This week, security reports emerged detailing multiple vulnerabilities in the WPA2 protocol. WPA2 is used to secure Wi-Fi and is used around the world as the standard. If you use Wi-Fi, you use WPA2. Security researchers discovered that a hacker within range of a victim can exploit the Wi-Fi vulnerabilities using a key reinstallation attack (KRACK). In this article, we'll try and answer some of the common questions that users of Apple products have raised about this issue.
What is the Wi-Fi KRACK attack?
Discovered by Mathy Vanhoef of imec-DistriNet, their report stated the following:
Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The researcher further explained where the vulnerabilities exist, what circumstances Wi-Fi users are affected, and how to prevent the attack:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.
Should Apple users be concerned?
Technical details were extensively covered over the past few days, but an answer to the most common question remains hard to find or buried in technical jargon: Should Apple users be worried?
In short: Probably not.
These vulnerabilities can be addressed with patches to your router/access point (AP), and Apple has stated that the company is working on an update to patch the flaws. An Apple spokesperson sent the following statement to Romain Dillet of TechCrunch:
“Apple is deeply committed to protecting our customers’ data. The fix for the KRACK WiFi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers.”
Until then, your W-Fi is technically not as secure as it should be. Depending on your level of paranoia, pressure from clients you may support or the industry you're in, these vulnerabilities may have caused some sleepless nights over the past several days. But for most of you, there really isn't much to worry about.
As an individual consumer, there's very little chance that someone is sitting outside of your house trying to exploit these vulnerabilities; however, if you are responsible for securing Wi-Fi for a school campus, hospital or other kind of business, then this situation might be a real problem. Not so much because these vulnerabilities are actively being exploited, but because businesses need to meet certain conditions and certifications to protect user data — with these vulnerabilities, that technically cannot be guaranteed.
That said, hackers are surely working on a script or app to exploit these vulnerabilities this very moment, so the longer these vulnerabilities remain unpatched, the higher the risk will become.
A few things to keep in mind:
- For these vulnerabilities to be exploited, an attacker needs to be in physical proximity to your network. This is not something that can be exploited by a hacker in another country, for example.
- It's not the WPA2 encryption that has vulnerabilities. This means your encrypted traffic over a WPA2 Wi-Fi connection is still encrypted, unless you use Android, Linux or other clients that use the open-source wpa_supplicant software library. For Apple's operating systems, WPA2 encryption is still good and an attacker cannot decrypt all of your traffic.
- Apple has said these vulnerabilities were addressed in house and will be part of updates coming to all OS versions soon.
How to protect yourself from Wi-Fi KRACK Flaws
The best thing you can do is find out if patches are available and install them. Several AP manufacturers have already released patches for their hardware, so you can go to their websites or call and ask for the patch. Typically if you registered your router or AP with the manufacturer, they have your email address on file and will send out an email about such patches. If your Wi-Fi is provided by your Internet Service Provider (ISP) where most modems have Wi-Fi built in, contact them to see if this issue is being addressed. Consumers typically do not have full access to their modem, so software and firmware updates must be pushed out by the ISP.
Using a Virtual Private Network (VPN) and visiting websites that use HTTPS will add another layer of security. Though websites that do not implement HTTPS properly can be tricked into downgrading to HTTP, the use of a VPN will at least secure the traffic between your computer and the access point (AP) you are connected to. Of course, by using ethernet instead of Wi-Fi where possible, you will have nothing to do with the KRACK vulnerabilities. You'd still need to patch your OS and AP hardware when patches are released, but until then it's business as usual via ethernet.
Knowing if you're connecting to an AP that has yet to be patched becomes much harder once you leave your house or office. Sure, you can ask the barista at Starbucks if their AP was patched, but you'll likely get a very confused look. The same goes for any establishment that offers Wi-Fi to their guests and you may never find out. If unpatched, this is a vulnerability that will last forever on that hardware, so if you do find yourself using Starbucks Wi-Fi often, perhaps a call to their HQ might be a good idea. Fortunately, when you need Wi-Fi on the go, there is one solution that may offer better security: This Home VPN Router Setup Protects Your Traffic Wherever You Are.
Have something to say about this story? Share your comments below!