Another day, another scary-sounding widespread cybersecurity vulnerability in the news. This time, it’s about WiFi—specifically, the WPA2 encryption protocol that practically everyone uses. As Ars Technica reported, Key Reinstallation Attacks—or KRACK—let attackers intercept data between your device and a WiFi router, including emails, passwords, personal information and anything else you’d transmit over the supposedly secure WPA2 connection.
So, how worried should you be? And what should you do? Here’s what we know right now.
How to Secure Your Devices Against the KRACK WPA2 Vulnerability
First, some good news: unlike WannaCrypt and Petya ransomware attacks, KRACK is only a proof-of-concept attack. There haven’t been any reported cases of this vulnerability being exploited on a widespread basis. That being said, the vulnerability does exist. Here are some highlights.
- KRACK vulnerabilities affect all devices that use WPA2, regardless of the platform. This includes Windows, macOS, tvOS, Android, iOS, and Linux devices: your computers, tablets, laptops, smartphones, internet-of-things devices, streaming set-top boxes, etc. The vulnerability is focused on the clients and not the routers.
- Attackers must be within WiFi range. This is the next best news. This isn’t something that’s going to infect you over the internet or from a shady email link. An attacker has to be within physical WiFi range to exploit the vulnerability. This means parked outside your house, camped out in your company’s server room, or sitting next to you in a coffee shop.
- Microsoft has already patched Windows 10. Microsoft’s October 10 Windows 10 cumulative update included a fix for the KRACK vulnerability, but they didn’t disclose it at the time. If you stay up to date with your Windows patches, then you’re good on that device.
- UPDATE: Apple fixed this in iOS 11.1. The first point update to iOS 11 for the iPhone, iPod Touch, and iPad fixes the KRACK vulnerability. This was included in the beta of the iOS update, but it wasn’t rolled out until October 2017 in iOS 11.1.
- Linux and Android devices remain vulnerable. Be on the lookout for software updates for your Android and Linux devices and install them as soon as they are available.
- What about wireless routers? WPA2 is a protocol between your device and your wireless router. So, the obvious question should be: when are wireless routers going to be fixed? WiFi routers—be it a Netgear, Linksys, Cisco, ASUS, TP-Link or whatever—will need firmware updates to fix this issue. Developers are working on these fixes, but few if any are available right now. You can check for firmware updates on your router’s setup page. See our articles on updating ASUS router firmware and Cisco Linksys router firmware for examples.
- Changing your WiFi password won’t help. Although you may want to change your password once your devices are all patched, doing so now won’t protect you. The WPA2 vulnerability that KRACK exploits makes your password irrelevant.
- WEP is still worse than WPA2. The vulnerabilities of WEP are widely known, and the researchers who found the KRACK vulnerability say you should NOT use WEP instead of WPA2, even in light of KRACK.
That’s about all the information there is now. For the latest and best information, I’d check out krackattacks.com, which is the official site of the researchers who found KRACK (and got to name it apparently—good for them!). If you have any news about KRACK or any other vulnerability, be sure to share it with your fellow readers in the comments.