Many individuals and many organizations treat their router and WiFi network as a security perimeter. “The hostile world is outside. The warm, friendly, safe world is here, on our side of the fence.” The result is relaxed security inside the fence—printers anyone can talk to, media players with no passwords, open file sharing. Not to mention all the insecure IoT devices that may be on their network. The new KRACK Wifi exploit allows attackers to blow past Wifi's built-in security.
Researchers have found a fundamental flaw in the security mechanisms of WiFi. The KRACK vulnerability—nuts and bolts described here—allows malicious actors to access a WiFi network without the password or key, observe what connected devices are doing, modify the traffic amongst them, and tamper with the responses the network’s users receive. Everyone and anything using WiFi is at risk. Computers, phones, tablets, gadgets, things. All of it. This isn’t just a flaw in the way vendors have implemented WiFi. No. It’s a bug in the specification itself.
But don’t panic. There’s no need to burn your WiFi router or wrap your devices in tinfoil because KRACK can’t break HTTPS. The weaknesses that make a WiFi network vulnerable are made irrelevant when communications over the Hypertext Transfer Protocol are encrypted by Transport Layer Security, which, right now, means that you can safely access about 50% of the world’s websites. Even on a compromised network.
However, the Internet isn’t exclusively web browsing, and there’s a lot of activity that HTTPS can’t protect. For example, HTTPS can’t protect the infrastructure that keeps the Internet alive and accessible to people around the world. Things like time syncing, domain name resolution, routing, and network management. It also can’t shield activities like file sharing, email, remote login and remote control. Linux installations using wpa_supplicant 2.3 – 2.6 and Android devices using a variant of it (Android 6.x—roughly ⅓ of all Android installations) are especially vulnerable. Their reaction to it is even worse than most.
And keep in mind that this is not an attack that can be executed remotely. Attackers need to be within range of your network. So in densely populated areas, you may not be personally targeted, but you could be caught out by someone sifting through the neighborhood traffic. And WiFi services offered at work, at the gym, at your favourite cafe, at the airport? All potentially compromised.
Best Case Scenario
Keep going on like you’ve been going on. Nothing changes. No one bothers to attack your home network, and no one bothers to attack the sweet, sweet honeypots that are large public WiFi networks.
Worst Case Scenario
Many individuals and many organizations treat their router and WiFi network as a security perimeter. “The hostile world is outside. The warm, friendly, safe world is here, on our side of the fence.” The result is relaxed security inside the fence—printers anyone can talk to, media players with no passwords, open file sharing. Not to mention all the insecure IoT devices that may be on their network.
For an individual, the worst case scenario is that intruders get inside your own personal security perimeter and are able to access personal information, print jobs, email, and media; are able to capture passwords. An intruder might be able to plant malware in insecure IoT devices. They may be able to leverage vulnerabilities in your device’s software and plant malware directly onto your computers or phones or tablets. And this malware may include keyloggers and other software that can circumvent HTTPS and read and corrupt your files.
The fun doesn’t stop there: IoT malware can turn your personal worst case scenario into a global nightmare. Infected devices and computers on your network can be turned against fragile parts of the Internet infrastructure, forcibly recruited in the attempt to bring down the domain name system, routers, time servers, or other vital parts of the Internet, just as the Mirai Botnet did.
“So WTF Do I Do?”
Update your software. ASAP.
Update every single computer, phone, tablet and device on your network. Any devices running older software will remain vulnerable when connected to a WiFi network—whether it’s your own network or someone else’s. Yes, this is a bug in the specification, but there are ways to mitigate it via software, and major vendors are already releasing fixes:
- Microsoft already addressed the problem in a Windows Update issued on October 10, 2017.
- Apple already has a fix in their beta versions of iOS 11.1, watchOS, tvOS and macOS 10.13.1, but has not announced a release date for the final versions.
- Google will release an Android update fixing the problem on November 6, 2017. People with Google-branded Android phones—Nexus and Pixel phones—should see this fix right away. Other Android device owners are at the mercy of their phone’s manufacturer and cellular provider and may never see the fix.
- Many Wifi access point vendors have already issued updates. You should install these promptly. However, updating your access point will not protect other devices on your network.
Security Is An Onion
Because enhanced security is often at odds with usability, we tend to treat what’s on our side of the firewall in a relaxed way. We let our hair down and refuse to let security concerns prevent ease of use. Of course, this approach undoes us if an attacker gets past the security perimeter.
Do you have a safe or lockbox in your home, even though you lock your door? We often use multiple layers of security as backups in case a layer fails or is compromised. In the online world, each element—whether it’s network infrastructure, a web connection, an email, a login—should have its own protections, independent of anything else. That way, when one or more layers of the security onion fail, you still have other layers to protect you.
