Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.
The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.
Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.
The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.
There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.
Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.
Use caution with unpatched devices
If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.
IoT devices may remain vulnerable forever
‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.
Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.
References
- KRACK Vulnerability: What You Need To Know | Electronic Frontier Foundation
- What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security
- List of Firmware & Driver Updates for KRACK WPA2 Vulnerability
- Everything you need to know about KRACK, the WPA2 Wi-Fi vulnerability | Android Central
- How the KRACK attack destroys nearly all Wi-Fi security | Ars Technica