, assume that your phone is vulnerable
- many hotels, businesses, etc., rarely update or patch their routers
- assume that any wifi connection that you use from now on is vulnerable unless you know that it’s been patched
- you can continue to rely on VPNs
- you can continue to rely on website encryption***
- but remember that you may be betraying lots of metadata, including, of course, the address of the website that you’re visiting, to any snoopers
- the security of IoT devices is going to continue to be a problem
- unless their firmware can easily be patched, it’s difficult to believe that they will be safe
For my money, it’s worth investing in that VPN solution you were always promising yourself, and starting to accept the latency hit that it may cost you.
For more information in an easily readable form, I suggest heading over to The Register, which is pretty much always a good place to start.
For information in the initial publisher of this attack, visit https://www.krackattacks.com/.
*well, as normal as it ever was
***as much as you ever could before…
2 thoughts on “Stop reading, start patching”