The Global Wi-Fi KRACK Vulnerability Affects Everyone

Posted on 19/10/2017 by Sinclair Wilson in Scam & Security Alerts

But what does it mean for you and how can you protect yourself?

The Threat:

This month a Belgian Cyber security research group has published details of a previously unknown vulnerability in the Wi-Fi Protected Access (WPA2) protocol used to encrypt and secure data transfers in most Wi-Fi networks around the world.

This vulnerability effectively allows an attacker, who is running the right software and physically within range of their target network, to bypass a Wi-Fi network’s encryption and read and record all data transferred between all devices connected to it.

While thankfully, this does not allow the attacker to gain access to any of the devices connected to the network, it does allow them recreated unencrypted data being sent to/ from devices into its original form (e.g. emails, files, website logons, the cat picture you are uploading to social media, etc…)

Wait, I thought you said the attacker could bypass encryption!?

They can!.. and they can’t!.. it’s complicated… and very heavy on technobabble about protocol stacks, network layers vs Internet layers and… well… suffice is to say:

The attacker may be able to break your Wi-Fi network’s encryption, but that does not mean they can break the encryption between your computer and the website or email server it is connected to. The trouble is knowing if these individual connections are in fact encrypted. Unless you know how to check this yourself, or are told by an expert that a particular site/ service is safe, my recommendation would be to not assume that they are.

So what do I do? Turn everything off and take that digital detox I’ve been talking about?

Well if you can go without Netflix for the next few weeks all the more power to you. I know I can’t, so I’ll be leaving my home Wi-Fi on. Before you call me crazy, remember an attacker must be “within physical range of their target network”. Your home Wi-Fi just isn’t worth the effort.

All you really need to do is avoid connecting to public Wi-Fi for the next 3-4 weeks.
These include Wi-Fi networks in:

  • Cafes
  • Fast Food Restaurants
  • Shopping Centres
  • Pubs and Clubs
  • Motels
  • Airports
  • Metropolitan Centres

In 3-4 weeks even the slowest manufacturers will have released updates to fix the vulnerability and IT departments will have had a chance to install them on affected devices.

Update early, update often:

Your personal devices such as smartphones, tablets, laptops and even your modem router also need updating if you want to be protected from this vulnerability. Your phones, tablets and laptops should take care of themselves. Just make sure you do not defer any updates for the next few weeks.

Your home router may be a different story. Depending on its make, model and age there may or may not be an update released for it and even if there is, it is unlikely to be an automatic process. I would recommend contacting your Internet Service Provider as a starting point to find out what is required.

It’s all about trust:

The manufacturers will have released their updates and every business large enough to have a dedicated IT department will have updated their devices in 3-4 weeks. However, the truth is only just over 50% of devices are updated regularly and completely.

Moving forward over the next few months, possibly even the next few years, the question you will need to ask yourself before connecting to a someone else’s Wi-Fi is “have they updated?”.

Because if they have not it does not matter if you have. You will be back at risk.