But don’t be fooled into thinking that security is all or nothing. Sure, it’s easy to feel overwhelmed with all the bad security news. It feels like every few weeks some fatal bug is found and now everything is insecure. Some people feel that, because they don’t have perfect security, they should just give up. If there’s one vulnerability then they’re screwed—even some technically astute people who should know better take this attitude.
In reality, all attacks aren’t equally likely. Some attacks cost a lot or are very difficult to carry out. Other attacks are very easy or very cheap. Some attacks can only be carried out with personal information about their target; others are effective on large groups of anonymous targets. Some attacks are happening around you constantly, invisibly—you’re immune because they can’t reach you or you’re not running vulnerable software.
Think about how secure you are on a spectrum, rather than using the false dichotomy of “secure” or “insecure”. You can lose a few layers of your security onion and still be unlikely to be successfully attacked. That is, if you actually use the security that’s available to you.
Security Only Works When You Use It
The computers, devices, apps and online services that you use all have a variety of built-in security mechanisms. Use them.
- Update your computers, phones and tablets—all the time, not just for this incident. I understand that this can be risky and painful. I find many people who are several versions behind on their software updates. And sometimes updating your software to fix a security issue may bring big changes you didn’t want (I’m looking at you here, Apple—leaving people no choice but to update to the latest major version of iOS and never patching older major versions forces many people to choose to forgo updates). But. Keeping your software up to date is one of the most effective ways to protect yourself. That Windows fix that Microsoft did a great job getting out there isn’t going to help you if you don’t install it.
- Use HTTPS whenever possible. Use the browser extension HTTPS Everywhere. HTTPS will protect your web browsing from eavesdropping and manipulation.
- Use multi-factor authentication on every account that you can. A physical token or an app is better than an SMS/text message second factor, but SMS is still better than no second factor.
- Use a VPN when you’re on a public network. While VPNs are by no means a perfect security mechanism—they trade off concerns about privacy with your ISP for concerns about privacy with your VPN provider—they will protect your traffic from snooping on a public network. So while they will not give you perfect privacy—and after all, there is no perfect security—they will up the difficulty, and thus reduce the likelihood, of someone eavesdropping on you.
- Update your devices. If you have IoT devices on your network—smart lights, thermostats, garage door openers, ceiling fans, unfortunate refrigerators with sad tablets embedded in them… whatever they may be—make sure their firmware is updated. Some devices are smart enough to silently update themselves. Unfortunately, many devices give you no notification that they have an update available. The only way to find out may be to open the device’s app and check for an update. Do that until you get one. If you don’t see updates available promptly, contact the device’s vendor and demand to know when they’ll fix this vulnerability.
What The Future Holds
KRACK isn’t an attack that script kiddies using attack packages off Github would come up with, though it’s possible to package KRACK up so that they could use it. It’s actually very sophisticated. As its author points out, the part of the WiFi protocol specification that it attacks has been proven correct—KRACK succeeds because it attacks assumptions the protocol makes.
While we’re still seeing plenty of simple attacks—devices shipped with default logins that never get changed, simple buffer overflows, weak protocols, incorrect SSL/TLS implementations—we’re also seeing new, sophisticated attacks which take advantage of deep technical implementation and design details. These are attacks that are based on the timing of electrical signals in chips, on overflow vulnerabilities in WiFi chipsets rather than software running on a CPU, timing attacks on crypto protocols.
These classes of vulnerabilities have been under an umbrella that gave us some protection because they required deep technical knowledge to discover and exploit. There are relatively few people out there who are competent enough to guess at vulnerabilities in chipsets, and there are much easier ways to break into a system. But we’ll be seeing more of this type of vulnerability in the future. The shadowy underpinnings of the technology we depend on are ripe for exploitation: they’ve had the chance to be examined by very few eyes at this point.
Often specifications are behind an expensive paywall—some can cost thousands of dollars to get access to. Few people will have had a chance to examine, comment and contribute to them. On the other hand, open specifications—like those IP layer and higher Internet technologies are built upon—have benefited from an open process where many minds have been able to analyze and contribute to them.
So, I expect to see more major vulnerabilities in WiFi chipsets, and especially Bluetooth, Zigbee and Z-Wave as more people start to crack them open and see how they work. As attackers peer deeper into the technology stack that the networked world is built on they’ll find more sophisticated, exotic and difficult to remedy vulnerabilities that have until then stayed hidden in shadow.
In the meantime, you can help yourself by taking security seriously: apply updates and use the security mechanisms you have available to you. Avoid single points of failure and armor yourself in as many layers of security as you can.