Zit Seng's Blog

The Krack Meltdown

The field of IT security is always very exciting. Big news that came out yesterday is about Krack. Not the drug “crack”, but Krack, the name of the new vulnerability in the secure Wi-Fi you’ve been using and, I suppose, assumed was secure. Well, it’s cracked and no longer secure. Here’s what you need to know.

WPA2, which you’ve learnt to always use whenever you need Wi-Fi, has a critical flaw. Security researcher Mathy Vanhoef revealed that WPA2 could be exploited to read and steal data, and in some cases, even manipulate and inject new data. This makes WPA2 no better than an open, unencrypted Wi-Fi connection. There’s much news coverage on Krack, but if you need a suggestion, try this article on The Verge.

This is a huge discovery because it is a flaw in the WPA2 protocol itself. It is not an implementation error like, for example, SSL Heartbleed. In other words, any implementation of WPA2, if it had been done correctly according to the WPA2 protocol standard, will be vulnerable. This pretty much means just about everything Wi-Fi is now vulnerable. Your phone, your tablet, your notebook, your broadband router, your enterprise Wi-Fi: they are likely all vulnerable. For now, you should just assume your Wi-Fi is as bad as an open, unencrypted network.

Vendors are scrambling to come up with fixes. Here are some important ones to take note of:

Then, of course, there’s a whole lot of other consumer routers out there, and I suspect fixes for them might not be coming so quickly, if at all. Tough luck there, especially if you have older gear.

Good thing for me that MikroTik is proactive in dealing with Krack.

Enterprise users are not safe either. To be clear, WPA2 Enterprise is impacted by Krack too, so the ordinarily more secure 802.1X-based enterprise authentication isn’t safe from this vulnerability.

What can you, as an end-user, do right now? If you can’t fix your client and Wi-Fi access point, then:

After that, look out for fixes for every device you have.
