IAS Security Hero

What am I doing about the Krack Wi-Fi attack?

What's the Krack Wi-Fi attack?

Krack stands for Key Reinstallation Attacks. It is an exploit against the WPA2 protocol that preys on an issue in the protocol itself. These are usually the worst kind of issues, because they affect every implementation, and everyone knows that you should be using WPA2 for Wi-Fi nowadays. WPA2 has two main modes, Enterprise and Personal. If you have to give your guests the password to the Wi-Fi in your house, you are using the Personal version. If everyone has to log in with their username and password, it is probably the Enterprise version. For the Personal version, there are two main security modes, TKIP and AES. It has been said that TKIP is an older, less secure protocol than AES, but Krack can affect them both. For WPA2-TKIP, it can replay, forge and decrypt packets. For WPA2-AES, it can replay and decrypt. This basically allows a malicious person who is in range of your Wi-Fi signal to listen in on your conversation and, in some circumstances, interject without your knowledge. This is bad news, indeed!

Don't Panic.

Although it is bad news, as always, don't panic. Remember, we are using defense in depth to help protect ourselves, right? Imagine that you were shipping an expensive lamp to your in-laws. You carefully wrap the lamp with bubble wrap and then put it into a box with packing peanuts. If the box gets damaged along the way, by rain or abuse, the lamp should be OK because of the layers you put it inside. In this case, you can consider that box as WPA2. Most sensitive connections on the network (like contacting your bank) are sent via TLS encryption. You can consider this the packing peanuts and bubble wrap. You see, although our box got a pretty big gash in the side, the contents within are still pretty well protected. It's not perfect, though, and there is still some traffic that isn't protected with TLS encryption. So, what should we do?

What can I do?

We've seen that this attack can be stopped with a simple patch to your computing device. Microsoft already released a patch for their operating systems. Apple is going to apply a fix in its next big release, OSX 10.13.1 and iOS 11.1. Linux kernel patches were also released in early October to fix the glitch. For all of these, simply letting your computer run its updates should fix the issue.

Wait, you didn't mention Android back there!

Uh oh. As an avid Android user, I always hate breaking bad news. Android has so many users across so many vendors that there isn't a standard way to update the devices that just works. If you purchased direct from Google, your device will receive the update during the normal update cycle in early November. For the other 98% of users out there, though, you are at the mercy of your manufacturer, and in many cases for phones, your mobile carrier. This is where I like to mention the budget I recommend people have to buy a new phone every two years...

Seriously, though, if you can't afford a new phone, what can you do? Well, for the technically savvy, you can install a new ROM on your aging Android device. LineageOS reports that they have patched their Android operating system for Krack and seem to support a wide range of devices. Of course, to do this, you need to unlock your phone, and if you bought it from a mobile phone carrier, good luck.

So, check with your carrier about getting updates. Complain, tell them that you won't buy another phone from them. If enough people complain, they might actually do something. For me, I'm going to recommend to my Android-wielding friends and family members to upgrade to a new device over the next year. Until then, refer to the Don't Panic section above.

Why not use a VPN?

A Virtual Private Network (VPN) is a private encrypted tunnel to another place. You could think of it like a small box to put our lamp inside before it goes into the larger box; it is just another layer of protection. There are several free and paid services out there, but you have to be careful which one to choose. If you have a VPN for your workplace, that is probably the safest bet. If you are technically savvy, you could set up a VPN in your own house. If you aren't, though, there are many options out there. Here is a comparison chart that helps you choose which one is best for you, and which to avoid.

What if I'm running WPA2 Enterprise for my company?

Look to see if you are using PeerKey, group key, or Fast BSS Transition (FT) handshake (802.11r). If you are, you should speak with your access point provider about patching your equipment. Otherwise, you could disable 802.11r, but then you lose all the awesomeness of roaming quickly between parts of the building while on that WhatsApp call.
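One way to check what your own access point advertises, as an added example that is not part of the original post: the script below parses the RSN information element (element ID 48) from a beacon and reports whether Fast BSS Transition key management or TKIP is offered. The function names and the two sample elements are constructed for illustration, and the check covers only the FT and TKIP cases, not PeerKey or the group key handshake.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"            # OUI used by standard 802.11 suite selectors
CIPHERS = {2: "TKIP", 4: "CCMP"}      # CCMP is the "AES" mode of WPA2
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT_AKMS = {"FT-802.1X", "FT-PSK"}     # key management that uses the FT handshake

def _name(selector, table):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if selector[:3] == IEEE_OUI and selector[3] in table:
        return table[selector[3]]
    return "unknown(" + selector.hex() + ")"

def _suite_list(body, off, table):
    """Read a little-endian count, then that many 4-byte selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    names = [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)]
    return names, end

def audit_rsn(ie):
    """Report ciphers and key management advertised in one RSN element."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element (ID 48)")
    body = ie[2:]
    group = _name(body[2:6], CIPHERS)          # bytes 0-1 are the version
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, _ = _suite_list(body, off, AKMS)
    return {
        "group": group, "pairwise": pairwise, "akms": akms,
        "ft_advertised": any(a in FT_AKMS for a in akms),
        "tkip_in_use": group == "TKIP" or "TKIP" in pairwise,
    }

# Constructed sample elements (not captured from a real network).
ENTERPRISE_FT = bytes.fromhex("30180100000fac040100000fac040200000fac01000fac030000")
PERSONAL_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for label, ie in (("enterprise+FT", ENTERPRISE_FT), ("personal mixed", PERSONAL_MIXED)):
        print(label, audit_rsn(ie))
```

If `ft_advertised` is true for your network, that is the 802.11r case to raise with your access point provider; `tkip_in_use` marks the configuration where forging is possible in addition to replay and decryption.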