KRACK Wi-Fi Attack is Whack
A security weakness has been discovered in the Wi-Fi protocol which allows attackers to intercept passwords and do much more damage. This weakness is being referred to as a KRACK attack (Key Reinstallation Attacks). KRACK works by targeting the four-way handshake that occurs when a device connects to Wi-Fi. KRACK tricks the vulnerable device into reinstalling an already-in-use key that the attacker has access to.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef, of the Katholieke Universiteit Leuven in Belgium wrote. “The attack works against all modern protected Wi-Fi networks.
Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
What Can Happen to Me?
KRACK attacks are not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be intercepted and decrypted. Depending on the device being used and the network setup, it is also possible to push data to the victim (e.g. changing the contents of a website). “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.
Can I Just Change My Wi-Fi Settings?
The exploit is being advertised as affecting WPA2, but this also includes WPA2-AES with WPA-TKIP and GCMP being even more vulnerable! So pretty much any type of Wi-Fi connection you have in your home or office is vulnerable until devices are patched.
How Scary Is KRACK?
As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point. This still makes the use of public Wi-Fi extremely dangerous until your devices are patched.
More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution, are likely already protected end-to-end by Secure Sockets Layer (SSL). This type of encryption is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”. But keep an eye out for the incorrect certificate warnings that you occasionally see while surfing the web. If you see one, close the website.
What Do I Do?
Hardware manufacturers were made aware of this issue a couple of weeks ago, so they’ve been working on patches and most of them already have updates available to fix this issue. If yours does not have the proper update available, you can try to mitigate attacks against routers and access points by disabling client functionality (which is, for example, used in repeater modes) and disabling 802.11r (fast roaming).
Steps to Take:
- Stay off Public Wi-Fi until your device is properly patched.
- Update the firmware for your router. If you’re not sure how, use a search engine to look up “how to update the firmware for my BRANDNAME HERE router”.
- Update ALL devices you own that connect to Wi-Fi. Update your phones first, then laptops, and then any additional Wi-Fi connected devices. Don’t forget gaming consoles, Echo & Dots, Dash buttons, iPods, smart Blu-Ray players, smart TVs, tablets, some kids toys, possibly even your fridge or washer/dryer, doorbells, etc. Everything that connects to the Internet in your home or office needs to be patched. Tip: After making a list of all our vulnerable devices, our family then changed our Wi-Fi password. This doesn’t fix the KRACK problem, but it stops our in home devices from being able to connect to Wi-Fi until we can get them all updated. Our kids also let us know immediately about the devices we had forgot since their precious devices were no longer connecting to the Internet.
- Finally, although an unpatched device can still connect to a patched access point (AP), and vice versa, both the client and AP must be patched to defend against all attacks!
- Once everything is updated this is a good time to update your Wi-Fi password as well. This is good practice anyways, and there is a chance it may have been intercepted.
How to Update Your Devices
Windows issued a patch on Tuesday October 10, 2017 that fixes the vulnerability in Windows. However even when patched, affected Windows systems may offload the vulnerability to installed Wi-Fi hardware. Windows users should also use Device Manager to update their Wi-Fi device drivers.
This effects Linux as well. The process of updating Linux varies by flavor. User friendly varieties such as Ubuntu and Mint come with a graphical “Update Manager” tool which automates the process. These also push notifications to the task bar when important updates are ready to be installed. If your version doesn’t come with a friendly tool like this, it can still be done using the command line. Linux utilizes a powerful “package manager” tool to manage and automate software updates from the web. Your particular package manager will vary depending on which type of Linux you’re using. If you don’t see your exact variety listed below, one of the other commands will most likely work just fine (doesn’t hurt to try them all). Keep in mind that some of these will prompt for a password:
sudo apt-get update && sudo apt-get upgrade
sudo aptitude update && sudo aptitude safe-upgrade
emerge -puv world
Note that currently 50% of Android devices are still vulnerable to this devastating variant of attack. You’ll want to use Google to find out how to update your particular Android device.
According to a report from AppleInsider citing anonymous sources at Apple, the patch to remove this hardware vulnerability was added to previous beta versions of iOS, tvOS, watchOS and macOS.
However, the site’s source noted that fixes for AirPort, Time Machine, AirPort Extreme Base Station and the AirPort Express have not been made available yet. Not coming out with a patch for its routers may not be a huge issue for Apple. In order to work, the KRACK Wi-Fi hack needs to take advantage of a vulnerable router and client device. If your iPhone, iPad or Mac is already patched, it doesn’t matter if your AirPort router is vulnerable.
Use the Settings > General > Software Update Feature to install the newest updates.
Amazon is still working on a fix for their Echo devices.
There are obviously thousands more devices out there that connect via Wi-Fi, it will take a very long time for the world to get up to date on this issue, and it’s likely that during that time many other exploits will be found. Our best advice here at Appletree is to keep a running list of your devices that connect to Wi-Fi so you can track them all down for updates when as soon as vulnerabilities such as this one are found.
For more information visit: KrackAttaks.com
Subscribe To Our E-Newsletter
The Great Phishing Scamdemic
Have you been noticing an abundance of suspicious looking emails flooding y…
Serious Risks to Consider When Socializing Distantly
In today’s crazy world of staying home instead of visiting friends, we’ve a…
Ten Tips on How to be Successful While Working From Home Dur
As a web developer of over 15 years, I’ve spent a lot of time working remot…
- Facebook Password Reset Scam!
- Social Media Copyright Issues: Fair Use or Infringement?
