We had a number of concerned requests come into our office today regarding some recent news stories about a new wireless vulnerability. The news stories claim every wireless device is affected by this exploit and nothing is safe as the bad people can now get all your information from credit cards to passwords. It sounds very bad… but is it REALLY as bad as they make it out to be?
Like most mainstream stories, things have been sensationalized a bit. It’s true, a collection of exploits was discovered by security researchers Mathy Vanhoef and Frank Piessens, working at the Belgian university KU Leuven. (It’s been dubbed KRACK, which is an acronym for Key Reinstallation Attacks.) They have responsibly disclosed these exploits to vendors so that the vendors can release patches for their devices. And it’s true that these exploits are in the protocol itself and NOT specific to particular vendors. So getting a new wireless router or changing your password won’t necessarily protect you from the issue.
What has been sensationalized is what attackers can do or obtain. This attack is extremely difficult and time-consuming to pull off. It would require someone sitting within range of your wireless network for as long as it takes, armed with the knowledge and tools to pull it off. Your average script kiddie will not be a threat. On top of that, even if they do gain access utilizing this new collection of exploits, most standard protection mechanisms already in place will work perfectly fine.
You see, proper computer security utilizes layered security to help protect against attacks. If your wireless network (or wired for that matter) is compromised, the bad people will have to do more work to gain access to sensitive information being sent over it. Pretty much every website that sends traffic that is considered personal utilizes the HTTPS protocol. This includes bank websites, anywhere that handles a credit card, most username/password logins, webmail, etc. So even if someone is snooping on the traffic going between you and the website or service, the traffic is encrypted and they are unable to read it.
It’s worth noting that every device that uses wireless is susceptible, to some degree, to the vulnerabilities, making them a potential target. This includes mobile phones. As an example, Android 6.0 and above contains a vulnerability that researchers claim “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.” (Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”) It’s not just limited to Android. Any operating system that implements the WPA/WPA2 encryption standard is at risk, including macOS, Windows, iOS, Android, and Linux devices.
So is this a good thing for the world of wireless? No, it’s not – but it’s great it was discovered and reported responsibly so it can be fixed. Many enterprise vendors have already released patches that protect against this. (These are the places that are out of your control and could affect you through no fault of your own. These are the places that may be targeted because of the amount of data they hold or the access one could gain.) Other vendors that are more popular in the mid/small business market and with home users have also released patches or will be soon. These areas are much less likely to be affected by this due to the skill and time required to exploit the vulnerability.
What should you do? The only thing you can do is wait for a patch from the vendor that made your wireless equipment. It will be a software patch (known as firmware in some cases) as the issue is not with the hardware but the protocol that runs on it. You do NOT have to purchase anything new – firmware patches are usually free unless you have a higher-grade device that requires a support contract. (And in these cases, you’ll likely know about it.) We expect to see scams popping up about it at some point, claiming to be able to fix it for some money. Go to someone you trust with your technology to assist if you’re unable to do so on your own. Be very careful simply calling a number you find online for support! Scammers love to take out ads on all the search engines, just waiting for someone to search for support and call them up.
Further reading at a less-sensationalized article can be seen here. You can read more from the security researchers here. Lastly, US CERT is keeping a list of vendors and their status over here.
As always, we’re happy to assist if we can. Please feel free to contact us if we can be of assistance. Thank you!
Updated: 10/16/17 @ 4:15pm PST with statement from Google and additional links.