A new flaw has been discovered in the WiFi security most of our WiFi devices use. What does this mean?
You may not realise it, but if you live in a delightfully wire-free world, you are very likely relying on a standard called “WiFi Protected Access”, which for well over a decade has been what keeps strangers out of your home and business wireless networks.
Shortened to “WPA”, it’s the thing that says “make a password for your WiFi network to keep it locked down”, and without getting into too much jargon and programming knowhow (because you probably don’t need that), it is essentially the security that wireless networking on most devices relies on today. That password is not sent over the air; it is used to derive the encryption keys that scramble everything passing between your devices and your router.
When you set up your own wireless network, it almost certainly relies on WPA2, the second generation of the standard. If you’ve ever bought a modem router from an ISP or telco and used the password printed on the sticker, that funny combination of letters and numbers is a WPA2 passphrase, and WPA2 has been the recommended choice for securing a wireless network for a good ten years or so.
That changed this week: a new method of breaking WPA2 has been uncovered.
What’s happened?
Called the “Key Reinstallation Attack”, or “KRACK”, it was found by researchers at the Belgian university KU Leuven, and it is a flaw in the WPA2 protocol itself rather than in any one product. An attacker within radio range sets up a fraudulent copy of your access point and positions themselves between a device and the real one, then replays one of the messages in the handshake that installs the encryption keys. The device dutifully reinstalls the same key and resets the counters that encryption relies on never being reused.
Once that happens, the attacker can decrypt the WiFi traffic between that device and the network, and in some cases tamper with it or inject packets. It does not hand over your WiFi password, and the attacker still has to be within range, but it does revive the days of someone parked near your house monitoring the comings and goings of your life, a step beyond war-driving, the practice of driving around scouring for WiFi networks to target.
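To make the mechanism concrete, here is a small added example in Python. It is not code from the article or from the researchers, and it is not real 802.11 code: it models a client that installs its key when message 3 of the handshake arrives, shows that replaying that message resets the packet number so two different frames get encrypted with the same keystream, and shows what an eavesdropper can then read. The keystream function, the frame contents and the key are all constructed stand-ins for what WPA2 really uses.

```python
"""Toy model of a KRACK-style key reinstallation and why it matters.

Constructed example, not code from the article or from the researchers.
The keystream is HMAC-SHA256 over (key, packet number, block index),
standing in for the AES-CCMP keystream real WPA2 uses; everything else
(message names, the client state machine) is a simplified model.
"""
import hashlib
import hmac

# Constructed sample frames: one the attacker can guess, one they want.
P1 = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n"   # predictable request
P2 = b"password=hunter2&remember=1\r\n"                # the secret one


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for a CCMP keystream: depends only on the key and packet number."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """A WiFi client's view of the 4-way handshake, reduced to message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None            # pairwise transient key
        self.packet_number = 0     # per-key nonce; must never repeat under one key

    def handle_msg3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the key. Unpatched code
        # installs it again on a retransmission and resets the packet number;
        # the fix is to ignore message 3 once the same key is already installed.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.packet_number = 0

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet number, ciphertext) as seen on the air."""
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def simulate(patched: bool):
    """Run the exchange; returns both packet numbers and both ciphertexts."""
    ptk = hashlib.sha256(b"PMK|ANonce|SNonce|MACs").digest()  # constructed key
    client = Client(patched)
    client.handle_msg3(ptk)             # genuine message 3 from the access point
    n1, c1 = client.send(P1)
    client.handle_msg3(ptk)             # attacker replays the captured message 3
    n2, c2 = client.send(P2)
    return n1, n2, c1, c2


def recover(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """Passive attacker: if both frames used one keystream, c1 ^ c2 == p1 ^ p2,
    so XORing in the guessable frame reveals the other one."""
    return xor(xor(c1, c2), known_plaintext)


if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, c1, c2 = simulate(patched)
        guess = recover(c1, c2, P1)
        print(f"patched={patched}: packet numbers {n1},{n2}; "
              f"secret frame recovered: {guess == P2}")
```

On the unpatched client both frames go out with packet number 1, and the attacker never touches the key: the password is not recovered, the keystream is simply reused. On the patched client the replayed message is ignored, the second frame gets packet number 2, and the XOR trick yields nothing useful.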
Understandably, this is a problem, and it’s one that affects anything with WiFi in it. Every platform the researchers tested (Windows, macOS, iOS, Android, and Linux) was affected to some degree, with Android 6.0 and later and Linux worst hit, because a bug in the common wpa_supplicant software there lets the attacker force an all-zero encryption key. And WiFi is in a whole lot more than phones and computers.
That means your phone, your computer, your tablet, your video game system, your router or modem router, your security cameras, and so on and so on and so on. You can see pretty quickly how messy this one is going to be.
Fixes are coming
Fortunately, companies are working on solutions, and international technology website The Verge has reported Microsoft has a fix for Windows 7, Windows 8, Windows 8.1, and Windows 10, which is good news for Windows users, since most PCs will be fixed through Windows Update rather than having to wait on the computer’s manufacturer.
Apple will likely be next, as will Google towards November, but the issue, as we’ve noted, isn’t just limited to devices with an operating system you regularly talk to.
Rather, it affects devices in your home you may not be thinking of, including the WiFi router that controls your wireless network as a whole. The router mostly needs a fix when it acts as a client itself (as a repeater or mesh node) or supports fast roaming (802.11r), because the bulk of the flaw lives on the devices that connect to it.
At least one security company has released a statement, with McAfee’s Chief Technology Officer for APAC, Ian Yip, adding “Based on what we know so far, this exploit requires an attacker to be in the proximity of the wireless device or network in question, which reduces the risk somewhat.”
On the plus side, the Wi-Fi Alliance — the organisation that gathers all the WiFi supporters into one bucket and works on new WiFi technologies to designate them as a standard — has said that “there is no evidence that the vulnerability has been exploited maliciously”, which is great news for everyone.
You don’t have to worry too much, and it is highly unlikely that anyone is outside your home using KRACK to break into your WiFi network. Tinfoil hat down, people.
What can you do in the meantime?
However, it does mean that WiFi updates will be coming for devices, and the ones that matter most are for the devices that connect to your network: phones, laptops, tablets, and the rest. Your router or modem router needs a patch too, but patching it alone does not protect the devices on it.
That means if you set up your own wireless network at home or work, you can likely expect a notification in the near future alerting you to an update, and you should definitely take it. We haven’t heard quite what the rollout will be like for those with modems and routers supplied by telcos like Telstra and Optus, but our guess is that it will likely be the same, and when the patch is ready, it will be rolled out.
Until that happens, the University of Western Australia’s David Glance has written an excellent piece about what you should do at The Conversation, making great suggestions like only using websites with the security padlock, something Google’s Chrome now alerts people with.
In Chrome, you can easily identify a website without security because it will have a little exclamation mark in a circle next to the URL, and possibly the words “Not Secure”. HTTPS, once reserved for websites that handled payments or logins, is now recommended for every website, and it is the layer that still keeps the contents of what you send and receive private if the WiFi encryption underneath it has been broken.
While KRACK and the WiFi exploit will likely take some time to clean up, best web practices like this will help to ensure you don’t run into problems, as will making sure that the patches are deployed for your affected devices when they arrive.