The WPA2 security issue: Time to un-KRACK your WIFI – Updated Nov. 2017
Meanwhile, all of the bigger smartphone vendors have provided a patch for this vulnerability. In October, Microsoft and Apple removed the KRACK vulnerability in their systems. A few days ago, Google followed with the patch for Android. The update is called “2017-11-06” and you should be able to find it in your “Android security patch level” overview. For an overview of which vendors have provided a solution for their systems, go to Bleepingcomputer.com.
KRACK headlines are everywhere – all WiFi communication is at risk now that a researcher has figured out how to bypass WPA2 – the world’s most popular encryption algorithm.
The problem is huge – hitting essentially all devices using Wi-Fi Protected Access 2 (known as WPA2) for their WiFi connections – that means PCs, Apple devices, Android phones, WiFi routers, and those Linux-powered smart devices. In short, just about everyone using WiFi.
KRACK (or Key Reinstallation Attack) enables a hacker to bump users off an encrypted HTTPS WiFi connection and push them over to a malicious cloned network. Once you are on this new and unencrypted HTTP connection, the green padlock icon vanishes and the Man-in-the-Middle attacker can see all of your activities, read credentials and passwords, and even change the message content.
The way it works is by upsetting the 4-way handshake between your device and the WiFi access point. Instead of confirming that both parties have what they need for encrypted communication, it forces them to go without encryption – and then moves you over to the cloned connection, giving the hacker open access to your newly unsecured communication.
How insecure are you?
If you are using a WiFi for connecting to the internet, you are vulnerable. KRACK zeros in on the WPA2 encryption algorithm – the gold standard when it comes to WiFi encryption – which is almost certainly used on your home router.
The scope of vulnerable devices is mindblowing. Even if you have patched your PC (Windows has already rolled out the patch) your Apple and Android devices are at risk – and you are especially at risk on WiFi networks where the routers may not be fully patched. If you are not using a VPN – you should start now.
What is a VPN
VPN stands for Virtual Private Network and it is your best hope for having secure communication over unsecured networks – as in nearly all WiFi networks right now.
A VPN puts all of your data packets – encrypted or not – in its own secure encrypted envelope for certified sending and delivery. Even if there is a Man-in-the-Middle trying to sniff out your activities at the local café, they can’t get into this envelop and read these encrypted messages.
A full-fledged VPN such as Avira’s Phantom VPN does full data packet encryption. Some proxy VPNs – particularly those for Android devices – just add a forwarding address to the data packets that help them get around some geo-fencing restrictions. They do nothing towards encrypting your online activities – the real purpose of a VPN.
Treat your home WiFi like a Free WiFi
A VPN is a security essential when using unsecured public networks like the local café. As a result of KRACK, you need to treat your home WiFi like a public free WiFi network where you assume all connections are being read and no sensitive data should be sent. Yes, until you know that your router and all connected devices have been patched, you should get a VPN for your home use and configure it so that it is automatically connected every time you go online.
How patched is everything?
The good news with KRACK that patches are being worked on – and may already be available. Microsoft has already pushed out patches to its users with automatic updates. Apple and Google are working on patches for their respective operating systems. Timing is an issue as the next Google update of Android is scheduled for November 6 – but it may be months before this is pushed out by individual manufacturers. This unsteady rollout illustrates why a Software Updater – where patches are automatically compiled and pushed out to the end user – is such a great thing.