KRACK WiFi Bug: What You Need to Know
In light of the recent news about the KRACK vulnerability, here’s a bit more information.
Executive summary: yes, there is a flaw in WiFi security that affects almost all wireless networks and devices, but it’s not as bad as it sounds.
tl;dr: Keep calm and install updates.
What is KRACK?
KRACK is the name given to a vulnerability present in WPA2, which is the world’s standard WiFi security protocol. This protocol has been what almost every manufacturer recommends that we use for many years now. It is in use in most WiFi routers, whether you buy one off the shelf, through your IT supplier, or the free one that comes with your home broadband.
Am I affected?
Most probably, yes. The vulnerability exists in the protocol itself, so isn’t limited to a particular brand of WiFi router or laptop or mobile device. The scope is very broad, but affects Linux and Android devices more than Microsoft of Apple devices. The reason for this is that most Linux and Android devices have implemented the protocol more strictly, whereas Microsoft and Apple have tweaked their implementations.
That said, the only way someone can (currently) exploit the vulnerability is to use specialised equipment to target you when they are within WiFi range of you. Currently there is no readily available ‘exploit kit’, so the attacker would have to write the tools themselves. This puts it out of reach of the vast majority of would-be attackers. It also makes your private network a less likely target.
What should I do?
Ensure your systems are fully up to date. The attack is generally targeted at client devices and most manufacturers were notified several months ago and have issued updates to address this issue.
In the meantime, try and avoid using large, busy public WiFi networks which could be tempting targets for attackers.
Ensure you use secure protocols wherever possible. This means using secure (HTTPS) websites, VPNs etc. This way, even if someone intercepts your data, it is protected by another layer of encryption which is – as far as we know – secure.