Earlier this week, a vulnerability was disclosed in the WPA2 security protocol that, in the worst case, could allow an attacker to potentially gain access to some or all of the encrypted information transmitted over a Wi-Fi connection.
This isn’t a bug, and it’s not a failure of one manufacturer or another. This is a weakness in the protocol itself.
If you use Wi-Fi on any device, it’s worth understanding how big of a risk this might be, and what steps, if any, you might want to take.
The steps to take, if you need to take them
The single biggest mitigating factor for the average computer user is that this is a wireless vulnerability, and therefore requires proximity. You need to be using a Wi-Fi connection, and the attacker needs to be within wireless range of your computer.
If you don’t use Wi-Fi, this is a non-issue. Nothing to see here. Move along.
If you do use Wi-Fi, then understanding your common surroundings is important. If you’re in some isolated area where, like me, anyone close enough to listen in to your Wi-Fi would be obvious and out of place, it’s possible you don’t need to take any additional steps other than updating software, which I’ll discuss below.
If, on the other hand, someone’s within range, and particularly if you consider yourself or your business a potential target, then there’s something you might want to do until the problem gets fixed: treat your wireless connection as if it were an open Wi-Fi hotspot with no encryption at all. In this case, that generally means:
- Use https wherever possible.
- Avoid sites that don’t use https.
- Consider using a VPN.
- Consider using your mobile device’s data plan instead of Wi-Fi in sensitive locations.
Or, if you can, switch to a wired ethernet connection.
The steps you need to take regardless
As it turns out, this is a relatively easy problem to address in software. As a result, most major manufacturers are pushing out updates that will fix the issue. Once your software is updated, you’re protected.
Take those updates as soon as they’re available. Bleeping Computer reports that for Windows 10, at least, your system may already be fixed, as the update was apparently silently included in the most recent patch Tuesday. That fact was only revealed when the vulnerability itself became public. (Sadly, this comes on the heels of a Windows Update problem causing many people to try to avoid updates. When it’s available, this is an update you want.)
This applies to any and all devices that use Wi-Fi.
And therein lies a different problem: not all devices will be updated.
Updates on older devices
It’s unclear if Windows XP or Vista will get fixes for this. It’s pretty clear older versions of MacOS and Linux may not get updates. In short: if your operating system doesn’t get security updates now, it’s probably not going to be updated for this protocol vulnerability. You’ll either have to live with it (see “steps to take” above) or update to a newer OS or device.
And yes, I said “device”. One of the areas considered particularly problematic is that of Android tablets and mobile phones. Almost all are at the mercy of the mobile company from which they were purchased, and many of the older models still in use are not getting updates of any sort. Some will get updates quickly, and some not at all. It’ll be important to know which boat you’re in.
When it comes to TVs and IoT devices, it’s unclear when, how, or even if they’ll ever be updated, and what the ramifications of that might be.
This is about clients, mostly
One final point: the fixes apply mostly to Wi-Fi clients — the computers and other devices you use which connect to the network wirelessly. Wireless routers and access points, as I understand it, may not be impacted in the same way. Nonetheless, be on the lookout for updates to your router or access point’s firmware related to this issue.
There’s one specific case that is impacted, and that’s a wireless range extender or repeater. These act as both clients and access points. Since they act as clients, connecting to another wireless router or access point, they would likely be vulnerable to this issue. You’ll want to update their firmware as soon as the manufacturer makes a fix available.
Great article Leo. Thanks for explaining all of this.
Yes, thanks for the article, very timely. It appears on reading that both devices need to be able to be compromised for this vulnerability to be effective. I have also seen no mention of iPhone / Apple devices being compromised. I understand Microsoft patched this last week.
https://www.computerworld.com/article/3233198/microsoft-windows/microsoft-shuts-down-krack-with-sneaky-windows-update.html so updating Windows to latest patches should secure your computers and laptops.
What about things like power line adaptors, they use WPA but are wired. Are they affected?
I would assume they’re technically vulnerable, but the attacker would have to be connected to your powerline.
