I sure hope Google or Apple is working on a piece of AI that will come up with new names for vulnerabilities because at the rate news has been breaking, I foresee us running out of them in the same way we’re running out of IPv4 addresses. And it’s funny I mention IP addresses because this blog is about the KRACK vulnerability in the WPA2 security protocol.
If you’re the person in your organization or home who set up the wireless router, you know that WPA2 is the highest level of protection you can enable on your router. Your password strength plays a factor but for years the amount of hardware and time it would take to decrypt WPA2 with brute force techniques was simply not worth the time and cost. The attack that KRACK uses is a common one called man-in-the-middle and the vulnerability lies in the 4-way handshake your device’s Wi-Fi makes with the wireless router. The attacker interferes with the handshake and poses as the router after the first-way portion of the handshake has occurred.
So what is a person to do to prevent this? First, ensure your router’s firmware is up to date. You’ll then want to use a VPN for all activity on your network. For businesses, this is already being done. For users at home, their personal PC’s and smart phones are able to pay for personal VPN services that are sold with privacy in mind. But what about that Apple TV, or that Chromecast, or that smart fridge? The problem with the VPN solution to KRACK is that all of the Internet of Things devices that are out there are entirely dependent on an individual solution per device from the device manufacturer. So what do you do if your device’s manufacturer has gone out of business? You either stop using it, or keep using it with the vulnerability. Neither is an ideal option for something you may have spent hundreds of hard earned dollars on.
One additional tool to use is a browser plugin available for all browsers called HTTPS Everywhere. This encrypts traffic by forcing a web server to use HTTPS if it is capable of it. Some webservers downgrade traffic to HTTP as a means of saving bandwidth/money. You can find that plugin available here.
Lastly, organizations should have far less hesitation to encrypt their sites since Let’s Encrypt has been providing free certificate authority service for a few years now. Sponsored by many logos in the industry, it’s an effort to better secure the entire internet for the safety of everyone. You can find their site at letsencrypt.org. For those interested in the private VPN services mentioned earlier, Ernesto Van der Sar is the founder of TorrentFreak and he wrote a great list of the best VPN providers that emphasize privacy and security. You can give that a read here.
Aside from using VPNs and disabling your IoT devices, let’s be hopeful that someone(s) out there is working on WPA3 or the next gen of wireless encryption with haste.