Are you vulnerable to a KRACK Attack?

A security vulnerability in ALL wireless WPA2 connections was recently discovered. What should you do?

Cupped hand to ear“KRACK” stands for “Key Reinstallation AttaCK“. Talking of a “KRACK Attack” is, therefore, tautological, but my pedantry doesn’t clarify anything. What it means is that a fault has been discovered in the way that two devices establish communication wirelessly (known as the “handshake”) which it is theoretically possible for someone to exploit so that they can intercept traffic passing along that wireless connection. The vulnerability was discovered by Mathy Vanhoef. He explains it on the Krackattacks website.

This is, of course, potentially very serious. The best wifi password in the world won’t protect against this vulnerability. So, let’s start with the good news: before this vulnerability had started hitting headlines, Microsoft had already patched Windows so that Windows 7, 8, and 10 users are already protected. They didn’t tell us at the time because they didn’t want to alert all the bad people out there of the problem before operating system manufacturers and router manufacturers had had the chance to close the loophole. As I write this (06/11/2017), I haven’t yet found any assurances from Apple or Google that the software for Macs, iPhones, iPads, or Android devices has been similarly patched.

KRACK logo
Yes, the KRACK vulnerability has its own logo!
Microsoft assure us that Window is now safe even if used with a router whose own firmware is still un-updated (since the problem concerns how two device communicate with each other, it appears that a vulnerability at either end can be a potential problem) . Clearly, if you use a Mac and are looking for complete protection before Apple say they have fixed it from their end (ie the operating system), then it would be a good idea to see if your router manufacturer has issued a firmware update covering the vulnerability.

I wish you good luck in that quest, though. I checked my own router’s firmware (it’s an Asus router) and found that a firmware update was, indeed, available. I installed it and hope that that means I’m now covered from that end. However, I couldn’t find any information from Asus that said that that specific firmware update includes protection against this specific vulnerability. Not entirely satisfactory. You may have more luck, though. I did find a list of router manufacturers who claim to have fixed the problem in their latest firmware.

Microsoft logo

Microsoft were quick off the mark in patching Windows 7,8, and 10

So, you may or may not have been able to update the firmware in your router. What else can you do before you’ve been re-assured by Apple and/or Google that your software has been patched?

  • This vulnerability only affects wifi connections. If you can connect your computer to your router by an ethernet cable then the problem disappears.
  • As far as mobile phones are concerned (and maybe tablets as well), if you turn the wifi connection off and connect to the internet using your data plan then the problem disappears (but it’s worth being aware of how much data you can transfer this way within your plan).
  • A wifi connection is safe if you are connecting to a “secure” web page. A secure web page begins with “https” (instead of “http”). In this case, the problem disappears as all traffic between yourself and the web page is encrypted.
  • Some social networks, such as Facebook, can take you between secure web pages and insecure ones. To ensure that all of your pages are secured on such sites, go to settings and look for an option that lets you turn on “secure web browsing” or similar.
  • A wifi connection is also safe if you connect to the internet using a VPN (Virtual Private Network). See my recent blog post “What is a VPN and do you need one?

And if you are still using Windows XP or Vista, maybe this is another wakeup call!