Great article; well presented.
PLEASE CLARIFY HOW a client patch fixes this? Example: Windows 10 rolled out a fix… WHAT is the fix? HOW does the CLIENT patch solve the KRACK problem? Does it keep the data from creating the “0000…” password? Or WHAT?
Also (for example, a WiFi light bulb), WHAT type of data would that expose if it is not patched? I really don’t care about the light bulb, but does it open up my network to sniffing, hacking, etc.?
thanks
Windows automatically and often silently patches itself via Windows Update, so in most cases, you don’t have to do anything.
They state they DID patch it. BUT, WHAT does the patch do, in the case of the client (in this case Windows)? The SERVER (router) is still unpatched, so how does Windows fix this two-way communication problem? Does their software FORCE AND MAINTAIN encryption of the password that goes to the router, and prevent the injection of the ZERO’ed password? The hacker can still sniff this Wi-Fi connection, so I am concerned as to how just fixing the client (or the Android phones, hopefully) achieves this task.
Since this is such a widespread issue, I’d like to know more than “windows fixed this…” which they claim they did
thanks for any further details you can provide
Fixing Windows obviously doesn’t fix the router. It means that the Wi-Fi connections to that Windows machine are no longer vulnerable to the attack. You still want to update your router if at all possible so as to secure any other connections to non-Windows devices it might be making. The worst case is simply that those connections could be intercepted, redirected, or monitored. Again, once patched, the Windows machine will NOT be vulnerable to this, but other devices could be. And a reminder: the attacker needs to be in radio range. For most people that means only mobile devices are really at risk, since they may be taking them out to public places where an attacker might hang out.
Thank you for this helpful article, it actually addresses what people need to know. As for me, my XP machine is directly connected by ethernet and I no longer allow my Android tablet to access the Internet as they don’t issue updates for them. My only concern is my Chromebook which has just issued an update which hopefully addresses this issue.
Currently, the Amazon TV stick is the only device we use on wireless LAN at home;
we use the carrier line on smartphones etc. at home, so we do not use Wi-Fi at all in open spots etc.
This is to be careful before a vulnerability is disclosed.
It seems that an update is planned for the Amazon TV stick, so we decline to use it until the update is published.
I’m so sorry, but I’ve no idea what “software” means or how to update my software and/or my router. I’m even confused by the term router.
I have an HP desktop computer with Windows 7 Home Premium that I keep up-to-date through Windows Update and Norton 360.
I think I was using DSL through Verizon on copper phone wires. This week Verizon upgraded me to fiberoptics for my phone and pc. The Verizon employee disconnected my modem and router and connected some sort of box that handles my internet service now. I’ve no idea how to update this to protect me from the KRACK problem.
I apologize for not being more knowledgeable. Can you guide me, please
I would actually suggest calling your Verizon tech first. They will know exactly what you have, and may even walk you through any updates you need to do. A good tech is a gold mine, use them!
Oh my goodness – I never thought of that. Thanks much.
My Norton mobile security is saying that it detects the KRACK vulnerability on my Android phone. My operating system is 7.1.1. Do I have to wait for my updates to come in, or can you give me a link to manually install the patch myself? I’ve even visited the manufacturer’s website, but get no place. A lot of information, but no instructions on where to go to get the patch! If I already received the update when I bought the phone, it’s GONE now, cuz I did a factory reset to try to get rid of the KRACK thing. When I reinstalled my Norton product back to my phone, it’s saying it’s detecting it again! What do I do? Should I just go get another phone, or wait to see if I get the update in my auto updates?
Help, cuz I’m worried! I am using a password manager to store my passwords, and I’m worried they may have been compromised! I never ever use public WiFi, NOT EVER—and I don’t use the WiFi on my phone, NOT EVER, I always keep it turned OFF and ONLY USE my phone’s cellular data for accessing the internet. So, Leo, what do you think? What are the chances my phone could be infected?
No way to know. And the only way to update is via your mobile provider.