- Help Alexa and Siri Find Your Business During Voice Search
- UWUA – Utility Workers Union of America
- Scam Emails
- Why Is It Important To Know Who Owns Your Representative? One Example: Glass-Steagall
- Email Newsletters in the Digital Age
- 6-Pak Open
- Wind Walker Farms
- Chinese Government Holds Back Everyone’s Internet Freedom: A strong example of the problems this world... Chinese Government Holds Back Everyone’s Internet Freedom: A strong example of the problems this world faces with cyber censorship is what is going on in China. The government blocks many websites, searches, and software based on their content.
- EU-US Privacy Shield Still Not Protecting Your Privacy: Still collecting bulk data, problems with the... EU-US Privacy Shield Still Not Protecting Your Privacy: Still collecting bulk data, problems with the judicial redress act, and no true protection for businesses
- Copyright and Social Media: This has become a gray area. Almost everyone is guilty of... Copyright and Social Media: This has become a gray area. Almost everyone is guilty of sharing something on social media, whether it be Facebook, Twitter, or Pinterest, that was copyrighted and not yours to share. But what is fair to ...
- How Your Devices are Tracking you and How to Stop it: Apple, Microsoft, and Android How Your Devices are Tracking you and How to Stop it: Apple, Microsoft, and Android
- Being Safe while Downloading Apps: With how many apps are downloaded it is always a... Being Safe while Downloading Apps: With how many apps are downloaded it is always a good idea to stay safe while downloading. You must take precautions, learn where to download, and do your research.
- Why Labor Unions Need Member Data System: Many large organizations – specifically labor unions –... Why Labor Unions Need Member Data System: Many large organizations – specifically labor unions – struggle trying to keep their member data updated and accessible. Without a centralized database, the most up-to-date vital pieces of information often find their way ...
- Is Your Phone Keeping You up at Night? Our electronics tend to distract us from... Is Your Phone Keeping You up at Night? Our electronics tend to distract us from going to bed, disrupt our sleep with constant sounds, and hurt our health with their blue light.
- All About Browsers: With so many browsers out there including: Google Chrome, Mozilla Firefox, Opera,... All About Browsers: With so many browsers out there including: Google Chrome, Mozilla Firefox, Opera, and Safari, you may have a hard time choosing one. While all of them have their ups and downs you can choose one that will ...
- Mobile Sub-Site versus Responsive Web Design: In 2016, if your website is not mobile ready... Mobile Sub-Site versus Responsive Web Design: In 2016, if your website is not mobile ready you need to change that today. Two main ways to make your site mobile is to either have a mobile sub-site or a responsive web ...
- Do Not Track: Two members of congress filed a bill called the ‘Do Not Track... Do Not Track: Two members of congress filed a bill called the ‘Do Not Track Online Act of 2015’
- Website Tips for 2016: -Fresh Up to Date Modern Websites -Easy Navigation is Key -Website... Website Tips for 2016: -Fresh Up to Date Modern Websites -Easy Navigation is Key -Website Usability -Improve Your SEO -Social Media
- Where Technology and Christmas Come Together: Check out some of the ways you can enjoy... Where Technology and Christmas Come Together: Check out some of the ways you can enjoy the Christmas festive technology and how you can share some yourself.
- How to Stay Safe While Holiday Online Shopping: Learn where to shop online, how to... How to Stay Safe While Holiday Online Shopping: Learn where to shop online, how to be secure, and best practices to keep yourself safe.
- Newsletters in the Digital Age! In a digital age sending out electronic newsletters instead of... Newsletters in the Digital Age! In a digital age sending out electronic newsletters instead of paper newsletters has become much more popular. While deciding to do your newsletter does have its downsides the pros definitely outweigh the cons.
- Safe Harbor Ruled Invalid, How it Affects You: The European Union and the Unites States... Safe Harbor Ruled Invalid, How it Affects You: The European Union and the Unites States will be meeting on December 17th to create a new agreement for the Safe Harbor. They plan to conclude this agreement in January 2016.
- The Internet Helps in a Crisis: Everyone has heard about the recent Paris Attacks on... The Internet Helps in a Crisis: Everyone has heard about the recent Paris Attacks on November 13th many dead, wounded, or stranded. Many companies have made use of the Internet in a time of crisis to help those whom need ...
- Advertising Online for your Business: Advertising your business online can boost your sales and website... Advertising Online for your Business: Advertising your business online can boost your sales and website traffic if done the correct way. There are many different ways and places to advertise online
- Using Analytics for Your Business: Analytics is data analysis that usual involves taking past data... Using Analytics for Your Business: Analytics is data analysis that usual involves taking past data to find trends and effects or decisions or events. It can also compare old data with new data using a given tool or scenario.
- The NSA and Online Privacy: Many studies, cases, and documents show that the NSA is... The NSA and Online Privacy: Many studies, cases, and documents show that the NSA is spying on American citizens using online surveillance. As an American, this invades our Freedom of Speech and our Right to Privacy proving the NSA’s “Unconstitutional ...
- Learn About Scam Emails: Scam emails are a very popular and while most email services... Learn About Scam Emails: Scam emails are a very popular and while most email services have a spam sorting feature built in, not all will be sorted properly. Scams can look like they came from a friend, a business you ...
- Google Event, the Good and Bad: Google held their press event on Tuesday, September 19th... Google Event, the Good and Bad: Google held their press event on Tuesday, September 19th in San Francisco announcing many new products such as the Nexus 6P and 5X, the new Chromecast 2, Chromecast Audio, and the Pixel C. They ...
- Prevent Malware on your Smartphone: Different malware includes adware, bug, spyware, Trojan horse, virus, and... Prevent Malware on your Smartphone: Different malware includes adware, bug, spyware, Trojan horse, virus, and many more (Learn more about Malware types ) There are some signs that your phone is being attacked and many ways to prevent these attacks ...