Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.
Since the WPA2 standard became available in 2004, this was the recommended setup for wireless area networks everywhere -- and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. Like most things, as secure as WPA2 was believed to be, it was only ever as strong as your password or any vulnerabilities discovered in its security.
Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.
A(which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user's device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.
The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it's not the access point that's vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.
The website demonstrating the proof-of-concept states, "Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks." That said, most current versions of Windows and and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.
Editor's note: Originally published Oct. 16, 2017, this article has been updated to include new vendors with security patches for the WPA2 exploit.
What you can do
So what can you do right now?
Keep using the WPA2 protocol for your networks. It still the most secure option available for most wireless networks.
Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. that it "will be patching any affected devices in the coming weeks." Patches for Linux's hostapd and WPA Supplicant are also available.
Changing your passwords won't help. It never hurts to create more secure password, but this attack circumvents the password altogether, so it won't help.
Know that a KRACK is mostly a local vulnerability -- attackers need to be within range of a wireless network. That doesn't mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You're more likely to run into this attack on a public network. For more, read our.
Available updates so far
The good news is that with such a dangerous vulnerability, companies have been quick to patch their software. Here's a list of all the companies that have released security patches or information so far:
- Apple has already created a patch for the exploit in betas for iOS, MacOS, WatchOS and TVOS.
- Aruba has patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software.
- Cisco has already released patches for the exploit for some devices, but is currently investigating whether more need to be updated.
- Expressif Systems released software fixes for its chipsets, starting with ESP-IDF, ESP8266 and ESP32.
- Fortinet says FortiAP 5.6.1 is no longer vulnerable to the exploit, but version 5.4.3 may still be.
- FreeBSD Project is currently working on a patch.
- Google will be .
- HostAP has released a software fix for the exploit.
- Intel released an advisory as well as updates for affected devices.
- LEDE/OpenWRT now has a patch available for download.
- Linux already has software fixes and Debian builds can already be updated, as well as Ubuntu and Gentoo.
- Netgear has updated some of its routers. You can check for and download updates here.
- Microsoft released a .
- MicroTik RouterOS version 6.93.3, 6.40.4 and 6.41rc are not affected by the exploit.
- OpenBSD access points are unaffected, but a patch for clients has been released.
- Ubiquiti Networks released a firmware update, version 220.127.116.1137, to patch the vulnerability.
- Wi-Fi Alliance now requires testing for the vulnerability and provides a detection tool for Wi-Fi Alliance members.
- WatchGuard released patches for Fireware OS, WatchGuard access points and WatchGuard Wi-Fi Cloud.
A list of vendors that have patched the vulnerability can be found on the CERT website, though the site appears to be under heavy traffic.
More important KRACK facts
Fortunately, there are a few comforting thoughts:
- The Wi-Fi Alliance stated it now "requires testing for this vulnerability within our global certification lab network," which is promising for for any new devices headed to shelves. It's also providing a vulnerability detection tool for Wi-Fi Alliance members to test their products with.
- Using a virtual private network (VPN) will encrypt all your internet traffic and could protect you from such an attack. Not to mention, if you care about your online privacy or security anyway.
- Strictly using sites that use HTTPS can help protect you against KRACK, but HTTPS isn't totally impervious either.
This is a developing story. Check back for additional tips as we have them.
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping (ZDNet): KRACK is a total breakdown of the WPA2 security protocol.
Here is every patch for KRACK Wi-Fi attack available right now (ZDNet): Vendors are reacting swiftly to an exploit that lets attackers eavesdrop on your network traffic.