We’re so reliant on Wi-Fi and gadget interconnectedness that a vulnerability found in the security mechanism could lead to meltdown – malicious nabbing of personal data, credit card details, the lot. PAT PILCHER on the big new threat.
The world’s tech media flew into a flap. It was over a flaw within the security mechanism that secures Wi-Fi networks. The worrying thing is that the flaw isn’t likely to get fixed for several weeks, depending on your OS.
The media pumped out ‘sky is falling’ headlines and everyone pulled their hair out. Trouble is, almost no one has sat down and discussed how serious this threat is.
Most worrying of all is the sheer ubiquity of Wi-Fi. It’s everywhere. It is in effect the technological glue that keeps all the gadgets in our lives functioning. And encrypting your Wi-Fi network is vital if you hope to keep personal info safe from dodgy hackers
Key to this is the WPA2 security protocol. It’s become a mandatory spec for almost all Wi-Fi capable devices .
There’s billions of laptops, smartphones, cameras, sound systems, smart TVs, routers and other gadgets that are using it. And here’s where the trouble begins.
The exploit, dubbed KRACK (who comes up with these names?) is that an exploitable weakness – discovered by a security researcher at the Catholic University of Leuven (KUL) in Belgium – is buried deep within the WPA2 standard.
The KRACK takes advantage of how a widget connects to a Wi-Fi router over WPA2 encrypted Wi-Fi. This sees the widget exchanging data with the router to establish its credentials, and gets called the as a ‘four-way handshake’. With KRACK, it’s possible to interfere with this process to achieve unauthorised access over a supposedly secure WPA2 encrypted network.
This allows a cyber crim to access information sent over the compromised network or stored on devices connected to the network.
Your credit card numbers, passwords, messages, emails and photos could all be gathered, regardless of the fact that you’ve carefully set up passwords and encryption.
If that’s the not-so good news, the good news is that it is fixable.
Doing so is a simple matter of installing a software update that patches the vulnerability. Microsoft and Apple have already released a patch to fix the problem. Your mileage may vary depending on who your router and Wi-Fi connected widget makers are.
Of most concern according to security experts are devices running Android 6.0 or later. This is because the problem is with the Wi-Fi standard, not the hardware. The theory is that a device’s vulnerability depends on how it adheres to the WPA2 standard. Android adheres strictly. Researchers do say that Apple and Microsoft don’t adhere to it as much. This means that Windows and IOS gear are only vulnerable to unusual and unlikely variations of the attack.
Before you toss your Android phone off a tall building, don’t panic – exploiting the vulnerability isn’t straightforward. For a start the attacker’s PC/phone/tablet needs to be within around 100 metres of your router to carry out the attack. Sure, you could start searching outside your house for dodgy looking strangers in trench coats, trilbies and PCs, but another reassuring fact is that the code needed to carry out the KRACK exploit isn’t published. While it could get crafted based on the description in security white-papers, you’d still be looking at weeks if not months of work to do so. By then if all goes to plan, you’ll have a software update.
Not all hardware makers have responded as quickly as Microsoft or Apple in plugging the vulnerability. Equally worrying is the fact that even if your router, PCs/tablets and phones are all patched, there’s a high likelihood that device manufacturers for low cost Internet Of Things widgets in your home may drag their heels or choose not to patch the vulnerability. This in turn could see home networks open to exploits.
Our advice at Witchdoctor is to call the helpdesk or manufacturer of any suspect gear and ask them if they’ve got an update.