The field of IT security is always very exciting. A big news that came out yesterday is about Krack. Not the drug “crack”, but Krack, the name of of the new vulnerability in the secure Wi-Fi you’ve been using and, I suppose, assumed was secure. Well, it’s cracked and no more secure. Here’s what you need to know.
The WPA2 which you’ve learnt to always use all the time every time you need Wi-Fi has a critical flaw. Security researcher Mathy Vanhoef revealed that WPA2 could be exploited to read and steal data, and in some cases, even manipulate and inject new data. This makes WPA2 no better than an open, unencrypted Wi-Fi connection. There’s much news coverage on Krack, but if you need some suggestions, try this article on The Verge.
This is a huge discovery because it is a flaw in the WPA2 protocol itself. It is not an implementation error like, for example, in the case of SSL Heartbleed. In other words, any implementation of WPA2, if it had been correctly done according to the WPA2 protocol standard, will be vulnerable. This pretty much means just about everything Wi-Fi is now vulnerable. Your phone, your tablet, your notebook, your broadband router, your enterprise Wi-Fi, they are likely all vulnerable. For now, you should just assume your Wi-Fi is as bad as an open, unencrypted, network.
Vendors are scrambling to come up with fixes. Here are some important ones to take note:
- Apple says they’ve fixed the vulnerability in beta versions of iOS, tvOS, watchOS, and macOS. It’s the beta only. The public general release to consumers will come out soon, but I don’t know if that is soon enough.
- Microsoft, interestingly, has already fixed the vulnerability in supported version of Windows. Apparently Windows updates released on 10th October had addressed this problem.
- Android, sadly, is problematic. The Krack vulnerability affects Android, along with Linux, particularly badly. Worse, even Google will only have a fix, and only for Pixel devices initially, in the November security update. I honestly expected Google to be more expedient on this matter.
Then, of course, there’s a whole lot of other consumer routers out there, I suspect fixes for which might not be coming so quickly, if at all. Tough luck there, especially if you have older gear.
Good thing for me that MikroTik is proactive in dealing with Krack.
Enterprise users are not safe. To be clear, WPA2 Enterprise is impacted by Krack too, so the ordinarily more secure 802.1X based enterprise authentication isn’t safe from this vulnerability.
What can you, as an end-user, do right now? If you can’t fix your client and Wi-Fi access point, then:
- Treat all Wi-Fi, even if WPA2 secured, as open and unencrypted networks.
- Depend on security in other layers, such as HTTPS instead of HTTP, and SMTPS/SMTP+STARTTLS instead of SMTP.
- Use VPN.
After that, look out for fixes for every devie you have.