Major exploit exposes ALL data: Update NOW to fix the KRACK in your security!
As reported this past weekend, an exploit nicknamed KRACK (which stands for Key Reinstallation Attack) was discovered, and it affects nearly every wireless device on the planet. This will affect more devices than the previous bad boy of exploits, the WannaCry virus.
In a very abbreviated explanation, the exploit allows the data that passes between your device (tablet, phone, laptop) and the intended wireless device you’re connecting to (router, modem, wifi network) to be “sniffed” or read, and also (worse) this occurs even BEFORE you actually become connected to the network. It happens during the device’s initial “handshake”, or verification stage, with the intended network. It’s very, very bad... and can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. This applies not only to typical devices such as laptops, but also to “smart TVs” and NAS (network attached storage) hubs in the home.
KRACK allows hackers to read information (previously assumed to be safely encrypted by WPA2), and they don’t need to know the Wi-Fi password to do this! All that’s required is that your device be in range of the hacker; from there they can steal credit card numbers, passwords, chat messages, photos, emails, and most other online communications.
Now, before everyone panics entirely, the hardware and software manufacturers are already scrambling to release patches for this massive hole, but it’s up to the end-user/customer to seek them out for their devices.
Windows users can simply update their systems (if they haven’t done so yet, do it now). This vulnerability was patched in the 10 October update release. However, Microsoft has been virtually silent about support (or the lack of it) for their mobile platform. Thus far, there is still no word on Windows mobile phone version 10 being patched. Version 8 was officially dropped not long ago, with no patch likely to come for that platform.
Apple users have been told that a patch is “in the works”, though not much is known yet about AirPort hardware, including Time Machine, AirPort Extreme base station, and AirPort Express. So far, no patch has been reported as coming soon for these. You’ll need to contact Apple directly or via social media with your queries and concerns.
Linux users, simply update your system as this has been patched.
Android users: the situation is hit and miss. How long it takes comes down to the manufacturers and the version of Android being used on your device. It’s really up in the air as to when/if the device will ever be patched. It’s not looking good for devices older than Android version 6 (Marshmallow).
It’s worth checking with your network device manufacturer as well, to see if they have released a patch for your modem, router, NAS, etc. If there is none, ask them “why” and “when” you can expect one to be released. It’s now up to the consumer to keep the makers’ feet to the fire so that the majority of devices are patched.
Using a VPN to access the internet is a very good option, as it encrypts all your internet traffic, making it much more difficult to break into.
Lastly, when visiting web sites, be sure that they show “https” and the lock indicating a secure connection.
A fake version of the site served via a KRACK attack will not have this. HTTPS is not perfect, but better than nothing as more fixes emerge.
You can watch the demo of a KRACK exploit here.
I’m jaded enough, when something like this occurs, to think, “it seems like a good way to force people to abandon perfectly good devices in favour of having to replace them with new”... hmm? Could commercial interests have a hand in something such as this? What do you think?