The Good News and Bad News About Today’s Massive Wi-Fi Bug
Today, researchers published details of a new attack against Wi-Fi encryption, which they dubbed “Krack.” Manufacturers have known about the issue for more than a month, but it still caught much of the industry off guard; major companies are still scrambling to deploy patches before an exploit code becomes available. It’s an unusual bug — both hard to exploit and hard to fix — and it’s already stretching vendor patching systems to their limit. Here’s what you need to know to keep your own devices safe.
THE GOOD NEWS: IT’S HARD FOR HACKERS TO EXPLOIT
The good news is Krack is a wide but shallow bug: nearly every device that uses Wi-Fi is vulnerable, but the attack itself is difficult to execute and not as damaging as you might expect. Taking advantage of this bug would take a lot of preparation and a very specific target, which is very good news in the short term.
Krack is essentially a weakness in the WPA2 system, which secures the Wi-Fi connection between a router and a computer. When that system breaks down, it could let an attacker get in between you and your router. From there, they can eavesdrop on unencrypted (non-HTTPS) traffic or compromise your computer by slipping malware into legitimate websites. But an attacker would have to be within Wi-Fi range to carry out any of those exploits, which dramatically reduces the risk that an average person will be targeted. Unlike server-side bugs like Heartbleed or Shellshock, there’s no way to carry out the attack over the internet at large. Hackers need to be physically present in range of a network, and even if you’re war-driving, you can only hit one network at a time.
The upshot of all of that is you probably don’t have to worry about hackers going after your network specifically. Still, we encrypt Wi-Fi signals for a reason, so you will want to patch your software as soon as you can.
THE BAD NEWS: PATCHES AREN’T HERE YET
Unfortunately, many vendors are still putting together patches for the bug, so updating immediately won’t be an option for everyone. There’s a real-time list of affected devices here, although it only covers the most common exploitation of the bug. Because WPA2 is so widespread, researchers predict that nearly every device that uses Wi-Fi will be vulnerable in some way. That starts with computers and phones, but also your router and any other device that plays a part in your home Wi-Fi network.
The most important devices to patch are the ones you use most often: your computer and your phone. Those would be the center of any attack, and locking them down will prevent the most severe damage from the bug. Microsoft is currently deploying a Windows patch, and Apple says that a patch for the bug is currently deployed in the beta versions of iOS, macOS, watchOS and tvOS. (The patch is expected to go public in the coming weeks.) Android phones will probably be the hardest to patch: the ecosystem is notoriously slow to deploy patches, and because of a specific implementation issue, more than a third of Android phones are vulnerable to a simpler form of the attack. Google has promised to deploy an Android patch in the coming weeks, but it may be some time before that patch will reach non-Pixel devices. Even if your router isn’t patched, patching the device should be enough to stop an attacker from getting in the middle.
Beyond computers and phones, it’s time to take a look at every Wi-Fi-enabled device you own, and checking on software updates for those devices in the weeks to come. We’re likely to see all kinds of exotic attacks on Wi-Fi-equipped TVs, printers, and other Internet of Things devices in the upcoming weeks. The best protection would be patching your router firmware, but because routers are often underpowered and with less robust support, it may also be one of the hardest devices to patch.
Krack is also harder to patch than the average bug. It targets a fundamental weakness in the way WPA2 reinstalls private keys, which makes it particularly difficult for security teams to be sure a given patch will protect against every attack. We’re likely to see related exploits popping up for years to come, potentially until the industry moves to the next Wi-Fi encryption standard.
As we wait for vendors to get their acts together, the simplest thing you can do to protect yourself is avoid Wi-Fi in general. Krack-based attacks have to happen in real time — they have to be splicing in malware at the same time you’re loading an HTTP page — so the less you use unpatched Wi-Fi, the less vulnerable you’ll be. That’s not possible in every situation, of course, but it’s the one thing that will guarantee you’ll be protected.