Update: Thursday, October 19th 10:50pm:
Dave Hamilton and the folks at The Mac Observer are keeping and updating a list of router vendors who have updated their firmware to block the different CVEs (vulnerabilities):
https://www.macobserver.com/news/list-of-krack-patches-routers/
(older updates in red at the bottom of this post, newest posts are at the bottom)
Reports are surfacing across the internet tonight with rumors that the WiFi WPA2 encryption mechanism has been “compromised.” What does this mean?
When you connect to a password protected WiFi network (you’re NEVER joining non-password protected WiFi networks, right?!?), the traffic between your device and the WiFi access point (often your internet router) is encrypted using WPA2 (“Wi-Fi Protected Access”). This scrambling of your data means the information your Mac, iPhone or iPad sends/receives isn’t visible to another party (i.e. someone sitting in their car, outside your house) as it flies through the air, between your devices.
While some websites and software services also encrypt your data using something called “SSL”, this isn’t always the case and WiFi users have come to rely on the basic security of WPA2 to keep any non-SSL data transmission from prying eyes.
Tonight’s reports seem to indicate that researchers have found a way to break the security of WPA2. This means that even password protected WiFi networks are no longer secure.
This story is just coming to light and I anticipate big press coverage tomorrow and in the days following. I will update this as we know more. Here is the current take from Ars Technica:
For now, I (as always) recommend connecting devices with Ethernet whenever possible and securing WiFi connections using a VPN.
Update 10/16/2017 @ 8:15am:
All the gory details are available here: https://www.krackattacks.com
The KRACK vulnerability demonstrated:
https://www.youtube.com/watch?time_continue=263&v=Oh4WURZoR98
- It appears this vulnerability in WPA2 *may* be able to be patched with a software update from either side (client device or the WiFi access point). If true, this is good news as it means you wouldn’t need to replace your router if the manufacturer is out of business or isn’t planning to release a firmware update for your model: “Implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
- To exploit this, an attacker must be within range of your WiFi network (i.e. ~several hundred feet). This does NOT allow someone to access your devices, data or network from afar.
- Unless you have some serious enemies (foreign governments, a highly tech-savvy Ex), hackers are likely to start trying this vulnerability on larger targets (big companies with credit card data, health data, financial records), rather than your small office or home network.
- This is reportedly worse for devices running Android (non-Apple mobile phones) and Linux (many servers).
- My recommendations above remain true – use Ethernet where possible and VPN when on WiFi.
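
A toy model of the fix quoted above, as an added example that is not from the original post or from the KRACK researchers. The `Client` class, its fields and the sample key are constructed for illustration, and the model assumes (per the KRACK disclosure) that installing a key resets the per-packet nonce counter.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    """Toy Wi-Fi client; names and fields are constructed for illustration."""
    patched: bool
    key: Optional[bytes] = None
    nonce: int = 0  # per-packet counter; must never repeat under one key
    sent: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, key: bytes) -> str:
        """Handle handshake message 3, which the access point may retransmit."""
        if not (self.patched and key == self.key):
            # First install, or an unpatched client reinstalling the same key:
            # installation resets the counter (assumption from the KRACK paper).
            self.key = key
            self.nonce = 0
        # Patched or not, the reply sent over the air is identical.
        return "message 4"

    def send_frame(self) -> None:
        """Record the (key, nonce) pair that would protect the next frame."""
        self.nonce += 1
        self.sent.append((self.key, self.nonce))


def reused_nonces(client: Client) -> List[int]:
    """Nonces that were used more than once under the same key."""
    counts = Counter(client.sent)
    return sorted(n for (_, n), c in counts.items() if c > 1)


def run(patched: bool) -> List[int]:
    client = Client(patched)
    key = b"constructed-session-key"  # sample value, not a real key
    client.on_message3(key)
    client.send_frame()
    client.send_frame()
    client.on_message3(key)  # retransmitted message 3 arrives again
    client.send_frame()
    client.send_frame()
    return reused_nonces(client)


if __name__ == "__main__":
    print("unpatched reused nonces:", run(False))
    print("patched reused nonces:  ", run(True))
```

The unpatched client repeats nonces under the same key after the retransmission, while the patched client keeps counting and answers the handshake exactly as before, which is why a patched device still works with an unpatched access point.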
Update 10/16/2017 @ 11:45am:
A good podcast with relevant KRACK information from The Mac Observer here:
Update 10/16/2017 @ 3:50pm:
Apple says they’ve fixed the exploit in the latest beta releases of iOS 11.1:
https://www.macrumors.com/2017/10/16/krack-wifi-vulnerabilities-patched-apple-ios-macos/
This release is available to developers as well as a public beta now.
Still no word on a firmware update for AirPort hardware…
Update 10/17/2017 @ 5:25pm:
iDownloadblog.com is reporting “The hack doesn’t seem to exploit access points such as Apple’s AirPort wireless appliances.” and “AirPort hardware not vulnerable”:
http://www.idownloadblog.com/2017/10/17/wi-fi-wpa2-krack-attack-apple-os-betas-fixed/
I have not seen proof of this claim yet and Apple hasn’t officially commented, so take it with the appropriate grain of salt…
Kirk van Druten
LANsharks Consulting