The newly discovered WiFi exploit dubbed “KRACK” (or Key Reinstallation Attack) affects just about everyone using WPA2 security on their devices, which should be everyone using WiFi.
The attack exploits a flaw in the four-way handshake that devices use to negotiate and secure a connection. Ultimately it allows an attacker to gain unauthorised access to your network traffic, potentially exposing your credit card details, banking information, messages, personal data, emails and really anything on your storage.
All manufacturers’ devices are affected, as it’s a flaw in the standard itself; however, Microsoft and Apple are somewhat less susceptible due to the way they implement it.
What should you do now?
- Keep using WPA2: It’s still the most secure option for consumer networks.
- Update your devices: Check for updates to your phones, laptops, tablets and computers as soon as you can, and apply any that refer to security in particular. CWE-323 is the official CERT designator, in case your patching mechanisms refer to those explicitly.
- It’s a local exploit: This means an attacker needs to be within range of your device in order to hack it. So it’s highly unlikely you’ll be affected at home, but public WiFi is anyone’s game. So don’t panic, yet.
- Use a VPN! If you’re not already (and you should be), get yourself a VPN and use it whenever you’re online. Then, even if you are hacked, your data is a lot safer (but still not 100% secure; we’re still talking about the internet here).
- Aim to use HTTPS: This is another added layer of security that you should be using. If a site’s address doesn’t start with https, then avoid using it. (Look up at the address bar: ours should say Secure in green writing next to our web address. If it doesn’t, please let us know!)
What patches are available right now?
Not many yet, but as this is a developing story at the time of writing, this will change rapidly. We’re keeping an eye on various sites for patches as they come to hand, but you can check ZDNet’s fairly comprehensive list for the time being.
Update: 18 Oct 17
Microsoft patched the vulnerability on the 10th of October, so try forcing an update if you haven’t received it yet.
Apple have a patch in their beta versions of iOS and macOS, with the public releases coming in the next couple of weeks.
Google has patched their Android implementation and will release it on November 6 for their own-brand phones. It will take some time for other manufacturers and carriers to filter that through, however, so we could be looking at weeks or months before all phones get patched. Let’s hope a quick fix gets sent through ASAP.